Note: 

Previously, TPPs were required to register with the Developer Portal to test their applications against YBSG APIs. This is no longer the case: TPPs now need to register with YBSG's Test interface via the API.

Our Open Banking APIs

We want to make sure third-party developers can easily register their applications with us and access the standardised industry-wide Open Banking APIs (Application Programming Interfaces) we've helped to create. The sections below provide information on the Open Banking APIs that Yorkshire Building Society has implemented. These APIs provide a secure, coherent set of capabilities that you can use within your applications to deliver value to customers. 

Developer Portal Services

The purpose of the Developer Portal is to help developers of client applications understand the APIs supplied by the YBS Group and to support them in building applications that use these APIs. To that end, the Developer Portal provides the following services:

Category | Service | Description
Operational | Registration | You have to register with the Open Banking website to get access to the Sandbox API.
Support | API Documentation | You will find detailed technical specifications of our APIs in this section.
Support | Developer Support | The Developer Portal provides an overview of our APIs and FAQs. Please use the Contact Us page for suggestions on improvements or queries on our Developer Portal or Testing Interface offering.

Overview of YBS APIs

Our initial implementation focuses on PSD2 regulatory compliance for AISP and PISP. We have adopted the UK Open Banking specification standards for our APIs. A key aspect of these standards is the adoption of the open authorisation model based on the OAuth 2.0 Authorisation Framework, in addition to adherence to the OWASP REST API guidelines.

There is an Authorisation Mock Page in the Sandbox that acts as the Authorisation Server, the website that a human user interacts with to authenticate and authorise the access request. It responds with an Authorisation Code when supplied with valid input parameters; authorisation is implicit and guaranteed for all valid input. This enables TPPs to automate the end-to-end flow without the need to manage additional credentials to authenticate or additional human intervention to manually authorise the access request.

For information about API releases and alignment with UK Open Banking, please refer to the FAQ section.

Discovery and Application Registration

The Open Banking specification for enrolling with the Open Banking Directory (Directory Specification) and then registering with Account Servicing Payment Service Providers (ASPSPs), like Yorkshire Building Society, is available on the central Open Banking website.

The sandbox hostnames for the YBS and CBS brands are ob-ybs.sandbox.ybs.co.uk and ob-che.sandbox.ybs.co.uk respectively.

The production hostnames for the YBS and CBS brands are ob-ybs.api.ybs.co.uk and ob-che.api.ybs.co.uk respectively.

Yorkshire Building Society supports the following to enable discovery and registration for Open Banking with us:

GET /.well-known URL details:

Brand Environment URL
YBS Sandbox https://sandbox.ybs.co.uk/open-banking/v1.0/.well-known/ybs/openid-configuration
CBS Sandbox https://sandbox.ybs.co.uk/open-banking/v1.0/.well-known/che/openid-configuration
YBS Production https://api.ybs.co.uk/open-banking/v1.0/.well-known/ybs/openid-configuration
CBS Production https://api.ybs.co.uk/open-banking/v1.0/.well-known/che/openid-configuration

 

POST /register URL Details:

Brand Environment URL
YBS Sandbox https://ob-ybs.sandbox.ybs.co.uk/open-banking/v1.0/register/tpp-client
CBS Sandbox https://ob-che.sandbox.ybs.co.uk/open-banking/v1.0/register/tpp-client
YBS Production https://ob-ybs.api.ybs.co.uk/open-banking/v1.0/register/tpp-client
CBS Production https://ob-che.api.ybs.co.uk/open-banking/v1.0/register/tpp-client

 

  • Use of this functionality is described in the ‘Register an application with an ASPSP using APIs’ section of the Open Banking Directory Specification.
  • We support TPP application on-boarding via the Registration API and do not provide this capability via a manual process.

Security

The detailed Open Banking specification for the security model (Security Profile) is available on the central Open Banking website.

Yorkshire Building Society supports the following to set up and enable secure use of Open Banking functionality:

POST /token

Get the access token required to invoke the APIs.

Supporting information for registration and security:

Client ID and Secret

Your client ID and secret that you use to access our APIs are important credentials which must be kept securely within your organisation, and must not be shared with other parties or lost.

Transport layer security mutual authentication (TLS MA)

We require Transport Layer Security Mutual Authentication (TLS MA) for all Yorkshire Building Society API endpoints except:
/.well-known

Support of algorithms

Yorkshire Building Society supports the PS256 algorithm for any signed JWTs provided by a Third Party. OIDC tokens that Yorkshire Building Society provides will be signed using the PS256 algorithm.

Note: JSON = JavaScript Object Notation, JWT = JSON Web Token, OIDC = OpenID Connect.
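
Because /.well-known is the one endpoint served without TLS MA, a client can check the discovery document before trusting the endpoints and algorithms it advertises. The sketch below is an added example, not YBS code: it uses standard OpenID Connect Discovery field names and the YBS sandbox hostnames from this page, and the sample documents and their endpoint paths are constructed.

```python
from urllib.parse import urlsplit

# Hostnames this page lists for the YBS brand sandbox.
ALLOWED_HOSTS = {"sandbox.ybs.co.uk", "ob-ybs.sandbox.ybs.co.uk"}
# Metadata names from OpenID Connect Discovery; this client expects all five.
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "jwks_uri", "registration_endpoint")
ALG_KEYS = ("id_token_signing_alg_values_supported",
            "request_object_signing_alg_values_supported")

def check_discovery(doc, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of problems in a discovery document (empty means OK)."""
    problems = []
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not isinstance(value, str):
            problems.append(f"{key}: missing")
            continue
        url = urlsplit(value)
        # Exact host match: a suffix or prefix test would accept look-alikes.
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            problems.append(f"{key}: untrusted location {value}")
    for key in ALG_KEYS:
        algs = doc.get(key)
        if key.startswith("id_token") and not algs:
            problems.append(f"{key}: missing")
        if algs is not None and "PS256" not in algs:
            problems.append(f"{key}: PS256 not offered")
        if algs and "none" in algs:
            problems.append(f"{key}: unsigned tokens advertised")
    return problems

BASE = "https://ob-ybs.sandbox.ybs.co.uk/open-banking/v1.0"  # constructed paths
GOOD = {  # constructed sample, not the real YBS document
    "issuer": "https://ob-ybs.sandbox.ybs.co.uk",
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/jwks",
    "registration_endpoint": BASE + "/register/tpp-client",
    "id_token_signing_alg_values_supported": ["PS256"],
    "request_object_signing_alg_values_supported": ["PS256"],
}
# Constructed tampered copy: look-alike token host and a downgraded alg list.
BAD = dict(GOOD,
           token_endpoint="https://ob-ybs.sandbox.ybs.co.uk.example.net/token",
           id_token_signing_alg_values_supported=["none", "RS256"])
```

This checks metadata only; signatures on the tokens themselves still have to be verified with PS256 against the keys from jwks_uri.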

Security authorisation expiry & new intents

Where security authorisation has expired, a new intent is required to ensure continued access to the account information. Yorkshire Building Society will not allow an intent to be confirmed again.

Deleting intents

Customers can only request the deletion of an authorised intent.

Token validity periods

Token life spans are as follows:

  • Authorization code (used by AISP and PISP to exchange for an ID Token): 10 minutes, not reusable – as per the OAuth 2.0 specification
  • Access Token (used to allow PISPs access to protected resources (APIs); the tokens are only valid for a short duration. For a single AISP Intent ID): 30 minutes
  • Refresh Token (required to obtain new access tokens when the current token becomes invalid or expires. For a single AISP Intent ID): ~90 days expected (multi-use Refresh Token)
  • ID Token generated by YBS Identity API (for Single Immediate Payment): 24 hours – but payment submission only accepted within 1 hour of customer authorisation
  • ID Token for a Consent ID (AISP): 30 minutes
  • Please note these are not fixed and will change over time.

Exception Codes

In addition to the response codes detailed in the Open Banking API specifications, we will return the following exception code:
- HTTP 503 (services unavailable or too busy).

Transaction Processing

API Call Limits

We will only process four requests for data from a third party where the customer is not present within a 24-hour period; there is no restriction on requests where the customer is present.
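
A TPP can enforce this limit on its own side so that scheduled jobs never spend a call that will be refused. The tracker below is an added example, not YBS code. The page does not say how the limit is scoped or counted, so it assumes one budget per consent (a hypothetical `consent_id` key) and a rolling 24-hour window, which never exceeds four calls in any calendar day either.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60  # "within a 24-hour period"
MAX_UNATTENDED = 4             # four requests where the customer is not present

class UnattendedBudget:
    """Rolling-window count of customer-not-present calls, per consent."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so tests control time
        self._calls = defaultdict(deque)    # consent_id -> call timestamps

    def _prune(self, consent_id, now):
        """Drop timestamps that have aged out of the window."""
        calls = self._calls[consent_id]
        while calls and now - calls[0] >= WINDOW_SECONDS:
            calls.popleft()
        return calls

    def try_acquire(self, consent_id, customer_present):
        """Return (allowed, seconds_until_next_slot) and record allowed calls."""
        if customer_present:
            return True, 0.0                # no restriction when present
        now = self._clock()
        calls = self._prune(consent_id, now)
        if len(calls) < MAX_UNATTENDED:
            calls.append(now)
            return True, 0.0
        # Budget spent: report when the oldest recorded call leaves the window.
        return False, calls[0] + WINDOW_SECONDS - now
```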

Pagination

To restrict the size of transaction data, we will split the response messages into pages; pagination will operate with 100 rows per page.
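
A client that walks these pages sends its access token and TLS client certificate with every request, so each next-page link should be checked before it is followed. The loop below is an added example, not YBS code: it assumes the `Data` / `Links.Next` response envelope of the UK Open Banking Read/Write specification, and the account path and responses are constructed placeholders.

```python
from urllib.parse import urlsplit

API_HOST = "ob-ybs.sandbox.ybs.co.uk"  # YBS sandbox hostname from this page
MAX_PAGES = 500                        # assumed cap so a link loop cannot run on

def fetch_all(first_url, get_json, api_host=API_HOST, max_pages=MAX_PAGES):
    """Collect Data.Transaction rows page by page, following Links.Next.

    get_json(url) is the caller's HTTP function; it is where the access
    token and client certificate are attached, so every URL is checked
    before it is called.
    """
    rows, seen, url = [], set(), first_url
    while url:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != api_host:
            raise ValueError(f"refusing link outside {api_host}: {url}")
        if url in seen or len(seen) >= max_pages:
            raise ValueError("pagination loop or page cap reached")
        seen.add(url)
        body = get_json(url)
        rows.extend(body.get("Data", {}).get("Transaction", []))
        url = body.get("Links", {}).get("Next")
    return rows

# Constructed sample: placeholder path, two pages, then a tampered variant.
BASE = f"https://{API_HOST}/placeholder/accounts/acc-1/transactions"
PAGES = {
    BASE: {"Data": {"Transaction": [{"TransactionId": "t1"}]},
           "Links": {"Self": BASE, "Next": BASE + "?page=2"}},
    BASE + "?page=2": {"Data": {"Transaction": [{"TransactionId": "t2"}]},
                       "Links": {"Self": BASE + "?page=2"}},
}
TAMPERED = {BASE: {"Data": {"Transaction": []},
                   "Links": {"Next": "https://collector.example.net/t?page=2"}}}
```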

Sample Data

API Sample Data Link
Identity-v3 https://developers.ybs.co.uk/identity-api-sample-data
Account-v3 https://developers.ybs.co.uk/account-api-sample-data
Payment-v3 https://developers.ybs.co.uk/payment-and-standing-order-api-sample-data
Confirmationoffunds-v3 https://developers.ybs.co.uk/confirmationoffunds-api-sample-data
Registration-v1 https://developers.ybs.co.uk/registration-api-sample-data