Access scopes map to a subset of the consent negotiated between the resource owner (the customer) and the client (the third-party provider, TPP). Scopes dictate what data the client can access and what services the client can consume.
When an application wants to access a protected resource on behalf of a user, it must obtain an access token from the authorisation server. As part of this process, the application specifies the desired access scopes that it needs to perform its intended operations.
The authorisation server uses the requested scopes to determine the level of access that the application is granted. The user, during the authentication and authorisation process, may be prompted to review and consent to the requested scopes, thereby controlling the access privileges granted to the application.
By using access scopes, the Access Authorisation APIs provide a fine-grained control mechanism that ensures applications only have access to the specific resources and actions that are necessary and have been authorised by the user.
FAQ:
- What scopes are expected to be passed in the authorisation request (POST /authorize) when attempting to initiate a payment?
The PAYMENTS_MULTIPLE scope is sufficient for a payment initiation. Please refer to the Access Authorization and Business Access Authorization API documentation and the Postman and Swagger files (Nordea API Market).
Note: When the "account_list" parameter is set to "ALL_WITH_CARDS", "CARDS_INFORMATION" must be added to the scope. The "CARDS_INFORMATION" scope is only available for the personal customer segment; when it is used for any other segment, the following error is returned:
{
  "code": "error.parameters.invalid",
  "description": "Invalid scopes"
}
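The two scope rules above (ALL_WITH_CARDS needs CARDS_INFORMATION, and CARDS_INFORMATION is personal-segment only) are easy to get wrong on the client side. The following pre-check is an added example, not Nordea's code; the function names, the "scope" key name, the customer segment labels and the account_list value "ALL" are assumptions, and the error body is the one documented above.

```python
import json

# Error body documented for an invalid scope combination.
INVALID_SCOPES_ERROR = {"code": "error.parameters.invalid", "description": "Invalid scopes"}


def check_authorize_scopes(scopes, account_list, customer_segment, intent):
    """Pre-check the scope part of a POST /authorize request before sending it.

    Returns (error, warnings): `error` is the documented error body when the
    request would be rejected for its scopes, otherwise None; `warnings` lists
    least-privilege findings that do not cause a rejection.
    Segment labels ("personal"/"corporate") and intent names are assumptions.
    """
    scope_set = set(scopes)
    # Documented rule: account_list=ALL_WITH_CARDS requires CARDS_INFORMATION in the scope.
    if account_list == "ALL_WITH_CARDS" and "CARDS_INFORMATION" not in scope_set:
        return dict(INVALID_SCOPES_ERROR), []
    # Documented rule: CARDS_INFORMATION is only available for personal customers.
    if "CARDS_INFORMATION" in scope_set and customer_segment != "personal":
        return dict(INVALID_SCOPES_ERROR), []
    warnings = []
    if intent == "payment_initiation":
        # Payment initiation is documented to need only PAYMENTS_MULTIPLE
        # (plus CARDS_INFORMATION when the account list demands it).
        needed = {"PAYMENTS_MULTIPLE"}
        if account_list == "ALL_WITH_CARDS":
            needed.add("CARDS_INFORMATION")
        if "PAYMENTS_MULTIPLE" not in scope_set:
            warnings.append("payment initiation without PAYMENTS_MULTIPLE")
        extra = sorted(scope_set - needed)
        if extra:
            warnings.append("scopes beyond what payment initiation needs: " + ", ".join(extra))
    return None, warnings


def build_authorize_body(scopes, account_list):
    """Serialise the scope-related part of the request body (key names are assumptions)."""
    return json.dumps({"scope": sorted(set(scopes)), "account_list": account_list}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a corporate client asking for card data, which is rejected.
    err, warns = check_authorize_scopes(["PAYMENTS_MULTIPLE", "CARDS_INFORMATION"],
                                        "ALL_WITH_CARDS", "corporate", "payment_initiation")
    print(err)
```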
- Is there a way to identify what access type a user has?
Yes, you can check which assets the user has access to via the /assets endpoint of the authorisation API. Please refer to the Access Authorisation API documentation and the Postman and Swagger files (Nordea API Market).
Note: Access scopes are defined in a consent.