Consent Engine

Here you will find a map of one part of the Open Finance infrastructure: the Consent Engine, whose APIs are responsible for managing customer consent for the integrations that may take place. Its functions are:

  • create Consent;

  • validate a Consent;

  • update the Consent approvers;

  • update the Consent’s permissions;

  • authorize a Consent;

  • reject a Consent;

  • revoke a Consent;

  • update the resources of a Consent.

BACEN’s official specifications for Consent Engine (in Portuguese).

The Open Finance Brasil specifies two groups of institutions that can participate in the integration ecosystem:

  • Transmitting Institutions - Account Servicing Payment Service Providers (ASPSP): An ASPSP is any financial institution that offers a payment account with online access. ASPSPs must expose APIs through which registered third parties (TPPs) can access account information.

  • Provider Institutions - Third Party Providers (TPP): Provider institutions are organizations that use APIs developed by ASPSPs to access customer accounts in order to provide account information services.

The TPP Consent Journey APIs are used by Financial Institutions (FIs) to perform a consent request on behalf of the user at another FI. Open Finance requires FIs to integrate with one another, and these APIs abstract away the complexity of that integration.

The ASPSP Consent Journey APIs enable a Financial Institution (FI) to receive consent requests and data-consumption requests from other FIs. In addition, they facilitate the integration of the customer journey for consent approvals, including multi-level approvals.

Interceptors

To expose your Open Finance APIs for consumption, you need to add specific interceptors that perform validations and fundamental tasks in the context of Open Finance. We offer ready-made custom interceptors in the Admin Portal. [under construction]

The interceptors for Open Finance are:

  • Access Token Authorization;

  • Certificate Extractor;

  • Update Location;

  • Consent Validation;

  • Signature Validation;

  • Permissions Validation.

Access Token Authorization

This interceptor is required for every exposed API related to Open Finance. Access Token Authorization validates the access token presented in the request.

Certificate Extractor

As the name implies, the Certificate Extractor extracts the certificate from the incoming request and passes it along, so that the certificate can be parsed and the associated bindings and validations performed.

Update Location

Incoming requests first go through the API Gateway before they reach the Authorization Server. The Authorization Server then performs internal redirections, creating domains for the internal calls. Update Location rewrites the addresses of these domains so that they are visible to the requester.

Consent Validation

The Consent Validation interceptor is used together with the Permissions Validation interceptor to verify that the consent the user created at the ASPSP, and the permissions of the API being accessed, conform to the permission groupings defined by Open Finance Brasil.

Signature Validation

This interceptor is used in the payment initiation flow to validate the JWS messages sent by the initiating institution. It can be applied to both the request and the response flow of the API and is responsible for validating the payload, the signature and the base64 encoding.
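As an added example (not code from the original page or from the platform it documents), the checks described for this interceptor applied to a compact JWS in Go: three-part structure, base64url decoding of each part, the alg header and the RSA-PSS signature, returning the decoded payload for further checks. It assumes PS256 (RSA-PSS with SHA-256), the JWS algorithm used in the Open Finance Brasil payments profile, and uses a locally generated RSA key pair in place of the initiating institution's certificate-bound key; signJWS only exists to produce constructed input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// PS256 is RSA-PSS over SHA-256 with a salt as long as the hash output.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
// verifyJWS applies the interceptor's checks to a compact JWS and returns the payload.
func verifyJWS(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected header.payload.signature")
	}
	var raw [3][]byte
	for i, p := range parts { // JWS parts are unpadded base64url
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("jws: part is not valid base64url: " + p)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "PS256" {
		return nil, errors.New("jws: header alg must be PS256")
	}
	// The signature covers the header and payload exactly as encoded on the wire.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], raw[2], pssOpts); err != nil {
		return nil, errors.New("jws: signature does not verify")
	}
	return raw[1], nil
}
// signJWS is the initiating institution's side, included only to produce constructed test input.
func signJWS(payload []byte, priv *rsa.PrivateKey) (string, error) {
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"PS256","typ":"JOSE"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
```

A tampered payload, an `alg` other than PS256, a malformed token or a signature from a different key all fail, while the original message verifies and yields its payload.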

Permissions Validation

This interceptor validates against the permission set defined by Open Finance Brasil for accessing customer resources at the ASPSP institution. Once it is configured, the API checks that the consent contains the permissions required to access the resource. Each interceptor instance must be configured with only the permissions strictly necessary to access its specific resource.
