openapi: 3.0.1
info:
title: Token.io's Open Banking API for TPPs
description: >-
<b>Token.io's Open Banking API</b><br/><br/>Token.io Support: <a
href="https://support.token.io"
target="_blank">support.token.io</a><br/><br/>The Token.io Open Banking API
enables you to connect securely with banks for a range of
services.<br/><br/> Using our API you can: <ul><li>provide authorized access
to an authenticated user's account information</li><li>get information on
specific banks</li><li>initiate authorization with a user-selected
bank</li><li>initiate and track single immediate payments and future dated
payments</li><li>use variable recurring payments (VRP) to grant long-held
consents to Payment Initiation Service Providers (PISPs) to initiate series
of payments from users' bank accounts</li><li>carry out settlements,
payments and refunds using our settlement accounts</li></ul><br/>For more
information see our <a
href="https://developer.token.io/token_rest_api_doc/content/e-rest/dashboard-intro.htm"
target="_blank">developer documentation</a>.
version: ''
servers:
- url: https://api.token.io
tags:
- name: Payments v2
description: >-
Creates and initiates a single immediate payment or a future-dated
payment. Also supports initiating a Variable Recurring Payment (VRP) using
an existing VRP mandate that has been created and authorised via the
`/vrp-consent` endpoint.
- name: Pay by Link
description: >-
These endpoints allow you to create and manage payment links. Payment
links are reusable or single-use payment URLs that can be shared with
customers, supporting fixed or variable amounts, usage limits, and
expiration dates.
- name: Account on File
description: >-
These endpoints allow you to create and manage an Account on File from
bank account details. The Account on File can then be used in other API
requests instead of sending the full account details.
- name: Requests - for Payments v1 or AIS
description: >-
These endpoints allow you to initiate a Payments v1 request or an AIS
request, and retrieve the status of the request.
- name: Transfers - for Payments v1
description: >-
These endpoints relate to transfers, which are requests to move money
between accounts.
- name: Variable Recurring Payments
description: >-
These endpoints enable you to initiate Variable Recurring Payments (VRP).
Note that VRP is also available in the Payments v2 API.
x-internal: true
- name: Refunds
description: >-
These endpoints allow you to handle registration, posting, and retrieval
of refunds associated with original transaction account information.
- name: Payouts
description: These endpoints allow you to make payouts.
x-internal: true
- name: Settlement Accounts
description: >-
These endpoints provide authorized access to an authenticated user's
settlement account information, enabling you to create settlement
accounts, retrieve settlement account details, transactions and payouts,
and manage settlement rules.
x-internal: true
- name: Accounts
description: >-
These endpoints provide authorized access to an authenticated user's
account information.
- name: Tokens
description: >-
These endpoints retrieve all tokens, a filtered list of tokens, or a
specific token, as well as allowing you to cancel an existing token.
- name: Banks v1
description: >-
These endpoints filter and fetch the list of connected banks, get
information on specific banks, and initiate authorization with
user-selected banks using Payments v1.
- name: Banks v2
description: >-
This endpoint filters and fetches the list of connected banks, gets
information on specific banks, and initiates authorization with
user-selected banks using Payments v2.
- name: Sub-TPPs
description: >-
These endpoints are for resellers using Token.io's licence to create,
retrieve and delete sub-TPPs.
- name: Authentication keys
description: >-
These endpoints are for managing the public keys that are used for JWT
authentication.
- name: Reports
description: >-
These endpoints retrieve the current AIS and PIS status of connected
banks.
x-internal: true
- name: Webhooks
description: >-
These endpoints configure, retrieve and remove webhooks. See <a
href="https://developer.token.io/token_rest_api_doc/content/e-rest/api-basics.htm#Webhook"
target="_blank">Webhooks</a> for more details.
paths:
/accounts:
get:
tags:
- Accounts
summary: Get information for all accounts
description: >-
The `GET /accounts` endpoint retrieves information for all bank
accounts.
operationId: GatewayService.GetAccounts
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to four TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetAccountsResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_400'
'401':
description: The authorization information is missing or invalid
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_401'
'403':
description: Permission to access this endpoint is denied
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_403'
'404':
description: The requested entity, such as a payment, was not found
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_404'
'429':
description: Too many requests
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_429'
'500':
description: An unexpected or internal server error
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_500'
'501':
description: The operation was not implemented
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_501'
'503':
description: Service is unavailable
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_503'
'504':
description: Gateway has timed out
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_504'
deprecated: false
security:
- Bearer: []
- BasicAuth: []
x-hideTryItPanel: true
/accounts/{accountId}:
get:
tags:
- Accounts
summary: Get account information
description: >-
The `GET /accounts/{accountId}` endpoint retrieves the information for a
specific bank account.
operationId: GatewayService.GetAccount
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: accountId
in: path
description: >-
The system-generated, unique bank account id, which specifies the
account for which the information is requested.
required: true
style: simple
explode: false
schema:
type: string
example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to 4 TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetAccountResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_400'
'401':
description: The authorization information is missing or invalid
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_401'
'403':
description: Permission to access this endpoint is denied
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_403'
'404':
description: The requested entity, such as a payment, was not found
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_404'
'429':
description: Too many requests
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_429'
'500':
description: An unexpected or internal server error
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_500'
'501':
description: The operation was not implemented
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_501'
'503':
description: Service is unavailable
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_503'
'504':
description: Gateway has timed out
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_504'
deprecated: false
security:
- Bearer: []
- BasicAuth: []
x-hideTryItPanel: true
/account-balance:
get:
tags:
- Accounts
summary: Get account balances
description: >-
The `GET /account-balance` endpoint retrieves the balances for multiple
bank accounts.
operationId: GatewayService.GetBalances
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to 4 TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
- name: accountId
in: query
description: >-
A list of account ids for which you wish to retrieve account
balances. Each `accountId` should be specified separately as
`accountId=a:xxx:xxx&accountId=a:yyy:yyy`.
required: false
style: form
explode: true
schema:
type: array
items:
type: string
example:
- a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
- a:9TFpwkcQmcsMbdjQcpdjfsEBosDw28503fAAGPEMF2MVF19hfk3nc
- a:rtmv254gaskGLdkadQvdNesk2Y9ferbvpaom5mvepm0mv2nfGnaix
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetBalancesResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_400'
'401':
description: The authorization information is missing or invalid
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_401'
'403':
description: Permission to access this endpoint is denied
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_403'
'404':
description: The requested entity, such as a payment, was not found
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_404'
'429':
description: Too many requests
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_429'
'500':
description: An unexpected or internal server error
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_500'
'501':
description: The operation was not implemented
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_501'
'503':
description: Service is unavailable
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_503'
'504':
description: Gateway has timed out
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_504'
deprecated: false
security:
- Bearer: []
- BasicAuth: []
x-hideTryItPanel: true
/accounts/{accountId}/balance:
get:
tags:
- Accounts
summary: Get an account balance
description: >-
The `GET /accounts/{accountId}/balance` endpoint retrieves the balance
for a given bank account.
operationId: GatewayService.GetBalance
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to 4 TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
- name: accountId
in: path
description: >-
The unique bank account id, which specifies the account for which
the information is requested.
required: true
style: simple
explode: false
schema:
type: string
example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetBalanceResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_400'
'401':
description: The authorization information is missing or invalid
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_401'
'403':
description: Permission to access this endpoint is denied
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_403'
'404':
description: The requested entity, such as a payment, was not found
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_404'
'429':
description: Too many requests
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_429'
'500':
description: An unexpected or internal server error
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_500'
'501':
description: The operation was not implemented
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_501'
'503':
description: Service is unavailable
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_503'
'504':
description: Gateway has timed out
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_504'
deprecated: false
security:
- Bearer: []
- BasicAuth: []
x-hideTryItPanel: true
/accounts/{accountId}/standing-orders:
get:
tags:
- Accounts
summary: Get information for all standing orders
description: >-
The `GET /accounts/{accountId}/standing-orders` endpoint retrieves
information for all standing orders in a given account, once consent has
been given.
operationId: GatewayService.GetStandingOrders
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to 4 TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
- name: accountId
in: path
description: >-
The unique bank account id, which specifies the account for which
the information is requested.
required: true
schema:
type: string
example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
- name: page.offset
in: query
description: >-
The offset for the current page. If the offset has been provided in
the request, this offset will be equal to the provided one. But if
no offset was provided in the request (<i>i.e.</i> this is the first
page) and the page is not empty, this field will be populated with a
non-empty string. This may be helpful for loading the same page
again, which might not always be possible with an empty offset due
to the dynamic nature of the data. <br/>The offset is not visible to a
user and should not be parsed or interpreted in any way.
required: false
style: form
explode: true
schema:
type: string
example: LerV6Jmex
- name: page.limit
in: query
description: The maximum number of records to return. This must be less than 200.
required: true
style: form
explode: true
schema:
type: integer
format: int32
example: 175
default: 1
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetStandingOrdersResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_400'
'401':
description: The authorization information is missing or invalid
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_401'
'403':
description: Permission to access this endpoint is denied
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_403'
'404':
description: The requested entity, such as a payment, was not found
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_404'
'429':
description: Too many requests
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_429'
'500':
description: An unexpected or internal server error
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_500'
'501':
description: The operation was not implemented
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_501'
'503':
description: Service is unavailable
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_503'
'504':
description: Gateway has timed out
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_504'
deprecated: false
security:
- Bearer: []
- BasicAuth: []
x-hideTryItPanel: true
x-internal: true
/accounts/{accountId}/standing-orders/{standingOrderId}:
get:
tags:
- Accounts
summary: Get standing order information
description: >-
The `GET /accounts/{accountId}/standing-orders/{standingOrderId}`
endpoint retrieves information for a specific standing order in a given
account, once consent has been given.
operationId: GatewayService.GetStandingOrder
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to 4 TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
- name: accountId
in: path
description: >-
The system-generated, unique bank account id, which specifies the
account for which the information is requested.
required: true
schema:
type: string
example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
- name: standingOrderId
in: path
required: true
schema:
type: string
description: >-
The unique standing order identifier, which specifies the standing
order requested.
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetStandingOrderResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
schema:
$ref: '#/components/schemas/inline_response_400'
deprecated: false
security:
- Bearer: []
- BasicAuth: []
x-hideTryItPanel: true
x-internal: true
/accounts/{accountId}/transactions:
get:
tags:
- Accounts
summary: Get account transactions
description: >-
The `GET /accounts/{accountId}/transactions` endpoint retrieves
information for all transactions in a given account.
operationId: GatewayService.GetTransactions
parameters:
- name: on-behalf-of
in: header
description: The `tokenId` represents the consent granted by the user (PSU).
schema:
type: string
required: true
example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
- name: token-customer-ip-address
in: header
description: >-
The user's IP address if the user is currently logged in with the
TPP. If the customer IP address is supplied (recommended), it is
inferred that the user is present during the session (<i>i.e.</i>,
the request is user-initiated; adding a `customer-initiated` =
`true` header makes this explicit). For AIS calls, if the customer's
IP address is not provided in the request, the bank assumes it is a
TPP-initiated request and may limit the TPP to 4 TPP-initiated
access attempts within a given 24-hour period.
schema:
type: string
format: ipv4
required: false
example: 172.16.254.1
- name: accountId
in: path
description: >-
The system-generated unique bank account id, which specifies the
account for which the information is requested.
required: true
style: simple
explode: false
schema:
type: string
example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
- name: page.offset
in: query
description: >-
The offset for the current page. If the offset has been provided in
the request, this offset will be equal to the provided one. But if
no offset was provided in the request (<i>i.e.</i> this is the first
page) and the page is not empty, this field will be populated with a
non-empty string. This may be helpful for loading the same page
again, which might not always be possible with an empty offset due
to the dynamic nature of the data. <br/>The offset is not visible to a
user and should not be parsed or interpreted in any way.
required: false
style: form
explode: true
schema:
type: string
example: LerV6Jmex
- name: page.limit
in: query
description: The maximum number of records to return. This must be less than 200.
required: true
style: form
explode: true
schema:
type: integer
format: int32
example: 175
default: 1
- name: startDate
in: query
description: >-
The earliest transaction date requested, in <a
href="https://www.iso.org/iso-8601-date-and-time-format.html"
target="_blank">ISO 8601</a> format.
required: false
style: form
explode: true
schema:
type: string
example: '2022-06-15'
- name: endDate
in: query
description: >-
The latest transaction date requested, in <a
href="https://www.iso.org/iso-8601-date-and-time-format.html"
target="_blank">ISO 8601</a> format.
required: false
style: form
explode: true
schema:
type: string
example: '2022-11-30'
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/GetTransactionsResponse'
'400':
description: The client specified an invalid argument
content:
application/json:
# --- truncated at 32 KB (703 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/token-io/refs/heads/main/openapi/token-io-openapi.yml