Skip to content

Token.io's Open Banking API for TPPs

Token.io's Open Banking API

Token.io Support: support.token.io

The Token.io Open Banking API enables you to connect securely with banks for a range of services.

Using our API you can:

  • provide authorized access to an authenticated user's account information
  • get information on specific banks
  • initiate authorization with a user-selected bank
  • initate and track single immediate payments and future dated payments
  • use variable recurring payments (VRP) to grant long-held consents to Payment Initiation Service Providers (PISPs) to initiate series of payments from users' bank accounts
  • carry out settlements, payments and refunds using our settlement accounts

For more information see our developer documentation.

Download OpenAPI description
index.json
index.yaml
Languages
Servers
https://api.token.io

Payments v2

Creates and initiates a single immediate payment or a future-dated payment. Also supports initiating a Variable Recurring Payment (VRP) using an existing VRP mandate that has been created and authorised via the /vrp-consent endpoint.

Operations

Requests - for Payments v1 or AIS

These endpoints allow you to initiate a Payments v1 request or an AIS request, and retrieve the status of the request.

Operations

Transfers - for Payments v1

These endpoints relate to transfers, which are requests to move money between accounts.

Operations

Variable Recurring Payments

These endpoints enable you to initiate Variable Recurring Payments (VRP). Note, that VRP is also available in Payments v2 API.

Operations

Refunds

These endpoints allow you to handle registration, posting, and retrieval of refunds associated with original transaction account information.

Operations

Payouts

These endpoints allow you to make payouts.

Operations

Settlement Accounts

These endpoints provide authorized access to an authenticated user's settlement account information, enabling you to create settlement accounts, retrieve settlement account details, transactions and payouts, and manage settlement rules.

Operations

Accounts

These endpoints provide authorized access to an authenticated user's account information.

Operations

Get information for all accounts

Request

The GET /accounts endpoint retrieves information for all bank accounts.

Security
Bearer or BasicAuth
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to four TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  https://api.token.io/accounts \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
accountsArray of objects(Account)
Response
application/json
{
  "accounts": [
    {}
  ]
}

Get account information

Request

The GET /accounts/{accountId} endpoint retrieves the information for a specific bank account.

Security
Bearer or BasicAuth
Path
accountIdstring

The system-generated, unique bank account id, which specifies the account for which the information is requested.

Example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  https://api.token.io/accounts/a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
accountobject(Account)

Contains information about the requested bank account.

Response
application/json
{
  "account": {
    "accountDetails": {},
    "accountFeatures": {},
    "bankId": "ob-modelo",
    "id": "a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV",
    "isLocked": false,
    "name": "John A Smith"
  }
}

Get account balances

Request

The GET /account-balance endpoint retrieves the balances for multiple bank accounts.

Security
Bearer or BasicAuth
Query
accountIdArray of strings

A list of account ids for which you wish to retrieve account balances. Each accountId should be specified separately as accountId=a:xxx:xxx&accountId=a:yyy:yyy.

Example: accountId=a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV&accountId=a:9TFpwkcQmcsMbdjQcpdjfsEBosDw28503fAAGPEMF2MVF19hfk3nc&accountId=a:rtmv254gaskGLdkadQvdNesk2Y9ferbvpaom5mvepm0mv2nfGnaix
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  'https://api.token.io/account-balance?accountId=a%3A8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4%3A5zKcENpV%2Ca%3A9TFpwkcQmcsMbdjQcpdjfsEBosDw28503fAAGPEMF2MVF19hfk3nc%2Ca%3Artmv254gaskGLdkadQvdNesk2Y9ferbvpaom5mvepm0mv2nfGnaix' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
responseArray of objects(GetBalanceResponse)

An array of objects containing balance information for each account requested.

Response
application/json
{
  "response": [
    {}
  ]
}

Get an account balance

Request

The GET /accounts/{accountId}/balance endpoint retrieves the balance for a given bank account.

Security
Bearer or BasicAuth
Path
accountIdstring

The unique bank account id, which specifies the account for which the information is requested.

Example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  https://api.token.io/accounts/a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV/balance \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
balanceobject(Balance)

Relevant information associated with the monetary balance of an individual account.

statusstring(RequestStatus)

Specifies the status of the request.

Default "INVALID_REQUEST"
Enum"INVALID_REQUEST""SUCCESSFUL_REQUEST""MORE_SIGNATURES_NEEDED"
Example: "SUCCESSFUL_REQUEST"
Response
application/json
{
  "balance": {
    "accountId": "a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV4",
    "available": {},
    "current": {},
    "otherBalances": []
  },
  "status": "SUCCESSFUL_REQUEST"
}

Get information for all standing orders

Request

The GET /accounts/{accountId}/standing-orders endpoint retrieves information for all standing orders in a given account, once consent has been given.

Security
Bearer or BasicAuth
Path
accountIdstring

The unique bank account id, which specifies the account for which the information is requested.

Example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
Query
page.offsetstring

The offset for the current page. If the offset has been provided in the request, this offset will be equal to the provided one. But if no offset was provided in the request (i.e. this is the first page) and the page is not empty, this field will be populated with a non-empty string. This may be helpful for loading the same page again, which might not always be possible with an empty offset due to a dynamic nature of the data.
The offset is not visible to a user and should not be parsed and/or understood in any way.

Example: page.offset=LerV6Jmex
page.limitinteger(int32)required

The maximum number of records to return. This must be less than 200.

Default 1
Example: page.limit=175
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  'https://api.token.io/accounts/a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV/standing-orders?page.offset=LerV6Jmex&page.limit=175' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
offsetstring

The offset of the first item returned in the collection.

Example: "LerV6Jmex"
standingOrdersArray of objects(StandingOrder)
statusstring(RequestStatus)

Specifies the status of the request.

Default "INVALID_REQUEST"
Enum"INVALID_REQUEST""SUCCESSFUL_REQUEST""MORE_SIGNATURES_NEEDED"
Example: "SUCCESSFUL_REQUEST"
Response
application/json
{
  "offset": "LerV6Jmex",
  "standingOrders": [
    {}
  ],
  "status": "SUCCESSFUL_REQUEST"
}

Get standing order information

Request

The GET /accounts/{accountId}/standing-orders/{standingOrderId} endpoint retrieves information for a specific standing order in a given account, once consent has been given.

Security
Bearer or BasicAuth
Path
accountIdstring

The system-generated, unique bank account id, which specifies the account for which the information is requested.

Example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
standingOrderIdstringrequired

The unique standing order identifier, which specifies the standing order requested.

Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  'https://api.token.io/accounts/a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV/standing-orders/{standingOrderId}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
standingOrderobject(StandingOrder)

Contains the list of requested standing order records retrieved.

statusstring(RequestStatus)

Specifies the status of the request.

Default "INVALID_REQUEST"
Enum"INVALID_REQUEST""SUCCESSFUL_REQUEST""MORE_SIGNATURES_NEEDED"
Example: "SUCCESSFUL_REQUEST"
Response
application/json
{
  "standingOrder": {
    "createdAtMs": 1729212980771,
    "creditorEndpoint": {},
    "frequency": "WEEK",
    "id": "tt:83KiRJuXmEDV5m2b8ZvLGE91ELf7PPw5BaDab98kMguu:3VMczyq7r7b6HwC",
    "providerStandingOrderDetails": {},
    "status": "PROCESSING",
    "tokenId": "tt:8zK1dic95omjWb72gvc3z3ELKbTNfnGd89MbDnM73er4:ZhBVAJSH8DeU1",
    "tokenSubmissionId": "12345678"
  },
  "status": "SUCCESSFUL_REQUEST"
}

Get account transactions

Request

The GET /accounts/{accountId}/transactions endpoint retrieves information for all transactions in a given account.

Security
Bearer or BasicAuth
Path
accountIdstring

The system-generated unique bank account id, which specifies the account for which the information is requested.

Example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
Query
page.offsetstring

The offset for the current page. If the offset has been provided in the request, this offset will be equal to the provided one. But if no offset was provided in the request (i.e. this is the first page) and the page is not empty, this field will be populated with a non-empty string. This may be helpful for loading the same page again, which might not always be possible with an empty offset due to a dynamic nature of the data.
The offset is not visible to a user and should not be parsed and/or understood in any way.

Example: page.offset=LerV6Jmex
page.limitinteger(int32)required

The maximum number of records to return. This must be less than 200.

Default 1
Example: page.limit=175
startDatestring

The earliest transaction date requested, in ISO 8601 format.

Example: startDate=2022-06-15
endDatestring

The latest transaction date requested, in ISO 8601 format.

Example: endDate=2022-11-30
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  'https://api.token.io/accounts/a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV/transactions?page.offset=LerV6Jmex&page.limit=175&startDate=2022-06-15&endDate=2022-11-30' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
offsetstring

The offset of the first item returned in the collection.

Example: "LerV6Jmex"
statusstring(RequestStatus)required

Specifies the status of the request.

Default "INVALID_REQUEST"
Enum"INVALID_REQUEST""SUCCESSFUL_REQUEST""MORE_SIGNATURES_NEEDED"
Example: "SUCCESSFUL_REQUEST"
transactionsArray of objects(Transaction)
Response
application/json
{
  "offset": "LerV6Jmex",
  "status": "SUCCESSFUL_REQUEST",
  "transactions": [
    {}
  ]
}

Get transaction information

Request

The GET /accounts/{accountId}/transaction/{transactionId} endpoint retrieves information for a specific transaction in a given account.

Security
Bearer or BasicAuth
Path
accountIdstring

The unique bank account id, which specifies the account for which the information is requested.

Example: a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV
transactionIdstringrequired

The unique transaction identifier, which specifies the transaction requested.

Example: 42909b155d4942299c39017686b5dc36
Headers
on-behalf-ofstringrequired

The tokenId represents the consent granted by the user (PSU).

Example: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq
token-customer-ip-addressstring(ipv4)

The user's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a customer-initiated = true header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period.

Example: 172.16.254.1
curl -i -X GET \
  https://api.token.io/accounts/a:8DbPteGnytmMbKXdnWTReeRB6cYWKXZ84JgLTBC7fKL4:5zKcENpV/transaction/42909b155d4942299c39017686b5dc36 \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'on-behalf-of: ta:3eYPU1BEKKunfmYgQuSKXFCeo851C5Y3XiZW3XA465TU:5zKtXEAq' \
  -H 'token-customer-ip-address: 172.16.254.1'

Responses

Successful response

Bodyapplication/json
statusstring(RequestStatus)required

Specifies the status of the request.

Default "INVALID_REQUEST"
Enum"INVALID_REQUEST""SUCCESSFUL_REQUEST""MORE_SIGNATURES_NEEDED"
Example: "SUCCESSFUL_REQUEST"
transactionobject(Transaction)

Information about the requested transaction.

Response
application/json
{
  "status": "SUCCESSFUL_REQUEST",
  "transaction": {
    "amount": {},
    "bankTransactionCode": {},
    "bankTransactionId": "83KiRJuXmEDV5m2b8ZvLGE91ELf7PPw5BaDab98kMguu:3VMczyq7r7b6HwC",
    "createdAtMs": 1729212980771,
    "creditorEndpoint": {},
    "description": "Payment",
    "id": "tt:83KiRJuXmEDV5m2b8ZvLGE91ELf7PPw5BaDab98kMguu:3VMczyq7r7b6HwC",
    "metadata": {},
    "providerTransactionDetails": {},
    "status": "PROCESSING",
    "tokenId": "tt:8zK1dic95omjWb72gvc3z3ELKbTNfnGd89MbDnM73er4:ZhBVAJSH8DeU1",
    "tokenTransferId": "t:2UhwCZ3BMaEcAUK8bZdukor7NL4tH6TBuu6aJMp5KKfX:5zKcENpV",
    "type": "INVALID_TYPE"
  }
}

Tokens

These endpoints retrieve all tokens, a filtered list of tokens, or a specific token, as well as allowing you to cancel an existing token.

Operations

Banks v1

These endpoints filter and fetch the list of connected banks, get information on specific banks, and initiate authorization with user-selected banks using Payments v1.

Operations

Banks v2

This endpoint filters and fetches the list of connected banks, gets information on specific banks, and initiates authorization with user-selected banks using Payments v2.

Operations

Sub-TPPs

These endpoints are for resellers using Token.io's licence to create, retrieve and delete sub-TPPs.

Operations

Authentication keys

These endpoints are for managing the public keys that are used for JWT authentication.

Operations

Reports

These endpoints retrieve the current AIS and PIS status of connected banks.

Operations

Webhooks

These endpoints configure, retrieve and remove webhooks. See Webhooks for more details.

Operations

Verification

Operations
© 2025 TOKEN, INC. ALL RIGHTS RESERVED.