The following sections provide basic information about how Token.io's API is structured.
Correlated in the following table, the {{BASE_URL}} for calls and redirects depends on the environment in which you're operating.
| Environment | BASE_URL |
|---|---|
| Hosted Pages Redirect v1 (for consent) | |
| Production | https://web-app.token.io |
| Sandbox | https://web-app.sandbox.token.io |
| Hosted Pages Redirect v2 (for consent) | |
| Production | https://app.token.io |
| Sandbox | https://app.sandbox.token.io |
| API calls | |
| Production | https://api.token.io |
| Sandbox | https://api.sandbox.token.io |
Be sure to include the BASE_URL for the appropriate environment and purpose in each call.
In order to successfully send API requests, TPPs must send a set of HTTP headers that allow the bank to check the request's validity. This includes signing the request with a qualified certificate.
Formulate the required headers for the Token.io API in accordance with these formatting rules:
Headers are case-insensitive
Header fields must be separated by a colon
Key-value pairs must be in clear-text string format
Denote the end of the header section with an empty field header
For a general review of HTTP 1.1 header formatting, see https://www.rfc-editor.org/rfc/rfc9110.html.
The Authorization header field is mandatory and must be included in all relevant requests.
The token-customer-ip-address header field is recommended and should be included in all relevant requests.
The table below describes the common request headers.
| Header Field | Description/Purpose | POST Requests | GET Requests |
|---|---|---|---|
Authorization | Passes valid credentials constructed for either API key authentication (Basic) or JWT authentication (Bearer) authentication schemes. Ex: Use the links above for basic and bearer authentication to see the respective format and examples. | Mandatory | Mandatory |
customer-initiated | Boolean. Lets the bank know that the API call was explicitly initiated by the user. Useful in circumnavigating bank restrictions that impose a 4-times-a-day (i.e., the same 24-hour period) access limit on the same AISP in accordance with RTS regulations. | Optional | Optional |
request-timeout | Integer. Sets the number of elapsed seconds until the call is aborted with a DEADLINE_EXCEEDED exception due to no response received. | Optional | Optional |
token-customer-last-logged-time | Time when the user last logged in with the TPP | Optional | Optional |
token-customer-ip-address | User's IP address if the user is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the user is present during the session (i.e., the request is user-initiated; adding a "customer-initiated": "true" header makes this explicit).For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period. Ex: 172.16.254.1 | Recommended | Recommended |
token-customer-device-id | Obtained by the TPP from details in the user agent information of the user. Ex: 00000000-00000000-01234567-89ABCDEF | Optional | Optional |
token-customer-user-agent | Specifies the user agent for the user.. Format: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversionEx: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0If the user is using the TPP's mobile app, make sure the mobile app user-agent string is different than browser-based user-agent strings | Optional | Optional |
token-json-error | Boolean. Converts the error response, if any, to JSON format. | Optional | Optional |
Headers included in the response do not directly relate to the content of the message, and not all headers appearing in the response are categorised as response headers. In general, response-header fields allow the responding server to pass additional information about the response that cannot be placed in the Status-Line.
W3C standard and non-standard response header field definitions can be found in https://www.rfc-editor.org/rfc/rfc9110.html.
In Token.io responses to TPP requests, the most important non-standard field is tokenTraceId. This string value is unique to a single request-response flow, captured from the originating request and sent across to the bank to be stored with the request throughout its lifecycle. Serving primarily as an audit-trail aid, TTID is valuable for debugging the message exchange flow during sandbox testing, and for issue resolution in production.
api.token.io adds a tokenTraceId header when it responds to TPP requests. TPPs are encouraged to propagate the tokenTraceId header so that users lacking access to the TPP's logs can provide the TTID when creating a support ticket, thereby giving a precise trace to isolate in the logs during issue investigation.
When the bank reports a 5xx error, Token.io sets "token-external-error":= "true" as a header in the HTTP response, indicating that the "internal" error originates from the bank. When one of Token.io's internal services fails or when the bank reports a 4xx error, this header is not populated.
The absence of this response header should be interpreted as "token-external-error"= "false".
This field will be populated if the status is final and the payment is not successful, and there has been an error that caused payment rejection, or prevented us from reaching the bank and updating the status within allotted time.
The tokenExternalError field can be populated as a result of both 4xx and 5xx errors. We recommend that you only rely on it for 5xx errors.
The Token.io platform supports the following error codes:
gRPC
HTTP
JSON
When a gRPC call completes successfully, the server returns an OK status to the client. If a call isn't successful, gRPC returns one of its error status codes instead, with an optional string error message that provides further details about what happened.
A "bank error" (an error occurring during bank processing of a TPP request) will have a gRPC error code of 12, which means the payment or account information access operation requested is not currently supported/implemented by the bank. Such conditions can be avoided with more granular filtering of bankfeatures using GET v2/banks.
| Error Enum | Value | Meaning |
|---|---|---|
OK | 0 | Operation completed successfully |
CANCELED | 1 | Operation was canceled; typically, by the caller |
UNKNOWN | 2 | Unknown error; e.g., a status value was received from an unknown error space or an API call returned an error with incomplete information. A special case that will generate an Error 2 is when an access_denied status is returned by the bank. This invariably occurs when the user cancels, rejects, or otherwise fails to give consent and authorisation approval to the bank for the TPP's request. |
INVALID_ARGUMENTS | 3 | Client specified an incomplete argument |
DEADLINE_EXCEEDED | 4 | Deadline expired before operation could complete |
NOT_FOUND | 5 | Requested entity, such as a file or directory, was not found |
ALREADY_EXISTS | 6 | Attempt to create entity, such as a file or directory, that already exists |
PERMISSION_DENIED | 7 | Caller does not have the required permission to execute the operation specified. This error message will be accompanied by the reason from the bank. Typically means the access token has expired and the TPP needs its user to re-authenticate with the bank |
RESOURCE_EXHAUSTED | 8 | Resource, such as a per-user quota or file system, is exhausted (out of space) |
FAILED_PRECONDITION | 9 | Operation rejected because the current system state cannot support execution |
ABORTED | 10 | Operation aborted; typically, a concurrency issue is the cause |
OUT_OF_RANGE | 11 | Operation attempted exceeds the valid range; e.g., seeking or reading past EOF |
UNIMPLEMENTED | 12 | Operation not implemented / supported / enabled |
INTERNAL | 13 | Internal error (see alert below) |
UNAVAILABLE | 14 | Service unavailable, likely due to a transient condition; usually corrected with a retry |
DATA_LOSS | 15 | Unrecoverable data loss or corruption |
UNAUTHENTICATED | 16 | Request does not have valid authentication credentials needed to perform the operation |
If you receive an internal server error (HTTP 500 or an rpc status = INTERNAL), this could refer to either an error on Token.io's end or an error on the bank's end.
When the bank reports a 5xx error, Token.io sets "token-external-error"= "true" as a header in the HTTP response, indicating that the "internal" error originates from the bank. When one of Token.io's internal services fails or when the bank reports a 4xx error, this header is not populated.
The absence of this response header should be interpreted as "token-external-error"= "false".
The following table gives a general description of the possible HTTP status codes that could be returned in response to API requests to the Token.io platform. These statuses could be related to business logic or system errors.
| Response Code | Description |
|---|---|
| 400 | Bad request, likely client error - FieldError - An error object providing details about an error related to the debtor bank. Possible error code values include:- PanDetectedError - The error object returned when PAN is detected in the submitted initiation payload: PanDetected.- TokenBankError - An error object providing details about an error related to the debtor bank. |
| 401 | Unauthorized request The request does not have valid authentication credentials needed to perform the operation. |
| 403 | Forbidden request/Permission denied The error returned when the member is not authorized to perform the given operation: PermissionDenied. This error message will be accompanied by the reason from the bank. Typically this means the access token has expired and the TPP needs the user to re-authenticate with the bank. |
| 404 | Resource in request not found The error object returned when given payment cannot be found: Resource.NotFound. |
| 429 | Too many requests Resource exhausted. Too many requests. |
| 500 | An unexpected or internal server error This could refer to either an error on Token.io's end or an error on the bank side. When the bank reports a 5xx error, Token.io sets token-external-error = true as a header in the HTTP response, indicating that the "internal" error originates from the bank. When one of Token.io's internal services fails or when the bank reports a 4xx error, this header is not populated. The absence of this response header should be interpreted as token-external-error = false. |
| 501 | The operation was not implemented The operation was not implemented/supported/enabled by the bank. |
| 503 | Service is unavailable Service is unavailable, likely due to a transient condition; this is usually corrected with a retry. |
| 504 | Gateway has timed out The deadline expired before the operation could complete. |
If you'd prefer to receive error responses in JSON format, add the following header to your request:
token-json-error: true
If the request throws an exception/error, the response body will take the following form:
{
"error": {
"code": 504,
"message": "Deadline exceeded",
"token_trace_id": "123456asdf",
"error_origin": "bank"
}
}Error response fields defined:
codeis the server error codemessageis the string equivalent of a gRPC Error Enum listed in the table abovetokenTraceIdis unique to a single request-response flow captured from the originating request and sent across to the bank to be stored with the request throughout its lifecycle. As described in Response headers, it serves primarily as an audit-trail aid and is valuable for debugging the message exchange flow during sandbox testing, as well as for issue resolution in production.error_origin
The following API changes are considered backward compatible, and should be handled by you:
Adding new API endpoints
Adding new properties to the responses from existing API endpoints
Reordering properties returned from existing API endpoints
Adding optional request parameters to existing API endpoints
Altering the format or length of ids
Altering the message attributes returned by validation failures / other errors
Sending webhooks for new event types
To ensure these changes are handled correctly and do not cause failures on your system we recommend all clients utilise a lenient json parser.
If there is a change that does not fall into the areas mentioned above, we consider that to be a breaking change. We will notify you in advance with a Technical Bulletin to give you enough time to make changes on your side, if applicable.
If you have any feedback about the developer documentation, please contact devdocs@token.io