Step 5: Accessing protected resources (POST)



Okay. So you've successfully made some GET calls. Let's make a POST call, and dive straight into Payment.

We will do a payment POST example here (POST URL: /banks/BANK_ID/accounts/ACCOUNT_ID/VIEW_ID/transactions). See documentation.


If you created some accounts in Step 1, you should be the owner of those accounts, and can make payments with them. You can also see the BANK_IDs of your private accounts in the GET example in the previous step.


This is the ACCOUNT_ID of the account that you wish to make payment from. You can also see the ACCOUNT_IDs of your private accounts in the GET example in the previous step.


This is the VIEW_ID. You can read about Views in the documentation, but let's default this to "owner" for now.


This is your access_token from the previous step. (This is the access_token from Step 3, and NOT the oauth_token from Step 1 and Step 2. The key is still called oauth_token though.)


This is your Consumer_Key from Step 1.


This is any random string. Nonces are single-use: the API rejects a call whose nonce it has already seen once.


We will come to this in a minute.


This must be set to either HMAC-SHA1 or HMAC-SHA256.


This is the current Unix timestamp; you can look up the live timestamp here.


This is optional, but let's put in 1.0.


Once you have entered all the fields (except oauth_signature), you can click on the button below to generate the Signature Base String.


Signature Base String =

A few notes about the Base String:
- Format: "METHOD" + "&" + urlencoded(url) + "&" + urlencoded(oauth_parameters)
- oauth_parameters: "key1=value1&key2=value2&key3=value3"
- oauth_parameters have to be sorted in ascending key order
- oauth_parameters need to be urlencoded: each key and value is encoded when the string is built, and the whole string is encoded once more when it is joined into the Base String
- URL encoding is case-sensitive: "=" is encoded to "%3D", not "%3d".

With your Base String, we can now create the oauth_signature.
We need the Consumer_Secret we got in Step 1 AND the access_token_secret from the previous step as the HMAC signing key. You should of course never reveal your secret keys to anyone, but this is a sandbox and a tutorial.



This is the access_token_secret we got at the end of the previous step.

With the Base String, and the Consumer_Secret and access_token_secret, we can now generate the signature.

The Signature is constructed with a keyed-hash message authentication code (HMAC) of the Base String message, using Consumer_Secret + "&" + access_token_secret as the key; the raw HMAC digest is then base64-encoded to give the oauth_signature value. Consult your favourite language's documentation for this support.

Important to note that the key is (Consumer_Secret + "&" + access_token_secret), or "cigypcclbz3hurf3af2rgrk2qfjwjqtsborpugei&rk2qfjwjqtsborpugeicigypcclbz3hurf3af2rg" as an example.


Signature =


With the Signature, we can now construct the Authorization header string to make the http call.


Authorization String =
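The whole chain described above (Base String, HMAC signature, Authorization header) as an added Python example; it is not the walkthrough's own code. The two secrets are the sample values quoted above; BANK_ID, ACCOUNT_ID and the VIEW_ID "owner" in the URL are placeholders, and the key parts are percent-encoded as RFC 5849 requires, which changes nothing for plain alphanumeric secrets.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Sample secrets from the worked example above; the URL ids are placeholders.
CONSUMER_SECRET = "cigypcclbz3hurf3af2rgrk2qfjwjqtsborpugei"
TOKEN_SECRET = "rk2qfjwjqtsborpugeicigypcclbz3hurf3af2rg"
URL = "https://apisandbox.openbankproject.com/obp/v1.2.1/banks/BANK_ID/accounts/ACCOUNT_ID/owner/transactions"


def percent_encode(value):
    # RFC 3986 encoding with uppercase hex digits: "=" becomes "%3D", never "%3d".
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params):
    # Keys sorted ascending, each key and value encoded individually...
    normalized = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(oauth_params.items()))
    # ...then METHOD, URL and the whole parameter string are encoded once more and joined with "&".
    # A JSON POST body is not part of the base string (only form-encoded bodies would be).
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def signing_key(consumer_secret, token_secret):
    # Consumer_Secret + "&" + access_token_secret (each part percent-encoded per RFC 5849).
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def sign(base_string, consumer_secret, token_secret, method="HMAC-SHA1"):
    # HMAC of the base string under the signing key, base64-encoded as OAuth 1.0a requires.
    digest = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[method]
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("utf-8"), digest).digest()).decode("ascii")


def authorization_header(oauth_params, signature):
    # Authorization: OAuth key="value", ... with oauth_signature added to the original parameters.
    params = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(params.items()))


def build_request(consumer_key, access_token, nonce, timestamp, method="HMAC-SHA1"):
    # Returns (base_string, signature, header); nonce and timestamp are passed in so a run is reproducible.
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": method,
        "oauth_timestamp": str(timestamp),
        "oauth_token": access_token,  # the access_token from Step 3, still sent under the name oauth_token
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", URL, params)
    sig = sign(base, CONSUMER_SECRET, TOKEN_SECRET, method)
    return base, sig, authorization_header(params, sig)
```

Because the nonce and timestamp are inputs, the same call with a fresh nonce yields a different signature, which is exactly why a replayed request with a reused nonce is rejected.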


Along with the Authorization String, we will also need a Body which might look like this...


With the Authorization String and the POST Body, you can make the call with tools like Fiddler or the Chrome extension Postman.

1) Make sure you are composing a request
2) Make sure you have POST as the method
3) Make sure your API endpoint is https://apisandbox.openbankproject.com/obp/v1.2.1/banks/BANK_ID/accounts/ACCOUNT_ID/VIEW_ID/transactions, or the equivalent endpoint for the BASE-URL you used in the previous steps. Substitute BANK_ID, ACCOUNT_ID and VIEW_ID with the values from the top of this page. Note especially the "/obp/v1.2.1" prefix in the URL
4) Copy and paste the Authorization String into the header, AND make sure you also have "Content-Type: text/json" on a new line in the header
5) Copy and paste the Body text into the Request Body field
6) Execute!


If nothing went wrong, you should get a reply that looks like "{"$outer":{"$outer":{}},"transaction_id":"7ad2bdc9-3a46-40b1-910c-4fdd297c78df"}".

You've successfully completed an authenticated POST call and made a payment.



Congratulations, you've finished the quick walkthrough of 3-legged OAuth authentication and the OBP API.

Did you find a problem with the walkthrough? Or need further help with OAuth or the OBP API? Or want to contribute to this walkthrough? Drop me a line at s
w
eechern@ma
l.com





[See example code in C# for this step] [php example code coming soon]