All APIs are protected by OAuth2 authorization. To receive authorization and access tokens, the PSU has to give consent for the application to access his resources; in the case of funds confirmation services, these are accounts funds confirmation. The TPPs that are allowed to provide funds confirmation services according to PSD are called Card Based Payment Instrument Issuers (CBPII), and this particular flow is normally, but not only, used for card accounts, to confirm funds before payment.
According to the PSD2 directive, the PSU has to give his consent for a TPP to be able to access the funds confirmation services API. However, it is not specified exactly how this should be done. It is further assumed, based on current industry practices, that a valid way of giving consent might be out of band, i.e. based on an agreement between TPP, PSU and bank outside the scope of the API.
Taking into account the generic consideration above regarding consent, the STET specification allows funds confirmation consent to be given in two distinct ways:
LUXHUB supports both approaches described above; please refer to the diagram below for details.
The Berlin Group specification, in its current implementation (1.3), considers the consent for funds confirmation services as out of scope for the XS2A API. Therefore, the only approach supported is the one based on the Client Credentials flow, and this is not part of the Berlin Group specifications.
However, recognizing the market's need, LUXHUB also supports an approach similar to the one supported by the STET specification, based on a dedicated scope for funds confirmation services consent and the Authorization Code grant. The scope requested should be "PIIS". In this approach, the PSU will be able to authorize the consent for funds confirmation using SCA, within a flow similar to the one for account information services consent. Please note that the CBPII consent is not to be mixed with AISP consent, neither business-wise nor technically, as in OAuth2 scopes.
Please refer to the diagram above for details; note that the technical scope is named "PIIS" in the Berlin Group implementation, as opposed to "cbpii" in STET.
Furthermore, please note that with this type of flow only consent for funds confirmation for ALL eligible accounts is possible, not consent for a specific account. The same holds for the STET standard as described above.
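The scope rules above, as an added example that is not LUXHUB's own code: a sketch of how an authorization endpoint or gateway could check that a funds confirmation consent request uses the scope name of its standard, uses the Authorization Code grant, and does not mix in AISP scope. The AIS scope names (`AIS`, `aisp`), the `standard` labels and the `auth.example.test` URLs are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Funds confirmation scope per standard, as named on this page.
FUNDS_SCOPE = {"berlin-group": "PIIS", "stet": "cbpii"}
# Assumption: AIS scope names; replace with the provider's actual values.
AIS_SCOPES = {"berlin-group": {"AIS"}, "stet": {"aisp"}}


def check_funds_confirmation_request(standard: str, authorize_url: str) -> list[str]:
    """Return policy violations for an authorization request; empty list means acceptable."""
    if standard not in FUNDS_SCOPE:
        return [f"unknown standard: {standard!r}"]
    query = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)

    # Duplicate parameters are ambiguous, so reject them instead of picking one value.
    problems = [f"{name} must appear exactly once"
                for name in ("response_type", "scope")
                if len(query.get(name, [])) != 1]
    if problems:
        return problems

    if query["response_type"][0] != "code":
        problems.append("scope-based consent uses the Authorization Code grant "
                        "(response_type=code)")

    scopes = query["scope"][0].split()  # OAuth2 scope is a space-delimited list
    expected = FUNDS_SCOPE[standard]
    if expected not in scopes:
        # Scope values are case-sensitive, and "cbpii" is not valid where "PIIS" is expected.
        problems.append(f"expected scope {expected!r} for {standard}, got {scopes}")
    mixed = AIS_SCOPES[standard].intersection(scopes)
    if mixed:
        problems.append(f"CBPII consent must not be mixed with AISP scope: {sorted(mixed)}")
    return problems


# Constructed sample requests (hypothetical endpoint and client_id).
BASE = "https://auth.example.test/authorize?client_id=tpp-demo&response_type=code&scope="
SAMPLES = [("berlin-group", BASE + "PIIS"),      # accepted
           ("berlin-group", BASE + "PIIS%20AIS"),  # mixed with AISP scope
           ("berlin-group", BASE + "cbpii"),     # STET scope name on a Berlin Group API
           ("stet", BASE + "cbpii")]             # accepted

if __name__ == "__main__":
    for standard, url in SAMPLES:
        print(standard, url.split("scope=")[1], check_funds_confirmation_request(standard, url))
```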
Recently, Berlin Group published the so-called "Extended value-added services" documentation, which includes a proposal for handling consent for funds confirmation via a dedicated API. However, the API specification for this is still under review and no reliable version has been published.
As such, very few LUXHUB API providers have implemented this version 2 API from Berlin Group. Please refer to the documentation above for details of the functionality. In a nutshell, the flow is very similar to the one for Accounts Information Services consent, but with a consent request data structure closer to that of payment initiation, i.e. the actual account for which the funds confirmation consent request is received is included in the request body. There is, of course, a dedicated OAuth2 scope for this purpose, i.e. PIS for the Client Credentials grant to obtain a consent and, respectively, PIIS: for the Authorization Code grant for consent authorization, where the consent identifier is obtained as a result of the preceding POST /consents/funds-confirmation request.