Account Aggregation User Consent

Obtains a customer's consent to access their data

Overview

The User Consent API uses 3-legged OAuth to obtain a user's consent for an aggregator to access data on the app's behalf. A successful user consent results in an access token being created and shared with the aggregator. The token can then be used to access data on behalf of the consenting user.

Key features and benefits

  • Obtain user consent
  • Revoke user consent
  • Refresh token

How it works

[Diagram: Account Aggregation User Consent API flow]

  1. Initiate consent

    Redirect the user to GET /aggregator-oauth/v1/mobile/authorize. If the Chase mobile app is installed, it will intercept the URL and the user will complete consent in the app. If the app is not installed, the user will complete consent within a browser.

  2. Receive callback

    Upon completion of consent, the user is redirected back to the specified redirect URL. If the user agrees to share data with the app, the callback URL will receive a temporary token in the code GET parameter.

    NOTE: The redirect URL must be registered for the app. Multiple redirect URLs cannot be registered for a single app.

  3. Retrieve data access token

    The temporary token must be used to retrieve the Data Access Token using POST /aggregator-oauth/v1/token. This call will return the access_token along with a refresh_token.

    Example response:

        {
            "token_type": "bearer",
            "access_token": "AAIEVFRBWNbgIyVtsc7mUj8f...",
            "expires_in": 259200,
            "consented_on": 1546546773,
            "scope": "aggregator",
            "refresh_token": "AAJBNy8U9UTEfJee8X1Rv2uoa0b73...",
            "refresh_token_expires_in": 31536000
        }

  4. Refresh the data access token

    The Data Access Token is valid for a limited amount of time (typically, 15 minutes). The aggregator is responsible for renewing the Data Access Token before the Refresh Token expires using POST /aggregator-oauth/v1/token. The expiration times of the Data Access Token and the Refresh Token are provided in the previous POST /aggregator-oauth/v1/token response (expires_in and refresh_token_expires_in).

    If the Refresh Token expires, the user must be redirected back to the consent flow in order to re-obtain the Data Access and the Refresh Tokens.

  5. Revoking consent

    The POST /aggregator-oauth/v1/revoke endpoint can be used to revoke a valid access token. This endpoint can be invoked if a user discontinues the use of an application.
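The five steps above form one client-side procedure: build the authorize redirect, pull the temporary token out of the callback, exchange it, keep the Data Access Token fresh until the Refresh Token runs out, and revoke when the app is done. The example below is added here and is not Chase's code. The endpoint paths and the sample token response come from this page; the host name, the client_id/state/redirect_uri query parameters, the form fields sent to the token and revoke endpoints, and the 60-second refresh margin are assumptions (standard OAuth 2.0 conventions, not values documented on this page). The HTTP layer is injected so the flow runs offline against a constructed fake that returns the page's sample response.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Paths are the ones named on the page; the host is a placeholder (assumption).
BASE_URL = "https://api.example.invalid"
AUTHORIZE_PATH = "/aggregator-oauth/v1/mobile/authorize"
TOKEN_PATH = "/aggregator-oauth/v1/token"
REVOKE_PATH = "/aggregator-oauth/v1/revoke"
REFRESH_MARGIN_SECONDS = 60  # renew a little early so data calls never race expiry (design choice)


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: int   # absolute Unix time
    refresh_expires_at: int  # absolute Unix time

    @classmethod
    def from_response(cls, body: dict, received_at: int) -> "TokenSet":
        # expires_in values are relative lifetimes in seconds; anchor them to receipt time.
        return cls(body["access_token"], body["refresh_token"],
                   received_at + int(body["expires_in"]),
                   received_at + int(body["refresh_token_expires_in"]))

    def access_usable(self, now: int) -> bool:
        return now < self.access_expires_at - REFRESH_MARGIN_SECONDS

    def refresh_usable(self, now: int) -> bool:
        return now < self.refresh_expires_at


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    # Step 1: send the user here; an installed Chase mobile app intercepts it. The query
    # parameters are standard OAuth 2.0 ones (assumption; the page does not list them).
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"{BASE_URL}{AUTHORIZE_PATH}?{query}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    # Step 2: the temporary token arrives in the `code` GET parameter. Comparing state ties
    # the callback to the session that started the flow (standard OAuth 2.0 CSRF protection;
    # that the endpoint echoes state back is an assumption).
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("callback state does not match the initiated flow")
    if "code" not in params:
        raise ValueError("no code in callback: the user did not grant consent")
    return params["code"][0]


class ConsentClient:
    """Aggregator-side token lifecycle: exchange, refresh, revoke."""

    def __init__(self, client_id: str, redirect_uri: str, post: Callable[[str, dict], dict]):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.post = post  # injected HTTP POST so the example runs offline

    def exchange_code(self, code: str, now: int) -> TokenSet:
        # Step 3: temporary token -> Data Access Token + Refresh Token. Form fields follow
        # RFC 6749 (assumption; the page does not specify them).
        body = self.post(TOKEN_PATH, {"grant_type": "authorization_code", "code": code,
                                      "redirect_uri": self.redirect_uri, "client_id": self.client_id})
        return TokenSet.from_response(body, now)

    def ensure_access(self, tokens: TokenSet, now: int) -> Optional[TokenSet]:
        # Step 4: reuse while valid, refresh near expiry, and return None once the Refresh
        # Token has also expired, meaning the user must go through consent again.
        if tokens.access_usable(now):
            return tokens
        if not tokens.refresh_usable(now):
            return None
        body = self.post(TOKEN_PATH, {"grant_type": "refresh_token", "client_id": self.client_id,
                                      "refresh_token": tokens.refresh_token})
        return TokenSet.from_response(body, now)

    def revoke(self, tokens: TokenSet) -> None:
        # Step 5: invalidate the access token when the app no longer needs it.
        self.post(REVOKE_PATH, {"token": tokens.access_token, "client_id": self.client_id})


# Constructed stand-in for the token endpoint: answers every token request with the page's
# sample response and records what was sent, so the whole flow runs without a network.
SAMPLE_TOKEN_RESPONSE = {"token_type": "bearer", "access_token": "AAIEVFRBWNbgIyVtsc7mUj8f...",
                         "expires_in": 259200, "consented_on": 1546546773, "scope": "aggregator",
                         "refresh_token": "AAJBNy8U9UTEfJee8X1Rv2uoa0b73...",
                         "refresh_token_expires_in": 31536000}


def make_fake_transport(calls: list) -> Callable[[str, dict], dict]:
    def post(path: str, form: dict) -> dict:
        calls.append((path, dict(form)))
        return dict(SAMPLE_TOKEN_RESPONSE) if path == TOKEN_PATH else {}
    return post
```

Typical use: call build_authorize_url with a fresh random state and store that state in the user's session, pass the callback URL and the stored state to parse_callback, hand the returned code to ConsentClient.exchange_code, and before every data request call ensure_access with the current time. A None from ensure_access is the signal described in step 4: the Refresh Token is gone and the user has to be sent back through consent rather than the aggregator retrying the token endpoint. Storing absolute expiry timestamps at receipt time, rather than the relative expires_in values, is what makes that decision reliable across restarts.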

Use cases

  1. Chase customer chooses to share their financial data:

    A Chase customer will start from within a fintech app and choose to link their Chase accounts with the fintech app. The fintech app will request user consent. The customer will choose which accounts to share and agree to share the accounts. Upon a successful consent, the aggregator will be provided a Data Access and a Refresh Token used to request the customer's data on the fintech app's behalf.

  2. Chase customer revokes consent from Account Safe:

    A Chase customer can choose to revoke consent for an app from the Account Safe page accessible within web and mobile. Immediately, the Data Access Token and the Refresh Token associated with the app will become inactive. API calls will fail. The Chase customer will need to redo consent if they would like the fintech app to regain access.

  3. Chase customer changes consent from Account Safe:

    A Chase customer can make changes to the consent by adding or removing accounts shared with the fintech app. The token will not change, but the accounts that the token will provide access to will.

  4. Aggregator revokes the data access token:

    An aggregator can choose to revoke access for a fintech app by making the appropriate API call. Reasons include, but are not limited to, a data breach, the aggregator offboarding a fintech app, the user closing their fintech app account, or the user stating that the app should no longer access their data.
