openapi: "3.0.0" info: title: "Account Aggregation User Consent API" version: "1.0" contact: name: "3rd Party Aggregation" url: "https://developer.chase.com/?id=aggregation" email: "ThirdParty.Support@chase.com" servers: - url: "https://api2-oauth.chase.com" description: "Production API Gateway (oauth)" - url: "https://api2-oauth-qa01.chase.com" description: "QA API Gateway 1 (oauth)" - url: "https://api-oauth-qa02.chase.com" description: "QA API Gateway 2 (oauth)" - url: "https://api2-oauth-qa05.chase.com" description: "QA API Gateway 5 (oauth)" - url: "https://api-oauth-qa07.chase.com" description: "QA API Gateway 7 (oauth)" paths: /aggregator-oauth/v1/ping: get: tags: - "Client Authentication" summary: "Heath checks on the OAuth API." description: "Used to perform health checks on the OAuth API." parameters: - in: "header" name: "client-id" schema: type: "string" required: true description: "Application client ID" responses: "200": description: "OK" "401": description: "Missing or invalid client ID" content: application/json: schema: $ref: "#/components/schemas/GenericErrorResponse" examples: Missing or invalid client ID: value: error: "invalid_client" "500": description: "Internal Server Error" content: application/json: schema: $ref: "#/components/schemas/GenericErrorResponse" examples: Internal Server Error: value: error: "internal_server_error" /aggregator-oauth/v1/authorize: get: tags: - "Client Authentication" summary: "Request authorization from user for application data access" operationId: "oauthAuthorizationRedirect" description: "Prompts user to login to Chase and provide consent to access accounts and data elements. The user will be redirected to the specified URL upon completion.\n" parameters: - in: "query" name: "response_type" required: true schema: type: "string" description: 'Should always be set to "code"' - in: "query" name: "client_id" required: true schema: type: "string" description: "Application client ID" - in: "query" name: "redirect_uri" required: true schema: type: "string" description: "URI used by the Chase UI to redirect the user after authorization" - in: "query" name: "state" required: true schema: type: "string" description: "Value used to prevent cross-site forgery and recreate expired sessions." - in: "query" name: "scope" required: true schema: type: "string" description: 'Should always be set to "aggregator"' responses: "302": description: "User's browser is redirected to Chase's authentication page" headers: location: schema: type: "string" format: "url" example: "https://www.chase.com/oauth" description: "Chase client authentication URL" "400": description: "Mising or invalid redirect URI" content: text/html: examples: Mising or invalid redirect URI: value: "Access Denied

Invalid Request : Access Denied

\n" "401": description: "Missing or invalid client ID" content: text/html: examples: Missing or invalid client id: value: "Unauthorized

Unauthorized Client

\n" callbacks: Missing or Invalid response_type or scope: "{$request.query.redirect_uri}": get: parameters: - in: "query" name: "error" schema: type: "string" enum: - "unsupported_response_type" - "server_error" description: "Error code" - in: "query" name: "error_description" schema: type: "string" description: "Error description" - in: "query" name: "state" schema: type: "string" description: "State value provided in the original client authorization call. Used to prevent cross-site forgery and resume expired sessions." responses: "200": description: "Acknowledged" Client Successfully Authorized: "{$request.query.redirect_uri}": get: parameters: - in: "query" name: "code" required: true schema: type: "string" example: "AAJWsnOTOuRF1K7MX1c2R3R_REDACT" description: "Authorization code" - in: "query" name: "state" required: true schema: type: "string" example: "DIFFICULT_TO_GUESS_STATE_VALUE" description: "State value provided in the original client authorization call. Used to prevent cross-site forgery and resume expired sessions." - in: "query" name: "authorization2" required: true schema: type: "string" description: "Chase unique customer token. Most likely an unused value." responses: "200": description: "Server accepts the client's browser redirect and continues the authentication flow" "303": description: "Server accepts the client's browser redirect and continues the authentication flow" /aggregator-oauth/v1/mobile/authorize: get: tags: - "Client Authentication" summary: "Request authorization from user for application data access" operationId: "mobileOAuthAuthorizationRedirect" description: "Prompts user to login to Chase and provide consent to access accounts and data elements. The user will be redirected to the registered redirect URL for the application upon completion of the consent flow\n\nThis URL should be launched from within a browser or a secure web container such as [SFSafariViewController](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller) or [Chrome Custom Tabs](https://developer.chrome.com/multidevice/android/customtabs). This URL should not be launched within insecure containers that allow the mobile app to intercept user input and thus intercepting user credentials.\n\nThe Chase mobile app, when installed, will intercept this endpoint to deliver the consent experience in the native mobile application.\n\n*Note: The Chase mobile app will launch the redirect using the OS defined default browser. If a non-default browser was used to launch the consent flow, the redirect will occur within the OS defined default browser that does not have the original browser session. The client must reconstruct the browser session using the `state` parameter.*\n" parameters: - in: "query" name: "response_type" required: true schema: type: "string" description: 'Should always be set to "code"' - in: "query" name: "client_id" required: true schema: type: "string" description: "Application client ID" - in: "query" name: "redirect_uri" required: true schema: type: "string" description: "URI used by the Chase UI to redirect the user after authorization" - in: "query" name: "state" required: true schema: type: "string" description: "Value used to prevent cross-site forgery and recreate expired sessions." - in: "query" name: "scope" required: true schema: type: "string" description: 'Should always be set to "aggregator"' responses: "302": description: "User's browser is redirected to Chase's authentication page" headers: location: schema: type: "string" format: "url" example: "https://www.chase.com/oauth" description: "Chase client authentication URL" "400": description: "Mising or invalid redirect URI" content: text/html: examples: Mising or invalid redirect URI: value: "Access Denied

Invalid Request : Access Denied

\n" "401": description: "Missing or invalid client ID" content: text/html: examples: Missing or invalid client id: value: "Unauthorized

Unauthorized Client

\n" callbacks: Missing or Invalid response_type or scope: "{$request.query.redirect_uri}": get: parameters: - in: "query" name: "error" schema: type: "string" enum: - "unsupported_response_type" - "server_error" description: "Error code" - in: "query" name: "error_description" schema: type: "string" description: "Error description" - in: "query" name: "state" schema: type: "string" description: "State value provided in the original client authorization call. Used to prevent cross-site forgery and resume expired sessions." responses: "200": description: "Acknowledged" Client Successfully Authorized: "{$request.query.redirect_uri}": get: parameters: - in: "query" name: "code" required: true schema: type: "string" example: "AAJWsnOTOuRF1K7MX1c2R3R_REDACT" description: "Authorization code" - in: "query" name: "state" required: true schema: type: "string" example: "DIFFICULT_TO_GUESS_STATE_VALUE" description: "State value provided in the original client authorization call. Used to prevent cross-site forgery and resume expired sessions." - in: "query" name: "authorization2" required: true schema: type: "string" description: "Chase unique customer token. Most likely an unused value." responses: "200": description: "Server accepts the client's browser redirect and continues the authentication flow" "303": description: "Server accepts the client's browser redirect and continues the authentication flow" /aggregator-oauth/v1/token: post: tags: - "Client Authentication" summary: "Retrieve user token for application" operationId: "oauthGetApplicationToken" description: "Returns a user access token that is valid for 15 minutes and refresh token is valid for 90 days. Every time a new user access token is provisioned for an app user, a new and refreshed aggregator token is also provisioned for your aggregator.\n\nClient Authentication:\n\n- Clients should authenticate using HTTP Basic Authentication. For example, Authorization: Basic Base64Encode(\"client_id\":\"client_secret\"). This is RECOMMENDED. \n- Alternatively, they may post their client_id and client_secret information as a formData parameter. This is NOT RECOMMENED and is limited to clients unable to directly utilize the HTTP Basic Authentication Scheme.\n\nThe table below indicates the required parameters for each specific grant_type options. Empty cells indicate a parameter is ignored for that specific grant type.\n\n| grant_type | authorization_code | refresh_token |\n|---------------|--------------------|---------------|\n| client_id | required* | required* |\n| client_secret | required* | required* |\n| code | required | |\n| redirect_uri | required | |\n| refresh_token | | required |\n" requestBody: required: true content: application/x-www-form-urlencoded: schema: $ref: "#/components/schemas/RetrieveApplicationTokenRequest" responses: "200": description: "Valid token" content: application/json: schema: $ref: "#/components/schemas/RetrieveApplicationTokenResponse" "400": description: "Missing or invalid code, refresh_token, grant_type or redirect_uri" content: application/json: schema: $ref: "#/components/schemas/GenericErrorResponse" examples: Missing or invalid code: value: error: "invalid_grant" Missing or invalid grant_type: value: error: "invalid_request" error_description: "Invalid request" Missing or invalid redirect_uri: value: error: "invalid_grant" "401": description: "Invalid client_id or client_secret" content: application/json: schema: $ref: "#/components/schemas/GenericErrorResponse" examples: Invalid client_id or client_secret: value: error: "invalid_client" /aggregator-oauth/v1/revoke: post: tags: - "Client Authentication" summary: "Revoke application access token" description: "\nA user can choose to revoke access via Account Safe on Chase.com at anytime, revoking the token automatically. Access to the user's data can be self-revoked by using this call.\n\nA valid application token is required. The revocation of the access/refresh token is immediate and new access/refresh tokens cannot be granted. The user will be required to reinitiate the OAuth process to generate a new application token.\n\nClient Authentication:\n\n- Clients should authenticate using HTTP Basic Authentication. For example, Authorization: Basic Base64Encode(\"client_id\":\"client_secret\"). This is RECOMMENDED. \n- Alternatively, they may post their client_id and client_secret information as a formData parameter. This is NOT RECOMMENED and is limited to clients unable to directly utilize the HTTP Basic Authentication Scheme.\n" parameters: - in: "header" name: "Authorization" schema: type: "string" required: true description: 'Basic ' requestBody: required: true content: application/x-www-form-urlencoded: schema: type: "object" required: - "token" properties: client_id: type: "string" description: "Application client ID, must be provided using HTTP Basic Authentication." client_secret: type: "string" description: "Application client secret, must be provided using HTTP Basic Authentication." token: type: "string" description: "Token to revoke" token_type_hint: type: "string" enum: - "access_token" - "refresh_token" description: "Token hint type. Should be access_token or refresh_token." responses: "200": description: "OK" "400": description: "Missing or invalid code, refresh_token, grant_type or redirect_uri" content: application/json: schema: $ref: "#/components/schemas/GenericErrorResponse" examples: Null or empty token: value: error: "invalid_request" "401": description: "Invalid client_id or client_secret" content: application/json: schema: $ref: "#/components/schemas/GenericErrorResponse" examples: Invalid client_id or client_secret: value: error: "invalid_client" components: schemas: RetrieveApplicationTokenRequest: type: "object" properties: grant_type: type: "string" enum: - "authorization_code" - "refresh_token" description: "Type of grant used to generate the application token" code: type: "string" description: "'code' value from the authorize endpoint callback. Required if grant_type is set to authorization_code" refresh_token: type: "string" description: "'refresh_token' from a previous call to this endpoint. Required if grant_type is set to refresh_token" client_id: type: "string" description: "Application client ID, must be provided using HTTP Basic Authentication." client_secret: type: "string" description: "Application client secret, must be provided using HTTP Basic Authentication." redirect_uri: type: "string" format: "url" description: "URI to send the token response to. Required if grant_type is set to authorization_code" required: - "grant_type" - "client_id" - "client_secret" example: grant_type: "authorization_code" code: "AAJWsnOTOuRF1K7MX1c2R3R_REDACT" client_id: "XYZAB12321VBF" client_secret: "SUPER_SECRET" redirect_uri: "https://localhost:5015/" RetrieveApplicationTokenResponse: type: "object" properties: token_type: type: "string" description: "Type of token. Should always be 'bearer'" example: "bearer" access_token: type: "string" description: "Access token" example: "AAIEVFRBWNbgIyVtsc7mUj8f..." expires_in: type: "number" description: "Number of seconds the access token is valid for" example: 259200 refresh_token: type: "string" description: "Token used to refresh" example: "AAJBNy8U9UTEfJee8X1Rv2uoa0b73..." refresh_token_expires_in: type: "string" description: "Number of seconds the refresh token is valid for" example: 31536000 GenericErrorResponse: type: "object" required: - "error" properties: error: type: "string" description: "Error code" example: "invalid_grant" error_description: type: "string" description: "Description of the error" example: "Invalid Request"