For HSBC, it is important to note that:
- You can only request transactions older than 90 days during the first 60 minutes of consent;
-
Only the first
access_token
is valid to request the above.
Both points above are a design choice from the bank.
Solution
Make sure not to refresh any HSBC access_tokens
until you retrieve all the data you need.
The flow should be as follows:
- User authenticates;
- You receive an
authorization_code
; - You exchange the code above and receive a pair of
access_token
andrefresh_token
. Do not refresh tokens at this point; - You can retrieve
/accounts
,/balance
and/transactions
(plus any other necessary endpoints);
Refresh tokens if needed to request more data in the future.
As long as the initial token is maintained during the initial /transactions
requests, you should not have a problem requesting historical data.
More
Understand more about SCA limitations in this article.
See all UK banks SCA validity window in the section "What banks and PSPs are supported in the Data API in the UK? 🇬🇧"