The re-authentication flow gives end-users a simple path to reconnect their account after the first consent expires: a shorter user journey than setting up their account for the first time.
Main Points
- The authentication URI is generated by an API call to the /reauthuri endpoint. More info here.
- The response from the /reauthuri endpoint returns a direct link to the bank. This means that even if you are using the TrueLayer consent page and the TrueLayer Bank Selection Auth Dialog screens, the user skips those and is taken directly to the bank page for authorisation.
- On the bank side, the user experience is identical to the first time the user authenticated.
- The redirect_uri needs to be the same one used in the original authentication link (or direct bank link).
- The optional state parameter can also be passed in the request body; it is then returned as a parameter alongside the redirect_uri to help with user reconciliation.
- Once the user has authenticated, a code is received that is exchanged for TrueLayer tokens, just like the first time the user went through authentication. It's worth noting that:
  - The credentials_id returned will be consistent (i.e. identical, stable) with the current one, representing that it's the same user going through re-authentication.
  - The refresh_token returned will also be identical to the original one.
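The reconciliation the flow relies on, as an added example that is not TrueLayer's own code or client library: a small Python broker issues the /reauthuri request with refresh_token, redirect_uri and a fresh state, records what it expects, and then accepts the callback only if the state is unused, the redirect_uri matches, and the credentials_id that comes back from the code exchange is the one the user already held. The HTTP POST and the code-for-tokens exchange are injected stand-ins so it runs offline, and the response field name "result" is an assumption.

```python
import secrets
REAUTH_PATH = "/reauthuri"  # endpoint path from the page; host and version prefix are assumed elsewhere

class ReauthBroker:
    """Starts /reauthuri requests and ties each callback to the user who started it."""
    def __init__(self, post):
        # post(path, body) -> dict, injected so this runs offline; real code does an HTTPS POST
        self._post = post
        self._pending = {}  # state -> (redirect_uri, credentials_id); consumed once on callback

    def start(self, user, redirect_uri):
        state = secrets.token_urlsafe(32)  # fresh and unguessable, one per request
        body = {"refresh_token": user["refresh_token"],
                "redirect_uri": redirect_uri, "state": state}
        link = self._post(REAUTH_PATH, body)["result"]  # assumption: the bank link is returned under "result"
        self._pending[state] = (redirect_uri, user["credentials_id"])
        return link

    def complete(self, params, redirect_uri, exchange_code):
        # exchange_code(code) -> token dict, a stand-in for the usual code-for-tokens exchange
        pending = self._pending.pop(params.get("state", ""), None)
        if pending is None:
            raise ValueError("unknown or already-used state")
        expected_redirect, expected_cred = pending
        if expected_redirect != redirect_uri:
            raise ValueError("callback arrived on a different redirect_uri")
        tokens = exchange_code(params["code"])
        if tokens.get("credentials_id") != expected_cred:
            raise ValueError("credentials_id differs from the user who started re-auth")
        return tokens

def rejected(fn):
    try:
        fn()
        return False
    except ValueError:
        return True

def demo():
    # Constructed stand-ins: bank link and token responses are fabricated; no network is used
    post = lambda path, body: {"result": "https://bank.example/authorise?state=" + body["state"]}
    exchange = lambda code: {"credentials_id": "cred-123", "refresh_token": "rt-original"}
    broker, cb = ReauthBroker(post), "https://app.example/callback"
    user = {"credentials_id": "cred-123", "refresh_token": "rt-original"}
    state = broker.start(user, cb).split("state=")[1]
    tokens = broker.complete({"code": "c1", "state": state}, cb, exchange)
    replay = rejected(lambda: broker.complete({"code": "c1", "state": state}, cb, exchange))
    state2 = broker.start(user, cb).split("state=")[1]
    other = lambda code: {"credentials_id": "cred-999"}  # a different user's credentials came back
    mismatch = rejected(lambda: broker.complete({"code": "c2", "state": state2}, cb, other))
    return {"tokens": tokens, "replay_rejected": replay, "mismatch_rejected": mismatch}
```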
Regarding the refresh_token being passed in the reauthuri request
- refresh_tokens can be used to renew the consent for a user whose existing consent period has not expired yet. In this scenario, the consent period is renewed for another 90 days.
- They can also be used to renew the consent for a user whose existing consent period has expired. In this case, the user's consent can be renewed as long as it is within 90 days of their previous consent period expiring.
In other words, a refresh_token is valid for 90 days after being created and can still be used to renew the consent for another 90 days after consent has lapsed.
Why is it still in beta? What is missing?
- The /reauthuri endpoint is well tested and has been in use by customers for some time now. It can be considered reliable and stable.
- It is still marked as Beta because it doesn't currently support European banks, for example Caisse d'Epargne (FR) or Sparkasse (DE), which require an additional auth inputs field in the request (see more information here).
More
Check out our comprehensive documentation on the /reauthuri endpoint.