SUPPORT
English (US) Deutsch Español Français (France) Italiano

Articles in this section

See more

Browse Sections

    I'm implementing the re-authentication flow. What should I know?

    TrueLayer Support Team
    Last updated
    Follow

    The re-authentication flow provides a simple path for end-users to follow and reconnect their account after the expiration of the first consent, providing a shorter user journey compared to setting up their account for the first time.

    Main Points

    • The authentication URI is generated by an API call to the /reauthuri endpoint. More info here.
    • The response from the /reauthuri endpoint will return a direct link to the bank. This means that even if you are using the TrueLayer consent page and the TrueLayer Bank Selection Auth Dialog screens, the user will skip those and will be taken directly to the bank page. They will be taken to their bank for authorisation.
    • On the bank side, the user experience is identical to the first time the user authenticated.
    • The redirect_uri needs to be the same one being used in the original authentication link (or direct bank link).
    • The optional state parameter can also be passed in the request body and then will be returned as parameter alongside the redirect_uri to help with user reconciliation.
    • Once the user has authenticated, a code will be received that is going to be exchanged for TrueLayer tokens, just like the first time the user went through the authentication. It’s worth noting that:
      • The credentials_id returned will be consistent (i.e. identical, stable) to the current ones (representing that it’s the same user going through re-authentication.
      • The refresh_token returned will also be identical to the original one.

    Regarding the refresh_token being passed in the reauthuri request

    • refresh_tokens can be utilised to renew the consent for a user whose existing consent period has not expired yet. In this scenario, the consent period is going to be renewed for another 90 days.
    • It can also be used to renew the consent for a user whose existing consent period has expired. In this case, the user’s consent can be renewed as long as it is within 90 days of their previous consent period expiring.

    In other words, a refresh_token is valid for 90 days after being created and still can be used to renew the consent for another 90 days after consent has lapsed.

    Why is it still in beta? What is missing?

    • The /reauthuri endpoint is well tested and has been in use by customers for some time now. It can be considered reliable and stable.

    • Is still marked as Beta because it doesn’t currently support European banks, for example, Caisse d’Epargne (FR) or Sparkasse (DE) that require an additional auth inputs field in the request (see more information here).

    More

    Check out our comprehensive documentation on the /reauthuri endpoint.

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.