
Consent frequency validation

General information

The Berlin Group standard defines the frequencyPerDay parameter as the requested maximum frequency per day for an access without PSU involvement.

The frequency needs to be greater than or equal to one.

In order to identify whether the PSU is involved in the request or not, the PSU-IP-Address has to be added to the request header for all GET Account Data requests.

The forwarded IP Address header field consists of the corresponding HTTP request IP address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.

There is a default time slot of 5 minutes (depending on the bank configuration), starting from the first request, during which the XS2A server does not count requests against frequencyPerDay. This allows the retrieval of multiple accounts and account data without involving the PSU. Otherwise, frequencyPerDay would not be sufficient if a PSU has multiple accounts.

Validation rules

XS2A validates the access frequency for a consent if a request to XS2A AIS doesn't contain the PSU-IP-Address header.

XS2A checks the validity of the IP address value (at least with a regular expression).

Consent frequency is only validated during the calls to /accounts endpoints!

Examples of XS2A behavior

Example 1

Prerequisites

  1. Consent status = valid.

  2. Consent frequency = 4.

Case

Within one day, XS2A has received 4 requests to AIS with the given consent, and all 4 requests contain the header PSU-IP-Address with a valid IP address.

Later the same day, XS2A receives a 5th request to AIS with the given consent.

Result

On the same day, XS2A doesn't reject the 5th request to AIS with the given consent, regardless of whether the PSU-IP-Address header is present or not.

Example 2

Prerequisites

  1. Consent status = valid.

  2. Consent frequency = 4

Case

Within one day, XS2A has received 6 requests to AIS with the given consent:

  • 2 requests contain the header PSU-IP-Address with a valid IP address.

  • 4 requests don't contain the header PSU-IP-Address.

Later the same day, XS2A receives 1 more request to AIS with the given consent that contains the header PSU-IP-Address with a valid IP address.

Result

XS2A doesn't reject this request.

Example 3

Prerequisites

  1. Consent status = valid.

  2. Consent frequency = 4

Case

Within one day, XS2A has received 6 requests to AIS with the given consent:

  • 2 requests contain the header PSU-IP-Address with a valid IP address.

  • 4 requests don't contain the header PSU-IP-Address.

Later the same day, XS2A receives 1 more request to AIS with the given consent that doesn't contain the header PSU-IP-Address with a valid IP address.

Result

XS2A rejects it with HTTP status code 429 and a corresponding error message.
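
The validation rules and the three examples above, modelled as an added Python sketch (not XS2A's own code). The names ConsentUsage, check and replay are hypothetical. Assumptions: a counted request opens the 5-minute slot and further header-less requests inside it are not counted again, an invalid PSU-IP-Address yields 400, and an /accounts endpoint is recognised by an "accounts" path segment.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime, timedelta

GRACE = timedelta(minutes=5)  # default time slot; bank-configurable per the page


@dataclass
class ConsentUsage:
    """Per-consent counter of accesses made without PSU involvement."""
    frequency_per_day: int
    day: date = None               # calendar day the counter belongs to
    used: int = 0                  # counted header-less accesses on that day
    window_start: datetime = None  # start of the current uncounted time slot

    def check(self, path, headers, now):
        """Return the HTTP status the frequency validation would yield."""
        if "accounts" not in path.strip("/").split("/"):
            return 200                    # only /accounts calls are frequency-checked
        ip = headers.get("PSU-IP-Address")
        if ip is not None:
            try:
                ipaddress.ip_address(ip)  # full parse instead of a regexp-only check
            except ValueError:
                return 400                # assumption: the page names no status here
            return 200                    # PSU involved: not counted
        if self.day != now.date():        # new day: reset counter and time slot
            self.day, self.used, self.window_start = now.date(), 0, None
        if self.window_start is not None and now - self.window_start < GRACE:
            return 200                    # inside the time slot: not counted again
        if self.used >= self.frequency_per_day:
            return 429                    # limit exhausted, as in Example 3
        self.used += 1
        self.window_start = now
        return 200


def replay(frequency, requests):
    """requests: constructed (minutes after 08:00, PSU-IP-Address or None) pairs."""
    usage, start = ConsentUsage(frequency), datetime(2024, 1, 1, 8, 0)
    return [usage.check("/v1/accounts", {"PSU-IP-Address": ip} if ip else {},
                        start + timedelta(minutes=m)) for m, ip in requests]
```
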
