The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded Agent header field of the HTTP request between PSU and TPP, if available.

HTTP method used at the PSU ? TPP interface, if available. Valid values are:

• GET
• POST
• PUT
• PATCH
• DELETE

UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID needs to be unaltered until removal from device.

The forwarded Geo Location of the corresponding http request between PSU and TPP if available.

Client ID of the PSU in the ASPSP client interface. Might be mandated in the ASPSP's documentation. It might be contained even if an OAuth2 based authentication was performed in a pre-step or an OAuth2 based SCA was performed in an preceding AIS service in the same session. In this case the ASPSP might check whether PSU-ID and token match, according to ASPSP documentation.

Type of the PSU-ID, needed in scenarios where PSUs have several PSU-IDs as access possibility. In this case, the mean and use are then defined in the ASPSP's documentation.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

A comma separated list of attributes, where the first entry will have a higher priority than the next or to every SCA Approach which is not indicated at all, e.g. "decoupled, redirect, embedded" or "decoupled" This attribute may be ignored by the ASPSP

URI of the TPP, where the transaction flow shall be redirected to after a Redirect. Mandated for the Redirect SCA Approach. It is recommended to always use this header field.

If this URI is contained, the TPP is asking to redirect the transaction flow to this address instead of the Client-Redirect-URI in case of a negative result of the redirect SCA method. This might be ignored by the ASPSP.

If it equals "true", the API Client prefers to start the authorisation process separately, e.g. because of the usage of a signing basket or because of asynchronous authorisation. This preference might be ignored by the ASPSP, if a signing basket is not supported as functionality or if asynchronous authorisation is not supported. If it equals "false" or if the parameter is not used, there is no preference of the API Client. This especially indicates that the API Client assumes a direct authorisation of the transaction in the next step, without using a signing basket.

URI for the Endpoint of the Client API to which the status of the resource should be sent. This header field may by ignored by the ASPSP if the resource status push function is not supported for the related API client.

The string has the form status=X1, ..., Xn where Xi is one of the constants SCA, PROCESS, LAST and where constants are not repeated. The usage of the constants supports the of following semantics: SCA: A notification on every change of the scaStatus attribute for all related authorisation processes is preferred by the API Client. PROCESS: A notification on all changes of consentStatus or transactionStatus attributes is preferred by the API Client. LAST: Only a notification on the last consentStatus or transactionStatus as available in the XS2A interface is preferred by the API Client. This header field may be ignored, if the ASPSP does not support resource notification services for the related API Client.

true: The client requests the ASPSP to perform a VOP check, where applicable. false: The API Client requests the ASPSP not to perform a VOP check.
Reasons for this are e.g. that the API client has already performed the VOP check in a TPP scenario or is requiring an opt out in a direct access scenario.
The related VOP check could have been performed up front via the dedicated VOP API, if provided by the ASPSP. not used: The API Client does not request to perform a VOP request. An ASPSP may ignore this header

This attribute contains the X-Request-ID of the related request on the dedicated VOP API. This attribute might be ignored by the ASPSP. If the ASPSP offers the dedicated VOP API, it might mandate the usage of this attribute via the ASPSP documentation and then make the usage of this attribute mandatory, if applicable to the related payment product and if VOP has not been opted out.

This header might be used by API Clients to inform the ASPSP about the brand used by the API Client towards the PSU. This information is meant for logging entries to enhance communication between ASPSP and PSU or ASPSP and API Client. This header might be ignored by the ASPSP.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

ID of the request, unique to the call, as determined by the initiating party.

Indicates the signature profile used for signing (parts of) the body. Shall be used if the body is signed.

Indicates the encryption profile used for the encryption of (parts of) the body.

Contains a List of names of data elements/ attributes of the body which contain encrypted information

This data element may be contained, if the payment initiation transaction is part of a session, i.e. combined AIS/PIS service. This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.

The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP. If not available, the TPP shall use the IP Address used by the TPP when submitting this request.

Set of elements used to reference a payment instruction.

Specifies the means of payment that will be used to move the amount of money. Usage: Only used for cross-border transactions. If no paymentMethod is explicitly stated, paymentMethod will be interpreted as TRF (Credit Transfer).

Amount of money to be moved between the debtor and creditor, before deduction of charges, expressed in the currency as ordered by the initiating party.

Unambiguous identification of the account of the creditor to which a credit entry will be posted as a result of the payment transaction.

Financial institution servicing an account for the creditor.

Party to which an amount of money is due.

Ultimate party to which an amount of money is due.

Information supplied to enable the matching/reconciliation of an entry with the items that the payment is intended to settle, such as commercial invoices in an accounts' receivable system, in an unstructured form.

The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded Agent header field of the HTTP request between PSU and TPP, if available.

HTTP method used at the PSU ? TPP interface, if available. Valid values are:

• GET
• POST
• PUT
• PATCH
• DELETE

UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID needs to be unaltered until removal from device.

The forwarded Geo Location of the corresponding http request between PSU and TPP if available.

Client ID of the PSU in the ASPSP client interface. Might be mandated in the ASPSP's documentation. It might be contained even if an OAuth2 based authentication was performed in a pre-step or an OAuth2 based SCA was performed in an preceding AIS service in the same session. In this case the ASPSP might check whether PSU-ID and token match, according to ASPSP documentation.

Type of the PSU-ID, needed in scenarios where PSUs have several PSU-IDs as access possibility. In this case, the mean and use are then defined in the ASPSP's documentation.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

A comma separated list of attributes, where the first entry will have a higher priority than the next or to every SCA Approach which is not indicated at all, e.g. "decoupled, redirect, embedded" or "decoupled" This attribute may be ignored by the ASPSP

URI of the TPP, where the transaction flow shall be redirected to after a Redirect. Mandated for the Redirect SCA Approach. It is recommended to always use this header field.

If this URI is contained, the TPP is asking to redirect the transaction flow to this address instead of the Client-Redirect-URI in case of a negative result of the redirect SCA method. This might be ignored by the ASPSP.

If it equals "true", the API Client prefers to start the authorisation process separately, e.g. because of the usage of a signing basket or because of asynchronous authorisation. This preference might be ignored by the ASPSP, if a signing basket is not supported as functionality or if asynchronous authorisation is not supported. If it equals "false" or if the parameter is not used, there is no preference of the API Client. This especially indicates that the API Client assumes a direct authorisation of the transaction in the next step, without using a signing basket.

URI for the Endpoint of the Client API to which the status of the resource should be sent. This header field may by ignored by the ASPSP if the resource status push function is not supported for the related API client.

The string has the form status=X1, ..., Xn where Xi is one of the constants SCA, PROCESS, LAST and where constants are not repeated. The usage of the constants supports the of following semantics: SCA: A notification on every change of the scaStatus attribute for all related authorisation processes is preferred by the API Client. PROCESS: A notification on all changes of consentStatus or transactionStatus attributes is preferred by the API Client. LAST: Only a notification on the last consentStatus or transactionStatus as available in the XS2A interface is preferred by the API Client. This header field may be ignored, if the ASPSP does not support resource notification services for the related API Client.

true: The client requests the ASPSP to perform a VOP check, where applicable. false: The API Client requests the ASPSP not to perform a VOP check.
Reasons for this are e.g. that the API client has already performed the VOP check in a TPP scenario or is requiring an opt out in a direct access scenario.
The related VOP check could have been performed up front via the dedicated VOP API, if provided by the ASPSP. not used: The API Client does not request to perform a VOP request. An ASPSP may ignore this header

This attribute contains the X-Request-ID of the related request on the dedicated VOP API. This attribute might be ignored by the ASPSP. If the ASPSP offers the dedicated VOP API, it might mandate the usage of this attribute via the ASPSP documentation and then make the usage of this attribute mandatory, if applicable to the related payment product and if VOP has not been opted out.

This header might be used by API Clients to inform the ASPSP about the brand used by the API Client towards the PSU. This information is meant for logging entries to enhance communication between ASPSP and PSU or ASPSP and API Client. This header might be ignored by the ASPSP.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

ID of the request, unique to the call, as determined by the initiating party.

Indicates the signature profile used for signing (parts of) the body. Shall be used if the body is signed.

Indicates the encryption profile used for the encryption of (parts of) the body.

Contains a List of names of data elements/ attributes of the body which contain encrypted information

This data element may be contained, if the payment initiation transaction is part of a session, i.e. combined AIS/PIS service. This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.

The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP. If not available, the TPP shall use the IP Address used by the TPP when submitting this request.

Unique identification as assigned by the sending party to unambiguously identify this bulk payment. This attribute may be used by ASPSPs or communities as an optional field.

Specifies the means of payment that will be used to move the amount of money. Usage: Only used for cross-border transactions. If no paymentMethod is explicitly indicated, paymentMethod will be interpreted as "TRF" (Credit Transfer).

If this element equals true, the PSU pre-fers only one booking entry. If this element equals false, the PSU prefers individual booking of all contained individual transactions. The ASPSP will follow this preference according to contracts agreed on with the PSU.

Number of individual transactions con-tained in the related bulk.

Total of all individual amounts included in the group, irrespective of currencies.

Unambiguous identification of the account of the debtor to which a debit entry will be made as a result of the transaction.

Payment service: Possible values are:

• payments
• bulk-payments
• periodic-payments

The payment product, under which the payment under paymentId has been initiated. It shall be checked by the ASPSP, if the payment-product is matching the payment initiation addressed by paymentId.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

Payment service: Possible values are:

• payments
• bulk-payments
• periodic-payments

The payment product, under which the payment under paymentId has been initiated. It shall be checked by the ASPSP, if the payment-product is matching the payment initiation addressed by paymentId.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

Payment service: Possible values are:

• payments
• bulk-payments
• periodic-payments

The payment product, under which the payment under paymentId has been initiated. It shall be checked by the ASPSP, if the payment-product is matching the payment initiation addressed by paymentId.

The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded Agent header field of the HTTP request between PSU and TPP, if available.

HTTP method used at the PSU ? TPP interface, if available. Valid values are:

• GET
• POST
• PUT
• PATCH
• DELETE

UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID needs to be unaltered until removal from device.

The forwarded Geo Location of the corresponding http request between PSU and TPP if available.

Client ID of the PSU in the ASPSP client interface. Might be mandated in the ASPSP's documentation. It might be contained even if an OAuth2 based authentication was performed in a pre-step or an OAuth2 based SCA was performed in an preceding AIS service in the same session. In this case the ASPSP might check whether PSU-ID and token match, according to ASPSP documentation.

Type of the PSU-ID, needed in scenarios where PSUs have several PSU-IDs as access possibility. In this case, the mean and use are then defined in the ASPSP's documentation.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

A comma separated list of attributes, where the first entry will have a higher priority than the next or to every SCA Approach which is not indicated at all, e.g. "decoupled, redirect, embedded" or "decoupled" This attribute may be ignored by the ASPSP

URI of the TPP, where the transaction flow shall be redirected to after a Redirect. Mandated for the Redirect SCA Approach. It is recommended to always use this header field.

If this URI is contained, the TPP is asking to redirect the transaction flow to this address instead of the Client-Redirect-URI in case of a negative result of the redirect SCA method. This might be ignored by the ASPSP.

If it equals "true", the API Client prefers to start the authorisation process separately, e.g. because of the usage of a signing basket or because of asynchronous authorisation. This preference might be ignored by the ASPSP, if a signing basket is not supported as functionality or if asynchronous authorisation is not supported. If it equals "false" or if the parameter is not used, there is no preference of the API Client. This especially indicates that the API Client assumes a direct authorisation of the transaction in the next step, without using a signing basket.

URI for the Endpoint of the Client API to which the status of the resource should be sent. This header field may by ignored by the ASPSP if the resource status push function is not supported for the related API client.

The string has the form status=X1, ..., Xn where Xi is one of the constants SCA, PROCESS, LAST and where constants are not repeated. The usage of the constants supports the of following semantics: SCA: A notification on every change of the scaStatus attribute for all related authorisation processes is preferred by the API Client. PROCESS: A notification on all changes of consentStatus or transactionStatus attributes is preferred by the API Client. LAST: Only a notification on the last consentStatus or transactionStatus as available in the XS2A interface is preferred by the API Client. This header field may be ignored, if the ASPSP does not support resource notification services for the related API Client.

This header might be used by API Clients to inform the ASPSP about the brand used by the API Client towards the PSU. This information is meant for logging entries to enhance communication between ASPSP and PSU or ASPSP and API Client. This header might be ignored by the ASPSP.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

The payment product, under which the payment under paymentId has been initiated. It shall be checked by the ASPSP, if the payment-product is matching the payment initiation addressed by paymentId.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].