The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded Agent header field of the HTTP request between PSU and TPP, if available.

HTTP method used at the PSU ? TPP interface, if available. Valid values are:

• GET
• POST
• PUT
• PATCH
• DELETE

UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID needs to be unaltered until removal from device.

The forwarded Geo Location of the corresponding http request between PSU and TPP if available.

Client ID of the PSU in the ASPSP client interface. Might be mandated in the ASPSP's documentation. It might be contained even if an OAuth2 based authentication was performed in a pre-step or an OAuth2 based SCA was performed in an preceding AIS service in the same session. In this case the ASPSP might check whether PSU-ID and token match, according to ASPSP documentation.

Type of the PSU-ID, needed in scenarios where PSUs have several PSU-IDs as access possibility. In this case, the mean and use are then defined in the ASPSP's documentation.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

A comma separated list of attributes, where the first entry will have a higher priority than the next or to every SCA Approach which is not indicated at all, e.g. "decoupled, redirect, embedded" or "decoupled" This attribute may be ignored by the ASPSP

URI of the TPP, where the transaction flow shall be redirected to after a Redirect. Mandated for the Redirect SCA Approach. It is recommended to always use this header field.

If this URI is contained, the TPP is asking to redirect the transaction flow to this address instead of the Client-Redirect-URI in case of a negative result of the redirect SCA method. This might be ignored by the ASPSP.

If it equals "true", the API Client prefers to start the authorisation process separately, e.g. because of the usage of a signing basket or because of asynchronous authorisation. This preference might be ignored by the ASPSP, if a signing basket is not supported as functionality or if asynchronous authorisation is not supported. If it equals "false" or if the parameter is not used, there is no preference of the API Client. This especially indicates that the API Client assumes a direct authorisation of the transaction in the next step, without using a signing basket.

URI for the Endpoint of the Client API to which the status of the resource should be sent. This header field may by ignored by the ASPSP if the resource status push function is not supported for the related API client.

The string has the form status=X1, ..., Xn where Xi is one of the constants SCA, PROCESS, LAST and where constants are not repeated. The usage of the constants supports the of following semantics: SCA: A notification on every change of the scaStatus attribute for all related authorisation processes is preferred by the API Client. PROCESS: A notification on all changes of consentStatus or transactionStatus attributes is preferred by the API Client. LAST: Only a notification on the last consentStatus or transactionStatus as available in the XS2A interface is preferred by the API Client. This header field may be ignored, if the ASPSP does not support resource notification services for the related API Client.

This header might be used by API Clients to inform the ASPSP about the brand used by the API Client towards the PSU. This information is meant for logging entries to enhance communication between ASPSP and PSU or ASPSP and API Client. This header might be ignored by the ASPSP.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

ID of the request, unique to the call, as determined by the initiating party.

Indicates the signature profile used for signing (parts of) the body. Shall be used if the body is signed.

Indicates the encryption profile used for the encryption of (parts of) the body.

Contains a List of names of data elements/ attributes of the body which contain encrypted information

Might be mandated by the ASPSP, if a commercial agreement is needed for the usage of the service.

The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP. If not available, the TPP shall use the IP Address used by the TPP when submitting this request.

Set of elements used to reference a payment instruction.

Specifies the means of payment that will be used to move the amount of money. Usage: Only used for cross-border transactions. If no paymentMethod is explicitly stated, paymentMethod will be interpreted as TRF (Credit Transfer).

Specifies the high level purpose of the instruction based on a set of pre-defined categories; provided as code.

Ultimate party that owes an amount of money to the (ultimate) creditor. Restriction to the schema are applied depending on the product.

Amount of money to be moved between the debtor and creditor, before deduction of charges, expressed in the currency as ordered by the initiating party.

Unambiguous identification of the account of the creditor to which a credit entry will be posted as a result of the payment transaction.

Financial institution servicing an account for the creditor.

Party to which an amount of money is due.

Ultimate party to which an amount of money is due.

Specifies the purpose of the instruction based the code set ExternalPurpose1Code from ISO 20022.

Information supplied to enable the matching/reconciliation of an entry with the items that the payment is intended to settle, such as commercial invoices in an accounts' receivable system, in an unstructured form.

Information supplied to enable the matching/reconciliation of an entry with the items that the payment is intended to settle, such as commercial invoices in an accounts' receivable system, in a structured form.

Request related information which is not directly linked to the payment transaction. Only applicable for request to pay services and extended payment services.

Unambiguous identification of the account of the debtor to which a debit entry will be made as a result of the transaction.

Party that owes an amount of money to the (ultimate) creditor.

Date at which the initiating party requests the clearing agent to process the payment.

Extended Payment Initiation Service. The default list is:

• deferred-payments for XDPIS
• secured-deferred-payments for XDFPIS
• multiple-deferred-payments for XMDPIS
• secured-multiple-deferred-payments for XMDFPIS

The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.

The forwarded Agent header field of the HTTP request between PSU and TPP, if available.

HTTP method used at the PSU ? TPP interface, if available. Valid values are:

• GET
• POST
• PUT
• PATCH
• DELETE

UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID needs to be unaltered until removal from device.

The forwarded Geo Location of the corresponding http request between PSU and TPP if available.

Client ID of the PSU in the ASPSP client interface. Might be mandated in the ASPSP's documentation. It might be contained even if an OAuth2 based authentication was performed in a pre-step or an OAuth2 based SCA was performed in an preceding AIS service in the same session. In this case the ASPSP might check whether PSU-ID and token match, according to ASPSP documentation.

Type of the PSU-ID, needed in scenarios where PSUs have several PSU-IDs as access possibility. In this case, the mean and use are then defined in the ASPSP's documentation.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

Might be mandated in the ASPSP's documentation. Only used in a corporate context.

A comma separated list of attributes, where the first entry will have a higher priority than the next or to every SCA Approach which is not indicated at all, e.g. "decoupled, redirect, embedded" or "decoupled" This attribute may be ignored by the ASPSP

URI of the TPP, where the transaction flow shall be redirected to after a Redirect. Mandated for the Redirect SCA Approach. It is recommended to always use this header field.

If this URI is contained, the TPP is asking to redirect the transaction flow to this address instead of the Client-Redirect-URI in case of a negative result of the redirect SCA method. This might be ignored by the ASPSP.

If it equals "true", the API Client prefers to start the authorisation process separately, e.g. because of the usage of a signing basket or because of asynchronous authorisation. This preference might be ignored by the ASPSP, if a signing basket is not supported as functionality or if asynchronous authorisation is not supported. If it equals "false" or if the parameter is not used, there is no preference of the API Client. This especially indicates that the API Client assumes a direct authorisation of the transaction in the next step, without using a signing basket.

URI for the Endpoint of the Client API to which the status of the resource should be sent. This header field may by ignored by the ASPSP if the resource status push function is not supported for the related API client.

The string has the form status=X1, ..., Xn where Xi is one of the constants SCA, PROCESS, LAST and where constants are not repeated. The usage of the constants supports the of following semantics: SCA: A notification on every change of the scaStatus attribute for all related authorisation processes is preferred by the API Client. PROCESS: A notification on all changes of consentStatus or transactionStatus attributes is preferred by the API Client. LAST: Only a notification on the last consentStatus or transactionStatus as available in the XS2A interface is preferred by the API Client. This header field may be ignored, if the ASPSP does not support resource notification services for the related API Client.

This header might be used by API Clients to inform the ASPSP about the brand used by the API Client towards the PSU. This information is meant for logging entries to enhance communication between ASPSP and PSU or ASPSP and API Client. This header might be ignored by the ASPSP.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

ID of the request, unique to the call, as determined by the initiating party.

Indicates the signature profile used for signing (parts of) the body. Shall be used if the body is signed.

Indicates the encryption profile used for the encryption of (parts of) the body.

Contains a List of names of data elements/ attributes of the body which contain encrypted information

Might be mandated by the ASPSP, if a commercial agreement is needed for the usage of the service.

The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP. If not available, the TPP shall use the IP Address used by the TPP when submitting this request.

Set of elements used to reference a payment instruction.

Specifies the means of payment that will be used to move the amount of money. Usage: Only used for cross-border transactions. If no paymentMethod is explicitly stated, paymentMethod will be interpreted as TRF (Credit Transfer).

Specifies the high level purpose of the instruction based on a set of pre-defined categories; provided as code.

Ultimate party that owes an amount of money to the (ultimate) creditor. Restriction to the schema are applied depending on the product.

Amount of money to be moved between the debtor and creditor, before deduction of charges, expressed in the currency as ordered by the initiating party.

Unambiguous identification of the account of the creditor to which a credit entry will be posted as a result of the payment transaction.

Financial institution servicing an account for the creditor.

Party to which an amount of money is due.

Ultimate party to which an amount of money is due.

Specifies the purpose of the instruction based the code set ExternalPurpose1Code from ISO 20022.

Information supplied to enable the matching/reconciliation of an entry with the items that the payment is intended to settle, such as commercial invoices in an accounts' receivable system, in an unstructured form.

Information supplied to enable the matching/reconciliation of an entry with the items that the payment is intended to settle, such as commercial invoices in an accounts' receivable system, in a structured form.

Request related information which is not directly linked to the payment transaction. Only applicable for request to pay services and extended payment services.

Unambiguous identification of the account of the debtor to which a debit entry will be made as a result of the transaction.

Party that owes an amount of money to the (ultimate) creditor.

Date at which the initiating party requests the clearing agent to process the payment.

Extended Payment Initiation Service. The default list is:

• deferred-payments for XDPIS
• secured-deferred-payments for XDFPIS
• multiple-deferred-payments for XMDPIS
• secured-multiple-deferred-payments for XMDFPIS

The addressed payment product endpoint, e.g. for SEPA Credit Transfers (SCT). The ASPSP will publish which of the payment products/endpoints will be supported. The following payment products are supported:

• For request bodies with JSON encoding: -- sepa-credit-transfers -- micro-sepa-credit-transfers -- instant-sepa-credit-transfers -- target-2-payments -- cross-border-credit-transfers The ASPSP will publish which of the payment products/endpoints will be supported. For definitions of basic non euro generic products see [oFA PFDom]. Further products might be published by the ASPSP within its XS2A documentation. These new product types will end in further endpoints of the XS2A Interface.

URI for the Endpoint of the Client API to which the status of the resource should be sent. This header field may by ignored by the ASPSP if the resource status push function is not supported for the related API client.

The string has the form status=X1, ..., Xn where Xi is one of the constants SCA, PROCESS, LAST and where constants are not repeated. The usage of the constants supports the of following semantics: SCA: A notification on every change of the scaStatus attribute for all related authorisation processes is preferred by the API Client. PROCESS: A notification on all changes of consentStatus or transactionStatus attributes is preferred by the API Client. LAST: Only a notification on the last consentStatus or transactionStatus as available in the XS2A interface is preferred by the API Client. This header field may be ignored, if the ASPSP does not support resource notification services for the related API Client.

This header might be used by API Clients to inform the ASPSP about the brand used by the API Client towards the PSU. This information is meant for logging entries to enhance communication between ASPSP and PSU or ASPSP and API Client. This header might be ignored by the ASPSP.

When API Client include a signature according to this signature profile, they also must include a "Digest" header as defined in [RFC3230]. The "Digest" Header contains a Hash of the message body. If the message does not contain a body, the "Digest" header must contain the hash of an empty byte list. The only hash algorithms that may be used to calculate the Digest within the context of this specification are SHA-256 and SHA-512 as defined in [RFC5843].

The attribute x-jws-signature contains the JSON Web Signature.

ID of the request, unique to the call, as determined by the initiating party.

Indicates the signature profile used for signing (parts of) the body. Shall be used if the body is signed.

Indicates the encryption profile used for the encryption of (parts of) the body.

Contains a List of names of data elements/ attributes of the body which contain encrypted information

Might be mandated by the ASPSP, if a commercial agreement is needed for the usage of the service.