Versions Compared

Version Old Version 2 New Version 3
Changes made by

Chris Wood

Chris Wood

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Expand
titleMENU
Table of Contents
stylenone

1. API Flows

1.1 Step 1: Agree Insurance Consent

The flow MUST begin with a User who provides consent to a TPP to access their insurance information from a LFI that they already have a relationship.

1.2 Step 2: Authorize Insurance Access Consent

The TPP MUST now request the User to authorize the consent. Please refer to the Authentication and Authorizationpage to review the supported Authorization Flows.

The TPP MUST construct a Rich Authorization Request (https://www.rfc-editor.org/rfc/rfc9396) with the authorization_details populated with the User’s consent

The TPP MUST include an insurance consent with all the REQUIRED data permissions that the User intends to provide to the TPP.

The TPP MUST include a UUID v4 as the ConsentId as a unique identifier for the insurance consent.

A TPP MAY be a broker for data to other parties, so it is valid for a User to have multiple consentsfor the same resource(s), with different consent or authorization parameters agreed upon.

1.2.1 Security and Access Control

Authorization Code Grant

The TPP MUST use an authorization code grant to obtain a token to access all other API resources.

1.3 Step 3: Access Data

1.3.1 Request Data

The TPP MUST have a valid access token (with scope) from the OFP authorization server.

The TPP MUST use the valid access token to retrieve User data from the OFP resource server.

The LFI MUST return an API response when provided with a valid request from the OFP.

The OFP MUST return an API response when provided with a valid access token request from the TPP.

2. Sequence Diagram

The flows illustrate the API interactions completing successfully, with no API Errors.

image-20240520-105634.pngImage Removeduae-insurance-sequence-diagram.pngImage Added

3. Examples

The following are non-normative examples of API access and usage of the Insurance Information API.

3.1 The TPP Redirects the User to Authorize Insurance Consent

3.1.1 Request: TPP Uses RAR (Rich Authorization Request) via a PAR (Pushed Authorization Request) Endpoint with the OFP to Obtain a Request URI

Create a RAR Request JWT with these values:

  • kid is a valid signing key ID for the TPP on the Open Finance Directory

  • iss is client id (UUID v4)

  • state is a UUID v4 value

  • response_type MUST be code

  • redirect_uri is the TPP’s redirect URI

The authorization_details contain the User’s insurance consent details, and a UUID v4 which is a unique identifier for the insurance consent.

Code Block
{
    "typ": "JWT",
    "alg": "PS256",
    "kid": "e4ce77c498e77000a25aa7b40e4a83f9"
}
.
{
    "iss": "s6BhdRkqt3",
    "aud": "https://server.example.com",
    "response_type": "code",
    "redirect_uri": "https://openbanking.tpp1.ae/simple-redirect-url",
    "scope": "insurance",
    "state": "2616df22-899e-468b-b7af-927145b067cc",
    "authorization_details": [
        {
            "Type": "urn:openfinanceuae:insurance-consent:v1.0-rc1",
            "Consent": {
                "ConsentId": "6a6a826f-0930-4eb0-b365-a8eac3032828",
                "Permissions": [
                    "ReadMotorInsurancePolicies",
                    "ReadMotorInsuranceCustomerBasic",
                    "ReadMotorInsuranceCustomerPaymentDetails"
                ],
                "ExpirationDateTime": "2024-03-28T15:27:13+030",
                "Purpose": [
                    "MotorInsuranceQuote"
                ]
            }
        }
    ]
}

Create the RAR Request using the signed JWT, and authenticated using private_key_jwt.

The request parameter JWT includes the ConsentId, a UUID v4 that was originally generated by the TPP.

Code Block
POST /open-finance/v1/par HTTP/1.1
Host: auth1.openfinanceplatform.ae
Content-Type: application/x-www-form-urlencoded
Accept: application/json
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJIUzI1NiJ9.ew0KICAiaXNzIjogImM4NDIyNzg3LTFkZmYtNDI0ZC1iNjIwLTM1NmMwODcwYmVkNCIsDQogICJzdWIiOiAiYzg0MjI3ODctMWRmZi00MjRkLWI2MjAtMzU2YzA4NzBiZWQ0IiwNCiAgImF1ZCI6ICJhdXRoMS5sYWIub3BlbmJhbmtpbmcuc2EiLA0KICJqdGkiOiAiYThmZDQ2ZjctYTNiMy00MGQ5LTk2ZjctNDk1YmEyMGFiMTZmIiwNCiAgImV4cCI6IDE1MTYyMzkwMjINCn0.nvY2tG7D3_ioVI55nRJ7apBzoGbP9sofMLd7Dni4YbI
&request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6ImU0Y2U3N2M0OThlNzcwMDBhMjVhYTdiNDBlNGE4M2Y5In0.eyJpc3MiOiJzNkJoZFJrcXQzIiwiaWF0IjoxNjY5MzkzMTU0LCJleHAiOjE2NjkzOTM0OTYsIm5iZiI6IjE2NjkzOTMxNTQiLCJhdWQiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9sZmkubGFiLm9wZW5iYW5raW5nLmFlL2F1dGgiLCJzY29wZSI6Im9wZW5pZCBhY2NvdW50cyIsInN0YXRlIjoiYWYwaWZqc2xka2oiLCJhdXRob3JpemF0aW9uX2RldGFpbHMiOlt7IlR5cGUiOiJBY2NvdW50QWNjZXNzQ29uc2VudCIsIkRhdGEiOnsiQ29uc2VudElkIjoiMzk5ZTAwNjUtOTkwNy00MmNjLTgyYjktMWVjNGYyNzNlM2U5IiwiQ3JlYXRpb25EYXRlVGltZSI6IjIwMjQtMDMtMjdUMTU6Mjc6MTMrMDMwMCIsIkNvbnNlbnRTdGF0dXMiOiJBdXRob3JpemVkIiwiQ29uc2VudFN0YXR1c1VwZGF0ZURhdGVUaW1lIjoiMjAyNC0wMy0yN1QxNjoyNzoxMyswMzAwIiwiUGVybWlzc2lvbnMiOlsiUmVhZEFjY291bnRzQmFzaWMiLCJSZWFkQWNjb3VudHNEZXRhaWwiLCJSZWFkQmFsYW5jZXMiLCJSZWFkQmVuZWZpY2lhcmllc0Jhc2ljIiwiUmVhZEJlbmVmaWNpYXJpZXNEZXRhaWwiLCJSZWFkVHJhbnNhY3Rpb25zQmFzaWMiLCJSZWFkVHJhbnNhY3Rpb25zRGV0YWlsIiwiUmVhZFRyYW5zYWN0aW9uc0NyZWRpdHMiLCJSZWFkVHJhbnNhY3Rpb25zRGViaXRzIiwiUmVhZFNjaGVkdWxlZFBheW1lbnRzQmFzaWMiLCJSZWFkU2NoZWR1bGVkUGF5bWVudHNEZXRhaWwiLCJSZWFkRGlyZWN0RGViaXRzIiwiUmVhZFN0YW5kaW5nT3JkZXJzQmFzaWMiLCJSZWFkU3RhbmRpbmdPcmRlcnNEZXRhaWwiXSwiQXV0aG9yaXphdGlvbkV4cGlyYXRpb25UaW1lV2luZG93IjoiNzIwOjAwOjAwIiwiRXhwaXJhdGlvbkRhdGVUaW1lIjoiMjAyNC0wMy0yOFQxNToyNzoxMyswMzAwIiwiVHJhbnNhY3Rpb25Gcm9tRGF0ZVRpbWUiOiIyMDI0LTAzLTI1VDEyOjE5OjI0KzAzMDAiLCJUcmFuc2FjdGlvblRvRGF0ZVRpbWUiOiIyMDI0LTAzLTI3VDEyOjE5OjI0KzAzMDAiLCJBY2NvdW50VHlwZSI6WyJVQUVPRi5SZXRhaWwiXSwiQWNjb3VudFN1YlR5cGUiOlsiQ3VycmVudEFjY291bnQiXSwiQ29uc2VudFB1cnBvc2UiOlsiQWNjb3VudCBBZ2dyZWdhdGlvbiIsIkUtU3RhdGVtZW50Il19fV19.8T2xivs2zqFdxyrs8h3TWsMxigzk9QcsamU9Dj-2GDs

3.1.2 Response: The OFP Provides the Request URI for the TPP

Code Block
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store
{
  "request_uri": "urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c",
  "expires_in": 60
}

3.2 The TPP Redirects the User to Their LFI with the Request URI to Authorize the Consent

Code Block
GET /auth?client_id=c8422787-1dff-424d-b620-356c0870bed4&request_uri=urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c
Host: openbanking.lfi.ae

3.3 The User Logs into Their LFI, Reviews and Authorizes the Consent Request, and Confirms They Wish to Share Insurance Policies with the TPP

The LFI confirms insurance consent properties in the OFP.

Code Block
POST /consents/6a6a826f-0930-4eb0-b365-a8eac3032828
host: auth1.openfinanceplatform.ae
Content-Type: application/json
{
  "psuIdentifiers": [
    "userId": "33f81f80-6223-4ae1-927a-fec19169ecef"
  ],
  "insurancePoliciesIds": [
    "176794ea-ee8c-4621-b824-b8cfa95db0ff"
  ]
}

The LFI then confirms authorization of insurance consent in the OFP.

Code Block
POST /auth/aac-1a672e83-d1e5-42bc-b8e1-60a490ec52fd/doConfirm
host: auth1.openfinanceplatform.ae
Content-Type: application/x-www-form-urlencoded
InsurancePolicyInformation.PolicyReference=f91d07d0-6d8f-4e0e-9fb4-0ac61f84d115
&InsurancePolicyInformation.PolicyReference=bed6cb83-956e-4795-86c3-0f4254ae1cab

3.4 The LFI Returns an Authorization Code to the TPP

Code Block
302 Found
Location: https://openbanking.tpp1.ae/simple-redirect-url?
code=ce2aeabf-599c-4475-9171-1f6d8c1a49dc
&state=2616df22-899e-468b-b7af-927145b067cc

3.5 The TPP Exchanges the Authorization Code for an Insurance API Access Token with the OFP

Code Block
POST /token HTTP/1.1
Host: as1.openfinanceplatform.ae
Content-Type: application/x-www-form-urlencoded
Accept: application/json
grant_type=authorization_code
&code=ce2aeabf-599c-4475-9171-1f6d8c1a49dc
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJIUzI1NiJ9.ew0KICAiaXNzIjogImM4NDIyNzg3LTFkZmYtNDI0ZC1iNjIwLTM1NmMwODcwYmVkNCIsDQogICJzdWIiOiAiYzg0MjI3ODctMWRmZi00MjRkLWI2MjAtMzU2YzA4NzBiZWQ0IiwNCiAgImF1ZCI6ICJhdXRoMS5sYWIub3BlbmJhbmtpbmcuc2EiLA0KICJqdGkiOiAiYThmZDQ2ZjctYTNiMy00MGQ5LTk2ZjctNDk1YmEyMGFiMTZmIiwNCiAgImV4cCI6IDE1MTYyMzkwMjINCn0.nvY2tG7D3_ioVI55nRJ7apBzoGbP9sofMLd7Dni4YbI
&redirect_uri=https%3A%2F%2Fopenbanking.tpp1.ae%2Fsimple-redirect-url

3.6 The OFP Returns an Access Token, Refresh Token, and ID Token to the TPP

Code Block
HTTP/1.1 200 OK
Content-Type:application/json
{
    "access_token": "caa1b60d-61ff-4cd8-a4e1-2d18c8696de0",
    "expires_in": 432000,
    "token_type": "Bearer",
    "scope": "openid%20insurance",
    "state": "2616df22-899e-468b-b7af-927145b067cc",
    "refresh_token": "266f5f15-eb81-4a02-bf05-e25063ca445f",
    "id_token": "eyJhbGciOiJQUzI1NiIsImtpZCI6IkM4a3FRRlZoUFVOUnZTN1ljamZBSEVSTEVDZEFfamZENXJjb1NXVkMwY2sifQ.eyJzdWIiOiJhYWMtMWE2NzJlODMtZDFlNS00MmJjLWI4ZTEtNjBhNDkwZWM1MmZkIiwib3BlbmJhbmtpbmdfaW50ZW50X2lkIjoiYWFjLTFhNjcyZTgzLWQxZTUtNDJiYy1iOGUxLTYwYTQ5MGVjNTJmZCIsInBzdV9pZGVudGlmaWVycyI6eyJjb21wYW55SWQiOiIxMjM0NSJ9LCJpc3MiOiJodHRwczovL2F1dGgxLmxhYi5vcGVuYmFua2luZy5zYSIsImF1ZCI6ImM4NDIyNzg3LTFkZmYtNDI0ZC1iNjIwLTM1NmMwODcwYmVkNCIsImlhdCI6MTY1OTg2NDEzMywiZXhwIjoxNjU5ODY1MDMzLCJub25jZSI6ImZmMzljMGQxLTIyN2EtNGM3My1iYjA1LTA4NDY0ZjA1MmU4NSIsImF1dGhfdGltZSI6MTY1OTg2NDEzMywiYXpwIjoiYzg0MjI3ODctMWRmZi00MjRkLWI2MjAtMzU2YzA4NzBiZWQ0IiwicmVmcmVzaF90b2tlbl9leHBpcmVzX2F0IjoxNjY3NjQwMTMzLCJjX2hhc2giOiI5UWhXZVlzWnd6NzF0NWhjdlI2OU5BIiwic19oYXNoIjoiNHN0R0QtYTFjS3dFSjVwWFZYOEdnUSIsImFjciI6InVybjpvcGVuYmFua2luZzpwc2QyOnNjYSJ9.AfunjbLyzOMQXtZfAl4563cKxTYbXhzZk5IFrJ864w1aF9_XpIQe1iH5H17xIXL_1XmjbPiPMzx55025NMyDOMwPSRBDu9bIb37EyUlVVtVevxxwVeyOixcOx-NoNMHO4qTKyznhCM_oJmNmq5n8N9xSbmyJSGDIusGiiyXyNt0egnK4xkvPFwri4FJd3IUIdUWOCuUO9RlckBQottUiyo4UazrAaShpn4GIsl_1fj8U2Ga5v4t_6jRG7oEndwQoDruLrftFnwvDWJYD2NSm5LKUb2z4HTb-89aPihcGpCrSrnxqyB6kiAculoJAhZhC8TBY40G3l-6qjc5Ey71JHA"
}

The TPP can now request insurance policy information using the access token.

3.7 Get a List of Insurance Policies

3.7.1 Request: Insurance Policies Resource

Code Block
GET /open-finance/insurance/v1.0-rc1/insurance-policies HTTP/1.1
Host: rs1.openfinanceplatform.ae
Accept: application/json
x-fapi-interaction-id: 942a7ee7-d29a-45aa-93b7-c5f292d86602
Authorization: Bearer caa1b60d-61ff-4cd8-a4e1-2d18c8696de0

3.7.2 Response: Insurance Policies Resource

Code Block
HTTP/1.1 200 OK
Content-Type: application/json
x-fapi-interaction-id: 942a7ee7-d29a-45aa-93b7-c5f292d86602
{
    "Data": [
      {
        "InsurancePolicyId": "176794ea-ee8c-4621-b824-b8cfa95db0ff",
        "PolicyType": "Motor",
        "Customer": {
          "CustomerId": "dcaaef9c-63cb-4c57-9f2a-a4986c4a958e",
          "FullName": "Hamad Ali",
          "PrimaryLanguage": "English"
        }
      }
    ],
    "Links": {
      "Self": "https://rs1.openfinanceplatform.ae/open-finance/insurance/v1.0-rc1/insurance-policies"
    },
    "Meta": {
      "TotalPages": "1"
    }
  }

3.8 Get an Insurance Policy

3.8.1 Request: Insurance Policy Resource

Code Block
GET /open-finance/insurance/v1.0-rc1/insurance-policies/176794ea-ee8c-4621-b824-b8cfa95db0ff HTTP/1.1
Host: rs1.openfinanceplatform.ae
Accept: application/json
x-fapi-interaction-id: 942a7ee7-d29a-45aa-93b7-c5f292d86602
Authorization: Bearer caa1b60d-61ff-4cd8-a4e1-2d18c8696de0

3.8.2 Response: Insurance Policy Resource

Code Block
HTTP/1.1 200 OK
Content-Type: application/json
x-fapi-interaction-id: 942a7ee7-d29a-45aa-93b7-c5f292d86602
{
  "Data": {
    "InsurancePolicyId": "176794ea-ee8c-4621-b824-b8cfa95db0ff",
    "PolicyType": "Motor",
    "Customer": {
      "CustomerId": "dcaaef9c-63cb-4c57-9f2a-a4986c4a958e",
      "FullName": "Hamad Ali",
      "PrimaryLanguage": "English"
    }
  },
  "Links": {
    "Self": "https://rs1.openfinanceplatform.ae/open-finance/insurance/v1.0-rc1/insurance-policies/176794ea-ee8c-4621-b824-b8cfa95db0ff"
  }
}

3.9 Get Customer Payment Details

3.9.1 Request: Customer Payment Details Resource

Code Block
GET /open-finance/insurance/v1.0-rc1/insurance-policies/176794ea-ee8c-4621-b824-b8cfa95db0ff/customer-payment-details HTTP/1.1
Host: rs1.openfinanceplatform.ae
Accept: application/json
x-fapi-interaction-id: f9ccecd5-2ed1-4299-b233-7c5d8a6a2e0d
Authorization: Bearer caa1b60d-61ff-4cd8-a4e1-2d18c8696de0

3.9.2 Response: Customer Payment Details Resource

Code Block
HTTP/1.1 200 OK
Content-Type: application/json
x-fapi-interaction-id: f9ccecd5-2ed1-4299-b233-7c5d8a6a2e0d
{
  "Data": {
    "SchemeName": "IBAN",
    "Identification": "SA4420000001234567891234",
    "Name": "Mr Hamad Ali"
  },
  "Links": {
    "Self": "https://rs1.openfinanceplatform.ae/open-finance/insurance/v1.0-rc1/insurance-policies/176794ea-ee8c-4621-b824-b8cfa95db0ff/customer-payment-details"
  }
}

4. Further Examples

4.1 The TPP Queries the Insurance Resource for the Status after a User has Authorized the Consent

4.1.1 Request: insurance-consents/{ConsentId} resource

Code Block
GET /open-finance/insurance/v1.0-rc1/insurance-consents/aac-1a672e83-d1e5-42bc-b8e1-60a490ec52fd HTTP/1.1
Host: rs1.openfinanceplatform.ae
Content-Type: application/json
x-fapi-interaction-id: 2e974f01-d111-4078-9a19-7a9b385e637c
Authorization: Bearer e6156449-6f27-4c42-aa5b-36602f73eac9

4.1.2 Response: insurance-consents/{ConsentId} resource

Code Block
HTTP/1.1 200 OK
Content-Type:application/json
x-fapi-interaction-id: 2e974f01-d111-4078-9a19-7a9b385e637c
{
  "Data": {
    "ConsentId": "6a6a826f-0930-4eb0-b365-a8eac3032828",
    "CreationDateTime": "2024-06-27T15:27:13+0300",
    "Status": "Authorized",
    "StatusUpdateDateTime": "2024-06-27T16:27:13+0300",
    "Permissions": [
        "ReadInsurancePoliciesMotor"
    ],
    "ExpirationDateTime": "2024-03-28T15:27:13+030",
    "Purpose": [
        "MotorInsuranceQuote"
    ]
  },
  "Subscription": {
    "Webhook": {
      "Url": "https://api.tpp1.com/webhook/callbackUrl",
      "IsActive": false
    }
  },
  "Links": {
    "Self": "https://rs1.openfinanceplatform.ae/open-finance/insurance/v1.0-rc1/insurance-consents/6a6a826f-0930-4eb0-b365-a8eac3032828"
  },
  "Meta": {}
}

4.2 The TPP Requests the List of Insurance Policies Using an Expired Access Token

4.2.1 Request: insurance-policies collection

Code Block
GET /open-finance/insurance/v1.0-rc1/insurance-policies HTTP/1.1
Host: rs1.openfinanceplatform.ae
Content-Type: application/json
x-fapi-interaction-id: 9a371b79-4e79-4d7d-a77d-380c528ab8c0
Authorization: Bearer caa1b60d-61ff-4cd8-a4e1-2d18c8696de0

4.2.2 Response: 401 Unauthorized

Code Block
HTTP/1.1 401 Unauthorized
Content-Type: application/json
x-fapi-interaction-id: 9a371b79-4e79-4d7d-a77d-380c528ab8c0

4.3 Webhooks

4.3.1 The TPP Creates an Insurance Consent Request with a Webhook Subscription

4.3.1.1 Request: Insurance Consent and Webhook Subscription

Code Block
{
    "typ": "JWT",
    "alg": "PS256",
    "kid": "e4ce77c498e77000a25aa7b40e4a83f9"
}
.
{
    "iss": "s6BhdRkqt3",
    "iat": 1669393154,
    "exp": 1669393496,
    "nbf": 1669393154,
    "aud": "https://server.example.com",
    "response_type": "code",
    "redirect_uri": "https://openbanking.tpp1.ae/simple-redirect-url",
    "scope": "insurance",
    "state": "2616df22-899e-468b-b7af-927145b067cc",
    "authorization_details": [
        {
            "Type": "urn:openfinanceuae:insurance-consent:v1.0-rc1",
            "Consent": {
                "ConsentId": "6a6a826f-0930-4eb0-b365-a8eac3032828",
                "Permissions": [
                    "ReadInsurancePoliciesMotor"
                ],
                "ExpirationDateTime": "2024-03-28T15:27:13+030",
                "Purpose": [
                    "MotorInsuranceQuote"
                ]
            },
            "Subscription": {
                "Webhook": {
                    "Url": "https://api.tpp1.com/webhook/callbackUrl",
                    "IsActive": false
                }
            }
        }
    ]
}

4.3.2 The TPP updates a Webhook Subscription preference with the OFP

4.3.2.1 Request: Activate Webhook events

Code Block
PATCH /open-finance/insurance/v1.0-rc1/insurance-consents/aac-69255d98-ab0e-4758-92a7-cacbf3073efa HTTP/1.1
Host: rs1.lab.api.openbanking.ae
Content-Type: application/json
x-fapi-interaction-id: 3424a379-8274-4686-99bd-f420d08acead
Authorization: Bearer ad297304-1057-4c68-9e76-a96f300a27f1
{
  "Subscription": {
    "Webhook": {
      "IsActive": true
    }
  }
}

4.3.2.2 Response: Webhook events activated

Code Block
HTTP/1.1 204 No Content
x-fapi-interaction-id: 3424a379-8274-4686-99bd-f420d08acead

4.3.3 The TPP unsubscribes their Webhook Subscription with the OFP

4.3.3.1 Request: De-Activate Webhook events

Code Block
PATCH /open-finance/insurance/v1.0-rc1/insurance-consents/aac-69255d98-ab0e-4758-92a7-cacbf3073efa HTTP/1.1
Host: rs1.lab.api.openbanking.ae
Content-Type: application/json
x-fapi-interaction-id: 3424a379-8274-4686-99bd-f420d08acead
Authorization: Bearer ad297304-1057-4c68-9e76-a96f300a27f1
{
  "Subscription": {
    "Webhook": {
      "IsActive": false
    }
  }
}

4.3.3.2 Response: Webhook events de-activated

Code Block
HTTP/1.1 204 No Content
x-fapi-interaction-id: 3424a379-8274-4686-99bd-f420d08acead

4.3.4 The TPP receives data from the OFP (specific to the consent and permissions) via its Webhook

4.3.4.1 The OFP generates a Self Signed JWT Authorization Token for Client Authentication with the TPP.

This JWT Authorization Token MUST be set in the Authorization Header.

Code Block
{
  "alg": "PS256",
  "typ": "JOSE",
  "cty": "json",
  "kid":  "e1be6bf3-76e6-4e53-92b9-c46423757ab1"
}
.
{
 "iss": "https://openbanking.masrif-ahmar.ae",
 "sub": "e75c26bf-1682-401a-a227-ec125f6636ab",
 "aud": "https://api.tpp.com/webhook/callbackUrl",
 "exp": 1661378066,
 "iat": 1661378036,
 "nbf": 1661378036,
 "jti": "274aa39d-d77a-46a9-b832-b2ced47919dd"
}
.
<<signature>>

4.3.4.2 Request: OFP publishes signed/encrypted data to the registered Webhook Url provided by the TPP

The example below shows a signed and encrypted payload with the JWT Authorization Token set in the Authorization Header.

Code Block
POST /webhook/callbackUrl HTTP/1.1
Host: api.tpp.com
x-fapi-interaction-id: 77b0e830-b095-4c6c-94e8-20f83eaa799f
Content-Type: application/jwt
Date: Wed, 24 Aug 2022 07:28:00 AST
Authorization: Bearer eyJhbGciO9.eyJzdWImlhdCI6MTUxNjIzOTAyMn0.iOeN9eg

<<jwe>>

Here, <<jwe>> is a signed and encrypted payload. The JWS encapsulated by the JWE has the structure below:

Code Block
{
  "alg": "PS256",
  "kid": "e1be6bf3-76e6-4e53-92b9-c46423757ab1"
}
.
{
  "iss": "string",
  "exp": 1664950125,
  "nbf": 1664950125,
  "aud": [
    "6uC8HSQ8C59SDSw43Cdm9YWxxjJmDV"
  ],
  "iat": 1661378036,
  "message": {
    "Data": {
      "PolicyType": "Motor",
      "PolicyDetails": {
        "InsurancePolicyId": "176794ea-ee8c-4621-b824-b8cfa95db0ff",
        "CustomerId": "dcaaef9c-63cb-4c57-9f2a-a4986c4a958e",
        ...
      }
    },
    "Links": {
      "Self": "https://rs1.openfinanceplatform.ae/open-finance/insurance/v1.0-rc1/insurance-policies/176794ea-ee8c-4621-b824-b8cfa95db0ff"
    },
    "EventMeta": {
      "EventDateTime": "2022-08-24T07:28:00.556Z",
      "EventResource": "insurance-policies",
      "EventType": "UAEOF.Resource.Updated",
      "ConsentId": "6a6a826f-0930-4eb0-b365-a8eac3032828"
    }
  }
}
.
<<signature>>

4.3.4.3 Response: TPP validates the Self Signed JWT Authorization Token from LFI, stores data, and acknowledges a successful response to the OFP

Code Block
HTTP/1.1 202 Accepted
x-fapi-interaction-id: 77b0e830-b095-4c6c-94e8-20f83eaa799f

5. OpenAPI Specification

See the Insurance API - OpenAPI Documentation page.

6. Notes

  • Customer payment details require the ReadMotorInsuranceCustomerPaymentDetails permission and must be specifically requested using the get /insurance-policies/{InsurancePolicyId}/customer-payment-details operation. This is to ensure a separation of concerns between the main body of data and the payment details.

7. Security

A insurance scope is used for accessing the insurance endpoints.