Skip to Content

Access tokens

To access a Lunar user’s resources through the Open Banking APIs you need a client id and secret identifying you as an integrator.

Users

To access user’s data you will then have to perform an OAuth2 authorization code grant .

The grant is started by calling the https://auth.openbanking.prod.lunar.app/oauth2/auth endpoint. This is an OAuth2 authorization server. This will start the grant and redirect the call to a web form instructing the user on how to authenticate and authorize access to the TPP. When the user has authorized access the https://auth.openbanking.prod.lunar.app/oauth2/token endpoint is used to get an access token.

The API is not documented as it is a standard OAuth2 API. There are OAuth2 clients available in almost all languages, so use one that is tested and stable instead of implementing your own.

The authentication and authorization flow is a decoupled OpenID Connect flow where the user will grant the TPP access to its resources in the Lunar app. When an access token is requested, the user receives a push message in the Lunar app where it can accept the grant. Once that is done the TPP will receive an access token that can be used to interact with the resource APIs.

Even though auth.openbanking.prod.lunar.app/.well-known/openid-configuration  indicates support for both client_secret_post and client_secret_basic authentication only client_secret_basic is supported. For more details see RFC6749#2.3.1 .

Extra parameters

In addition to the standard OAuth2 parameters, the following extra parameters for the /auth endpoint are supported:

Nationality

To specify a user’s nationality, you can add the optional nationality parameter.

Valid values: dk, no, se

Refresh tokens

Access tokens are short-lived and will expire after a period of time. To maintain ongoing access to a user’s resources without requiring them to re-authenticate, you can use refresh tokens.

To receive a refresh token along with your access token, include the offline scope in your /oauth2/auth request. Since all TPPs are granted the offline scope by default, you can always request it.

When the offline scope is included, the token response will contain a refresh_token field:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "xRxGGEpVawiUak6He367W3oeOfh...",
  "scope": "PSP_AI offline"
}

Once you have a refresh token, you can exchange it for a new access token by making a request to the token endpoint:

POST https://auth.openbanking.prod.lunar.app/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <base64(client_id:client_secret)>
 
grant_type=refresh_token&refresh_token=<REFRESH_TOKEN>

The response will include a new access token (and potentially a new refresh token).

Refresh tokens enable long-lived access to user resources, which is essential for use cases like recurring account aggregation or scheduled payments where the user should not need to re-authenticate frequently.

Refresh tokens are valid for 180 days. This effectively means that any user consent collected is valid for 180 days before it will need renewal.

Token revocation

If a user wants to revoke their consent, the TPP is responsible for revoking the refresh token.

Revocation Endpoint: POST https://auth.openbanking.prod.lunar.app/oauth2/revoke

This endpoint follows the OAuth2 revocation endpoint specification (RFC 7009) , and is also listed in the .well-known/openid-configuration  endpoint.

Token Types

You can revoke both access tokens and refresh tokens:

  • Access Tokens: Immediately invalidate API access
  • Refresh Tokens: Prevent future token renewal

To completely revoke the user’s consent, the refresh token should be revoked.

Example Request

curl \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u "your-client-id:your-client-secret" \
  -d "token=<REFRESH_TOKEN>&token_type_hint=refresh_token" \
  https://auth.openbanking.prod.lunar.app/oauth2/revoke

Response

Successful revocation returns HTTP 200 with an empty response body. The token is immediately invalidated and cannot be used for further API calls.

Scopes

By default all TPPs are granted the tpp:write and offline scopes.

Other available values are

  • PSP_AI used for account
  • PSP_PI used for payments

Managing your integration

To modify TPP information, you need to authenticate using an OAuth2 client credentials grant . This grant type is used for machine-to-machine authentication where no user interaction is required.

All TPPs can request the tpp:write scope by default, which is required for modifying TPP settings.

The OAuth2 API is not documented as it follows the standard OAuth2 specification. There are OAuth2 clients available in almost all languages, so use one that is tested and stable instead of implementing your own.

Obtaining a TPP access token

To get an access token for TPP operations, make a client credentials request:

POST https://auth.openbanking.prod.lunar.app/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <base64(client_id:client_secret)>
 
grant_type=client_credentials&scope=tpp:write

Updating redirect URIs

Redirect URIs are the allowed callback URLs that can be used during OAuth2 authorization flows. You can update your registered redirect URIs using the PATCH /tpp/redirect-uris endpoint.

Request:

PATCH https://api.openbanking.prod.lunar.app/tpp/redirect-uris
Content-Type: application/json
Authorization: Bearer <ACCESS_TOKEN>
X-Request-ID: <UNIQUE_REQUEST_ID>
 
{
  "redirectUris": [
    "https://mycompany.com/oauth2/callback",
    "https://mycompany.com/alternative-callback"
  ]
}

Response: 204 No Content on success.

The X-Request-ID header is required and should be a unique identifier for the request. This is used for idempotency - if you retry a request with the same ID, you’ll get the same result.

The complete flow for updating redirect URIs is as follows:

Verifying your certificate

You can verify that your eIDAS certificate is correctly configured by calling the /tpp/verify endpoint. This is useful for troubleshooting mTLS connectivity issues.

GET https://api.openbanking.prod.lunar.app/tpp/verify

This endpoint requires mTLS with your eIDAS certificate. A 200 OK response indicates your certificate is valid and properly configured.

Last updated on
Register as a third party providerClient Management