When using our API as part of a native or mobile app we recommend the following practices to handle the authorisation process and redirects.

Auth Request API

Using our Auth Request API to create authorisation urls can allow you to by pass some or all redirects through Moneyhub API to your registered redirect url.
This has the advantage of avoiding having intermediate web pages through the authorisation flow and allow you to have an App2app flow when the user has the Banking app installed in their device.
Below is a breakdown of how this can be achieved:

Outward journey

An organisation can bypass Moneyhub's redirect in the outward journey if:

• They have their own custom consent screen
• Moneyhub has approved their custom consent screen and enabled the bypass consent screen option for their API client
• Use the Auth requests API to create authorisation urls

📘

When an organisation do not meets this criteria an intermediary web page owned by Moneyhub will be displayed to ask for consent to the user before redirecting to the bank's authorisation url

Inward Journey

An organisation can bypass Moneyhub's redirect in the callback from the bank if:

• They have their own AIS/PIS permissions
• Have registered with each relevant bank to use their redirect uri
• Use Moneyhub as Technical Service Provider (TSP), and have uploaded their Open banking certificates in our admin portal

📘

When an organisation do not meets this criteria an intermediary redirect through Moneyhub's API will take place between the bank and the organisation redirect url.

Device browser

Mobile apps have the choice to open urls either on a webview or the device browser. We recommend using the device browser to open the authorisation url as it is known that session cookies and any other data stored in local storage is not shared between webviews and the device browser.

Some of our authorisation flows, such as payments, rely on session cookies to be able to finalise the payment once that the user is redirected back from the bank so it is important that the same browser instance starts and finalise the authorisation.

It is also important to launch urls to the device browser so the Mobile OS can open directly Banking apps if the user has them installed in their device to allow an app2app flow.

Universal and Deep links

In order to handle the redirect directly in your mobile app without needing an intermediate web page we recommend setting up Universal links for iOS and Android app links.
This will allow for the mobile device to open automatically your app so it can handle the redirect.

Here are some resources that can help with your implementation:

iOS: https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content
Android: https://developer.android.com/training/app-links/verify-android-applinks
React Native: https://reactnative.dev/docs/linking
Expo: https://docs.expo.dev/guides/deep-linking/

📘

The mobile app needs to extract all authorisation params that are being sent by the bank from query params and/or hash fragment when it receives the redirect from the banking provider.

App2app Authentication

App2app is a mechanism that allows mobile apps performing OAuth2 or OpenID Connect based authentication to offer a much simpler faster flow if the user already has an app provided by their banking provider installed on their mobile device.

Below is a detailed diagram of how this can be achieved using Moneyhub's API following the recommendations described above.