Authentication and security

Third Party Account Information Providers can act on a customer's behalf only if the customer has given explicit consent (authorization) granting such permissions. Consent is valid for up to 90 days. The customer can revoke consent at any time.

When a payment is initiated on the customer's behalf, the customer is always asked to confirm that payment with Strong Customer Authentication (SCA).

Access to the APIs uses redirect-based SCA authorization. Customers can give consent or authorize payments using these SCA methods: MobileSCAN (Latvia, Lithuania), Code card, Code calculator, Mobile-ID (Estonia), Mobile Signature (Lithuania).

The APIs are built on the guidelines and standards of the EU PSD2 regulation. Third parties cannot access customer data without proper licensing and without first receiving the customer's consent or authorization.

The Citadele API contains these endpoints:

  • Get authorization redirect URL - Get the redirection URL where the customer authorizes using SCA.
  • Create consent - Create a consent resource, defining access rights to dedicated accounts of a given PSU.
  • Get consent - Read the exact definition of the given consent.
  • Delete consent - Terminate the addressed consent.
  • Consent status - Read the consent status of the addressed consent.
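The consent lifecycle described above (create, authorize via SCA, 90-day validity, customer revocation or TPP deletion, status check) modelled as a TPP-side guard that every account read must pass. This is an added illustration, not Citadele's code; the status names, the account identifiers and the reference time are assumptions, since the page does not list them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

CONSENT_MAX_DAYS = 90  # consent lifetime stated on the page

class ConsentStatus(str, Enum):
    # Status names are assumed for this example; the page does not list them.
    RECEIVED = "received"            # created, SCA not yet completed
    VALID = "valid"                  # customer authorized via SCA
    EXPIRED = "expired"              # 90-day window elapsed
    REVOKED = "revokedByPsu"         # customer withdrew consent
    TERMINATED = "terminatedByTpp"   # TPP deleted the consent

@dataclass
class Consent:
    consent_id: str
    accounts: tuple          # accounts (e.g. IBANs) the PSU granted access to
    created_at: datetime
    status: ConsentStatus = ConsentStatus.RECEIVED
    valid_until: datetime = field(init=False)

    def __post_init__(self):
        self.valid_until = self.created_at + timedelta(days=CONSENT_MAX_DAYS)

    def authorize(self, sca_succeeded: bool) -> ConsentStatus:
        # Only a freshly created consent becomes usable, and only after SCA succeeds.
        if self.status is ConsentStatus.RECEIVED and sca_succeeded:
            self.status = ConsentStatus.VALID
        return self.status

    def current_status(self, now: datetime) -> ConsentStatus:
        # Expiry is evaluated against the caller's clock on every check, never cached.
        if self.status is ConsentStatus.VALID and now >= self.valid_until:
            self.status = ConsentStatus.EXPIRED
        return self.status

    def revoke(self, by_tpp: bool = False) -> ConsentStatus:
        # Customer revocation (allowed any time) or TPP deletion; either ends access at once.
        if self.status in (ConsentStatus.RECEIVED, ConsentStatus.VALID):
            self.status = ConsentStatus.TERMINATED if by_tpp else ConsentStatus.REVOKED
        return self.status

    def may_access(self, account: str, now: datetime) -> bool:
        # Gate every account read on a currently valid consent that covers this account.
        return self.current_status(now) is ConsentStatus.VALID and account in self.accounts

# Constructed reference time and helper so the lifecycle can be exercised offline.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)
```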