Build your authorize URL

Build an authorize URL using the well-known configuration link

On the production and sandbox environments, the "scaOauth" property of a consent creation is the following:

  "_links": {
    "scaOAuth": {
      "href": ""https://{brandId}{branchId}/xs2a-service/.well-known/openid-configuration?authorizationId=3418308b-f732-4d6e-99db-cc51023b248b""

You have to call this URL and retrieve the “authorization_enpoint” property in the response:

    "issuer": "https://{brandId}{branchId}/xs2a-service",
    "authorization_endpoint": "https://{brandId}{branchId}/xs2a-service/authorize/3418308b-f732-4d6e-99db-cc51023b248b",
    "token_endpoint": "https://{brandId}{branchId}/xs2a-service/oauth2/token",
    "scopes_supported": [
    "response_types_supported": [
    "grant_types_supported": [
    "subject_types_supported": [

With this property, you will be able to build your authorize URL with the following parameters:

URI parameter Description
scope This parameter corresponds to the consentId of the consent creation or the paymentId of the payment initiation
client_id This parameter corresponds to your NCA id
state Dynamic value that you have to set in order to prevent XSRF attacks
redirect_uri This parameter corresponds to the URI where the OAuth2 server is redirecting the PSU after the authorization.
NB : this redirect_uri has to be the same used for the consent creation or payment initiation
code_challenge This parameter corresponds to PKCE challenge according to cryptographic RFC 7636 which is used to prevent code injection attacks
response_type Type of the response. This value has to be set to “code
code_challenge_method Optional parameter which corresponds to the code verifier transformation method ("S256")

Following these instructions your authorize URL should look like this and is now valid to process the authorization of the PSU:



This process to build the authorize URL is the same for a payment initiation or a payment cancellation with SCA.