
Obtaining Tokens via Code Flow

Initial token retrieval

Complete two requests in sequence:

  • a request to obtain the state and code parameters (needed for the token request),
  • a request for the tokens themselves.

Requesting the code and state parameters

To reach the Raiffeisen Bank /authorize endpoint, send a GET request in the following format:

GET https://sso.rbo.raiffeisen.ru/authorize?scope=openid profile email phone&client_id={your_client_id}&response_type=code&redirect_uri={your_redirect_uri}&state={your_state}&nonce={your_nonce}&prompt=login&code_challenge={your_code_challenge}&code_challenge_method=S256
Parameter reference

After the request is sent, you will be redirected to a login page where the end user enters their credentials.

Enter your online banking login and password and click "Sign in". You will be redirected to your system's Redirect URI, and the code and state parameters will be appended automatically. On successful authorization, the response will have status 303 with the following header:

Location: {your_redirect_uri}?code={your_code}&state={your_state}

The code value is the Authorization Code. You will need it in the next step.

Note: each Authorization Code can only be used once.
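The first leg above depends on three client-generated values: state (bound to the browser session so the callback can be tied to the request you started), nonce (later checked against the id_token), and the PKCE pair code_verifier/code_challenge with code_challenge_method=S256. The following is an added example, not code from the Raiffeisen Bank documentation: it generates those values, builds the /authorize URL in the format shown above, and parses the Location header of the 303 response, refusing to continue when the returned state does not match the one that was sent. The redirect URI and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint from the page; the redirect URI below is a constructed placeholder.
AUTHORIZE_URL = "https://sso.rbo.raiffeisen.ru/authorize"
EXAMPLE_REDIRECT_URI = "https://example.ru/redirect"


def make_verifier() -> str:
    """PKCE code_verifier: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256: base64url(SHA-256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_opaque() -> str:
    """Unguessable value for state and nonce; store it server-side with the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        nonce: str, code_challenge: str) -> str:
    """Assemble the GET /authorize URL with the parameters listed on the page."""
    params = {
        "scope": "openid profile email phone",
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(location: str, expected_state: str) -> str:
    """Extract the Authorization Code from the 303 Location header.

    The state must equal the one stored for this session; otherwise the callback
    did not originate from the request we started and the code is discarded.
    """
    query = parse_qs(urlparse(location).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def start_login(client_id: str) -> dict:
    """Produce everything the caller must remember until the token request."""
    verifier = make_verifier()
    state, nonce = make_opaque(), make_opaque()
    url = build_authorize_url(client_id, EXAMPLE_REDIRECT_URI, state, nonce,
                              s256_challenge(verifier))
    # verifier, state and nonce are kept server-side, never sent to the browser
    return {"url": url, "code_verifier": verifier, "state": state, "nonce": nonce}


if __name__ == "__main__":
    pending = start_login("a12b123b-0a12-3b4c-123a-12a3456789b1")
    print(pending["url"])
    # Simulated Location header of the 303 response (constructed value):
    loc = f"{EXAMPLE_REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={pending['state']}"
    print("code:", parse_callback(loc, pending["state"]))
```

The code_verifier is kept on the client side until the token request in the next step; only the derived code_challenge travels in the URL, so an attacker who observes the redirect cannot redeem the code without the verifier.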

Access Token Request

Use Basic Authentication in the token request.

Before the request, generate the Authorization Basic string. The Authorization header value is formed from client_id and client_secret, separated by a colon and encoded using the Base64URL Encode algorithm. Below is an example of Base64URL generation for a system where:

  • client_id = a12b123b-0a12-3b4c-123a-12a3456789b1
  • client_secret = clientsecret7Fjfp0ZBr1KtDRbnfV
Base64URL Generation Example
Base64.encode('your_client_id' + ":" + 'your_client_secret') =
YTEyYjEyM2ItMGExMi0zYjRjLTEyM2EtMTJhMzQ1Njc4OWIxOmNsaWVudHNlY3JldDdGamZwMFpCcjFLdERSYm5mVg

To get access tokens, send a POST request:

POST /token
Host: sso.rbo.raiffeisen.ru
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {Authorization Basic}

Body:
grant_type=authorization_code&
client_id={your_client_id}&code={your_code}&
redirect_uri={your_redirect_uri}&
code_verifier={your_code_verifier}

The Content-Type header carries the value application/x-www-form-urlencoded. This means the request body must consist of key=value pairs joined with & as the delimiter, with values percent-encoded, for example: client_id=my_id&redirect_uri=https%3A%2F%2Fexample.ru%2Fredirect. When using curl with form parameters, the request body is formatted automatically.

Parameter Description

The response will contain tokens in JSON format:

{
  "access_token": "your_access_token_JWT",
  "token_type": "Bearer",
  "refresh_token": "your_refresh_token",
  "id_token": "your_id_token_JWT"
}
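The Basic string and the form-encoded body are the two places where a hand-built token request usually goes wrong. The following is an added example, not code from the Raiffeisen Bank documentation: it derives the Authorization: Basic value from the client_id and client_secret shown above (the page's example value is the same string with the trailing "==" padding removed), builds the POST /token request with the body fields listed, and validates the JSON response for the four fields the page says it contains. The redirect URI, code and code_verifier values are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://sso.rbo.raiffeisen.ru/token"  # endpoint from the page

# Values from the page's Base64URL generation example.
EXAMPLE_CLIENT_ID = "a12b123b-0a12-3b4c-123a-12a3456789b1"
EXAMPLE_CLIENT_SECRET = "clientsecret7Fjfp0ZBr1KtDRbnfV"

REQUIRED_FIELDS = ("access_token", "token_type", "refresh_token", "id_token")


def basic_credentials(client_id: str, client_secret: str, padded: bool = True) -> str:
    """Base64 of 'client_id:client_secret' for the Authorization: Basic header.

    padded=True gives the RFC 7617 form; padded=False strips the trailing '='
    and matches the value printed in the page's example.
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    encoded = base64.b64encode(raw).decode("ascii")
    return encoded if padded else encoded.rstrip("=")


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, code_verifier: str) -> dict:
    """Describe the POST /token request: method, URL, headers and form body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,                      # single-use Authorization Code
        "redirect_uri": redirect_uri,      # must equal the one sent to /authorize
        "code_verifier": code_verifier,    # PKCE verifier kept from the first leg
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + basic_credentials(client_id, client_secret),
    }
    return {"method": "POST", "url": TOKEN_URL, "headers": headers, "body": body}


def parse_token_response(raw: bytes) -> dict:
    """Decode the JSON token response and check it has the documented fields."""
    tokens = json.loads(raw)
    missing = [k for k in REQUIRED_FIELDS if k not in tokens]
    if missing:
        raise ValueError(f"token response missing fields: {missing}")
    if tokens["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {tokens['token_type']!r}")
    return tokens


if __name__ == "__main__":
    req = build_token_request(EXAMPLE_CLIENT_ID, EXAMPLE_CLIENT_SECRET,
                              code="SplxlOBeZQQYbYS6WxSbIA",            # constructed
                              redirect_uri="https://example.ru/redirect",
                              code_verifier="dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
    print(req["headers"]["Authorization"])
    print(req["body"])
    # Constructed response in the shape the page documents:
    sample = b'{"access_token":"eyJ.x.y","token_type":"Bearer","refresh_token":"r1","id_token":"eyJ.a.b"}'
    print(parse_token_response(sample)["token_type"])
```

Sending the request with urllib or requests is a one-liner once the dict is built; keeping the request description separate from the transport makes the header and body easy to inspect in a test without touching the live endpoint.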

Refreshing tokens with a refresh token

When the access token expires, API requests return HTTP 401. To continue, obtain a new access token with your refresh_token by sending a POST request:

POST https://sso.rbo.raiffeisen.ru/token
Authorization: Basic {Authorization Basic}
Content-Type: application/x-www-form-urlencoded

Body:
grant_type=refresh_token&
client_id={your_client_id}&
refresh_token={your_refresh_token}

Parameter reference

The response will contain the tokens in JSON:

{
  "access_token": "your_access_token_JWT",
  "token_type": "Bearer",
  "refresh_token": "your_refresh_token",
  "id_token": "your_id_token_JWT"
}

The refresh token is also renewed with each request.
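Because the refresh token is rotated on every refresh, a client that keeps using the old value after a successful refresh will be refused, so the new refresh_token must be persisted before the stored one is forgotten. The following is an added example, not code from the Raiffeisen Bank documentation: a small session object that sends API calls with the Bearer token, reacts to HTTP 401 by posting the grant_type=refresh_token request described above, stores the rotated tokens, and retries once. The transport is injected so the example runs offline against a constructed stand-in (FakeSso) that behaves as the page describes: an expired access token yields 401, and a refresh token is accepted exactly once. Client credentials, token values and the API URL are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://sso.rbo.raiffeisen.ru/token"  # endpoint from the page


class TokenSession:
    """Holds the current token set and refreshes it when the API answers 401."""

    def __init__(self, client_id, client_secret, tokens, transport):
        self.client_id = client_id
        self.client_secret = client_secret
        self.tokens = dict(tokens)          # access_token, refresh_token, ...
        self.transport = transport          # callable(method, url, headers, body) -> (status, bytes)

    def _basic(self) -> str:
        raw = f"{self.client_id}:{self.client_secret}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")

    def refresh(self) -> dict:
        """POST grant_type=refresh_token and replace the stored tokens with the rotated set."""
        body = urlencode({
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "refresh_token": self.tokens["refresh_token"],
        })
        headers = {"Authorization": self._basic(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, raw = self.transport("POST", TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"refresh failed with HTTP {status}; user must sign in again")
        new_tokens = json.loads(raw)
        # Rotation: the old refresh_token is now stale, so persist the new one immediately.
        self.tokens.update(new_tokens)
        return new_tokens

    def request(self, method, url, body=None):
        """Call the API; on 401 refresh once and retry with the new access token."""
        headers = {"Authorization": "Bearer " + self.tokens["access_token"]}
        status, raw = self.transport(method, url, headers, body)
        if status == 401:
            self.refresh()
            headers = {"Authorization": "Bearer " + self.tokens["access_token"]}
            status, raw = self.transport(method, url, headers, body)
        return status, raw


class FakeSso:
    """Constructed stand-in for the SSO and API, for offline demonstration only."""

    def __init__(self):
        self.valid_access = {"A2"}      # "A1" is treated as already expired
        self.valid_refresh = {"R1"}     # each refresh token may be redeemed once
        self.refresh_calls = 0

    def __call__(self, method, url, headers, body):
        if url == TOKEN_URL:
            self.refresh_calls += 1
            params = parse_qs(body or "")
            token = params.get("refresh_token", [""])[0]
            if (method != "POST" or not headers.get("Authorization", "").startswith("Basic ")
                    or params.get("grant_type") != ["refresh_token"]
                    or token not in self.valid_refresh):
                return 400, b'{"error":"invalid_grant"}'
            self.valid_refresh = {"R2"}  # rotate: R1 is no longer accepted
            return 200, json.dumps({"access_token": "A2", "token_type": "Bearer",
                                    "refresh_token": "R2", "id_token": "ID2"}).encode()
        bearer = headers.get("Authorization", "").removeprefix("Bearer ")
        if bearer in self.valid_access:
            return 200, b'{"ok":true}'
        return 401, b""


def demo_refresh_after_401():
    """Run one API call with an expired access token through the fake and report the outcome."""
    sso = FakeSso()
    session = TokenSession("cid", "secret",
                           {"access_token": "A1", "token_type": "Bearer",
                            "refresh_token": "R1", "id_token": "ID1"}, sso)
    status, _ = session.request("GET", "https://api.example/accounts")  # constructed URL
    return {"status": status, "refresh_calls": sso.refresh_calls,
            "access_token": session.tokens["access_token"],
            "refresh_token": session.tokens["refresh_token"]}


if __name__ == "__main__":
    print(demo_refresh_after_401())
```

A second refresh attempt with the old R1 value is rejected by the stand-in with invalid_grant, which is the failure mode a client sees in practice when it persists the original refresh token instead of the rotated one; in that case the only recovery is to send the user through the Code Flow again.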

Instructions for obtaining tokens according to the OpenID Connect 1.0 - Code Flow protocol