Connect an account

Before accessing any bank data, users must connect their account to your application.

To authenticate a user, you will need to:

  1. Specify the data you'd like the user to share.
  2. Ask the user to select their provider (bank).
  3. Collect the user's consent to share that data.
  4. Send the user to their mobile banking app or online banking where they'll select the account(s) they'd like to connect (they can choose more than one).
  5. Intercept the user upon their return from their online/mobile banking and exchange a one-time code for an access token.

We manage this entire flow for you, as well as providing APIs if you'd like to implement certain parts within your app or website. Regulated clients can manage this entire flow through APIs so that the user never interacts with a TrueLayer UI.

Once you have an access token, you can use this to authenticate requests to the Verification API.

Generate an auth link


Before you begin, go to Console and sign up. Note your client_id and client_secret. You’ll need these to make API calls.

If you already use our Data API, you will need a new client_id to use Verification API. You can get a new client_id by creating a new application in the Console.

To get started, you need to generate an authentication link. You'll need the verification scope to access the service. Once authentication link is generated, you need to whitelist your redirect uris in the App Settings in the console.

Your users can connect their account(s) to your app with the auth link. The link takes them to our auth dialog where we collect consent from a user before sending them on to their respective provider. Note that authentication links require JavaScript so that they can function in web browsers.

The following is an example of an auth link:<your_client_id>&redirect_uri=<your_redirect_URI>&scope=verification&providers=uk-ob-monzo uk-ob-hsbc uk-oauth-all

Generate an access token

The user opens the auth link in their browser via the client app or browser and follows the steps detailed to link their bank account(s). Once they have connected their bank account(s), make the following call to the Redirect URI with the scope and code. You can also use our Postman collection to make the following requests.

curl --location --request GET '<your_redirect_uri>?code=<users_unique_code>&scope=verification'

The client can then use this user-specific code to generate a user-specific access token using the following API call:

export CLIENT_ID="your-client-id"
export CLIENT_SECRET="your-client-secret"
export CALLBACK_URI="your redirect uri"
export CODE="your-code"

curl --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=$CLIENT_ID' \
--data-urlencode 'client_secret=$CLIENT_SECRET' \
--data-urlencode 'redirect_uri=$CALLBACK_URI' \
--data-urlencode 'code=$CODE'

You'll get a response like the following:

    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE0NTk4OUIwNTdDOUMzMzg0MDc4MDBBOEJBNkNCOUZFQjMzRTk1MTBSUzI1NiIsInR5cCI6ImF0K2p3dCIsIng1dCI6IkZGbUpzRmZKd3poQWVBQ291bXk1X3JNLWxSQSJ9.eyJuYmYiOjE2MTUzODg2ODEsImV4cCI6MTYxNTM5MjI4MSwiaXNzIjoiaHR0cHM6Ly9hdXRoLnRydWVsYXllci",
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "B921073229D5B520F47EC1D8970982D77C8BAA06B818C357D281",
    "scope": "verification"

You get an access_token in the response. You can use this token to authenticate calls to the Verification API. This token lasts for up to one hour.

Once you have the access_token, use our Postman collection to test the Verification API.