Skip to content
GitHub

Open Payments flow

This page describes each step in the Open Payments flow at a high level. The sequence diagrams are for illustrative purposes and might not be an exact representation of a given flow.

Assumptions

  • The client’s end-user is the payer.
  • The client already has the payer’s Open Payments-enabled account details and is able to send payments on behalf of the payer.

Get account details

A client retrieves public details about a payee’s Open Payments-enabled account by issuing a GET request to the payee’s wallet address. Details include the asset code and scale of the underlying account, as well as the authorization and resource server URLs which the client needs in order to set up a payment to the payee.

sequenceDiagram
    participant C as Client
    participant WA as Wallet address

    C->>WA: GET wallet address url (e.g. https://wallet.example.com/alice)
    WA->>C: 200 wallet address found, return public account details

Incoming payment

The client first requests/receives a grant from the payee’s authorization server to create an incoming-payment resource. The client then sends a request to the payee-side resource server to create the resource. When created, the resource server returns unique payment details the client will use to address one or more payments to the payee.

sequenceDiagram
    participant C as Client instance
    participant AS as Payee-side
authorization server participant RS as Payee-side
resource server C->>AS: Grant request (POST) with type=incoming-payment AS->>C: 200 OK, returns access token C->>RS: Create incoming payment resource (POST) RS->>C: 201 Incoming payment resource created

Quote

The client requests/receives a grant from the end-user’s authorization server to create a quote resource. The client then sends a request to the end-user’s resource server to create the resource. When created, the resource server returns, among other things, a quote id and the amount it will cost to make the payment.

sequenceDiagram
    participant C as Client instance
    participant AS as Payer-side
authorization server participant RS as Payer-side
resource server C->>AS: Grant request (POST) with type=quote AS->>C: 200 OK, returns access token C->>RS: Create quote resource (POST) RS->>C: 201 Quote resource created

Outgoing payment

Before an outgoing payment resource can be created on the end-user’s account, Open Payments requires the client to send an interactive grant request to the authorization server.

An interactive grant requires explicit consent be collected from the end-user before an access token is issued. While the client must facilitate the interaction, the end-user’s authorization server and identity provider (IdP) are responsible for the interface and collecting consent.

After consent is obtained, the client requests permission to continue the grant request in order to obtain an access token.

sequenceDiagram
    Client instance->>Authorization server (AS): Sends interactive grant request
    Authorization server (AS)-->>Client instance: 200 returns interact redirect uri and continue uri
    Client instance->>Authorization server (AS): Navigates to interact redirect uri
    Authorization server (AS)->>Authorization server (AS): Starts interaction and sets session
    Authorization server (AS)-->>Client instance: 302 temporary redirect to identity provider 
uri with grant info in query string Client instance->>Identity provider (IdP): Redirects to identity provider Identity provider (IdP)->>Identity provider (IdP): Resource owner (e.g. client end-user)
accepts interaction Identity provider (IdP)->>Authorization server (AS): Sends interaction choice Authorization server (AS) -->>Identity provider (IdP): 202 choice accepted Identity provider (IdP)->>Authorization server (AS): Requests to finish interaction Authorization server (AS)->>Authorization server (AS): Ends session Authorization server (AS)-->>Identity provider (IdP): 302 temporary redirect to finish url
(defined in initial grant request)
secured with unique hash and
interact_ref in query string Identity provider (IdP)->>Client instance: Follows redirect Client instance->>Client instance: Verifies hash Client instance->>Authorization server (AS): Sends grant continuation request with
interact_ref in body to continue uri Authorization server (AS)->>Client instance: 200 returns grant access token

Once an access token is acquired, the client can request the creation of the outgoing-payment resource. The setup of the payment is complete and the Open Payments flow ends after the resource is created.

sequenceDiagram

    participant C as Client instance
    participant RS as Payer-side
resource server C->>RS: Create outgoing payment resource (POST) RS->>C: 201 Outgoing payment resource created

Get transaction history

To provide an end-user with their transaction history, the client can retrieve a list of the user’s incoming (received) payments and outgoing (sent) payments.

sequenceDiagram

    participant C as Client
    participant RS as Resource server

    C->>RS: Get list of incoming/outgoing payments 
with wallet-address={url of wallet address} RS->>C: 200 OK

Similarly, the client can provide the end-user with details about a specific incoming or outgoing payment.

sequenceDiagram

    participant C as Client
    participant RS as Resource server

    C->>RS: Get incoming/outgoing payment with 
id={url identifying incoming/outgoing payment} RS->>C: 200 Payment found

Bringing it all together

This diagram brings the aforementioned concepts together, except for getting transaction history, to present a full transaction sequence without delving too deeply into the contents of each request and response. A link to view a larger version of the diagram is provided at the bottom of the page.

As shown below, both the sender and the recipient’s ASEs must operate their own authorization and resource servers. Grant requests for incoming payment and quote resources are typically non-interactive. A grant request for an outgoing payment resource requires explicit consent from the sender (e.g., the client’s end user), which is obtained through the sender’s identity provider.

More information about grant interaction flows can be found in the Grant negotiation and authorization page.

sequenceDiagram
    autonumber
    box rgb(225,245,254) Sender's
account servicing entity participant SIDP as Identity provider participant SRS as Resource server participant SAS as Auth server end participant SC as Client box rgb(232,245,233) Recipient's
account servicing entity participant RW as Wallet address URL participant RAS as Auth server participant RRS as Resource server end SC->>+RW: Sends GET request RW->>-SC: Responds with auth & resource server URLs SC->>+RAS: Sends a non-interactive grant request
(type=incoming-payment) RAS->>-SC: Responds with access token & grant SC->>+RRS: Sends request to create an incoming payment resource RRS->>RAS: Requests validation of access token RAS->>RRS: Access token is validated RRS->>-SC: Incoming payment resource is created SC->>+SAS: Sends non-interactive grant request
(type=quote) SAS->>-SC: Responds with access token and grant SC->>+SRS: Sends request to create a quote resource SRS->>-SC: Quote resource is created SC->>+SAS: Sends interactive grant request
(type=outgoing-payment) SAS->>-SC: Responds with interact redirect uri and continue uri SC->>+SAS: Navigates to interact redirect uri SAS->>SAS: Starts interaction
and sets session SAS->>-SC: Responds with identity provider uri SC->>+SIDP: Navigates (redirects) to identity provider SIDP->>SIDP: Sender accepts interaction,
for eg: confirms payment intent SIDP->>SAS: Sends interaction choice SAS->>SIDP: Accepts choice SIDP->>SAS: Requests to finish interaction SAS->>SAS: Ends session SAS->>SIDP: Redirects to finish url defined in initial grant request SIDP->>-SC: Follows redirect SC->>SC: Verifies hash SC->>+SAS: Sends a grant continuation request SAS->>-SC: Responds with a grant access token SC->>+SRS: Sends request to create an outgoing payment resource SRS->>SAS: Requests validation of access token SAS->>SRS: Access token is validated SRS->>-SC: Outgoing payment resource is created