Tink · Arazzo Workflow

Tink Onboard A User And Access Their Bank Data

Version 1.0.0

Create a permanent Tink user, delegate bank authorization, exchange the code for a user token, and list their accounts.

1 workflow · 2 source APIs · 1 provider

Tags: Open Banking, PSD2, Payment Initiation, Account Aggregation, Risk Decisioning, Pay by Bank, Finance, Banking, Europe, Visa, Arazzo, Workflows

Provider

tink-com

Workflows

onboard-user-and-list-accounts
Create a Tink user, obtain a delegated grant and user token, then list their accounts.
Provisions a permanent user, delegates bank authorization to obtain a Tink Link URL and authorization code, exchanges the code for a user access token, and lists the consented bank accounts.
4 steps
Inputs: clientAccessToken, externalUserId, locale, market, scope
Outputs: accounts, refreshToken, userAccessToken, userId

1. createUser (operationId: createUser)
   Create a permanent Tink user keyed by your external user id so the user can be re-authorized for continuous-access products later.
2. delegateAuthorization (operationId: createDelegatedAuthorizationGrant)
   Mint a delegated authorization code for the user. The returned code is exchanged for a user token, and the customer follows the Tink Link flow to authenticate with their bank.
3. exchangeCodeForToken (operationId: createOauthToken)
   Exchange the delegated authorization code for a user access token using the authorization_code grant type.
4. listAccounts (operationId: listAccounts)
   List the bank accounts the user has consented to share, using the freshly issued user access token.

Source API Descriptions

Arazzo Workflow Specification

tink-com-user-data-access-workflow.yml
arazzo: 1.0.1
info:
  title: Tink Onboard A User And Access Their Bank Data
  summary: Create a permanent Tink user, delegate bank authorization, exchange the code for a user token, and list their accounts.
  description: >-
    The canonical Tink continuous-access onboarding flow. It creates a
    permanent Tink user identified by an external id, mints a delegated
    authorization grant that returns a Tink Link URL the customer follows to
    authenticate with their bank, exchanges the resulting authorization code
    for a user access token, and then lists the bank accounts the user has
    consented to share. Every step spells out its request inline so the flow
    can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
- name: oauthApi
  url: ../openapi/tink-oauth-api-openapi.yml
  type: openapi
- name: dataApi
  url: ../openapi/tink-data-api-openapi.yml
  type: openapi
workflows:
- workflowId: onboard-user-and-list-accounts
  summary: Create a Tink user, obtain a delegated grant and user token, then list their accounts.
  description: >-
    Provisions a permanent user, delegates bank authorization to obtain a Tink
    Link URL and authorization code, exchanges the code for a user access
    token, and lists the consented bank accounts.
  inputs:
    type: object
    required:
    - clientAccessToken
    - externalUserId
    - market
    - locale
    - scope
    properties:
      clientAccessToken:
        type: string
        description: A client (client_credentials) access token authorized to create users and grants.
      externalUserId:
        type: string
        description: Your own stable identifier for the end user (e.g. a customer id).
      market:
        type: string
        description: ISO 3166-1 alpha-2 market code for the user (e.g. GB).
      locale:
        type: string
        description: The user locale (e.g. en_US).
      scope:
        type: string
        description: The data-product scopes to request (e.g. accounts:read,transactions:read).
  steps:
  - stepId: createUser
    description: >-
      Create a permanent Tink user keyed by your external user id so the user
      can be re-authorized for continuous-access products later.
    operationId: createUser
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.clientAccessToken"
    requestBody:
      contentType: application/json
      payload:
        external_user_id: $inputs.externalUserId
        market: $inputs.market
        locale: $inputs.locale
        retention_class: PERMANENT
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/user_id
  - stepId: delegateAuthorization
    description: >-
      Mint a delegated authorization code for the user. The returned code is
      exchanged for a user token, and the customer follows the Tink Link flow
      to authenticate with their bank.
    operationId: createDelegatedAuthorizationGrant
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.clientAccessToken"
    requestBody:
      contentType: application/x-www-form-urlencoded
      payload:
        external_user_id: $inputs.externalUserId
        scope: $inputs.scope
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      authorizationCode: $response.body#/code
  - stepId: exchangeCodeForToken
    description: >-
      Exchange the delegated authorization code for a user access token using
      the authorization_code grant type.
    operationId: createOauthToken
    requestBody:
      contentType: application/x-www-form-urlencoded
      payload:
        grant_type: authorization_code
        code: $steps.delegateAuthorization.outputs.authorizationCode
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userAccessToken: $response.body#/access_token
      refreshToken: $response.body#/refresh_token
  - stepId: listAccounts
    description: >-
      List the bank accounts the user has consented to share, using the freshly
      issued user access token.
    operationId: listAccounts
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $steps.exchangeCodeForToken.outputs.userAccessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      accounts: $response.body#/accounts
  outputs:
    userId: $steps.createUser.outputs.userId
    userAccessToken: $steps.exchangeCodeForToken.outputs.userAccessToken
    refreshToken: $steps.exchangeCodeForToken.outputs.refreshToken
    accounts: $steps.listAccounts.outputs.accounts
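
An added example, not part of the original page or of Tink's tooling: it traces where the workflow's credential-like step outputs (authorization code, user access token, refresh token) are consumed or exported, which is what a workflow runner needs to know to redact them from logs and stored results. The `SECRET_FIELDS` name list and the dict form of the workflow are assumptions made for the example.

```python
import re

SECRET_FIELDS = {"code", "access_token", "refresh_token"}  # assumed naming heuristic
REF = re.compile(r"\$steps\.([\w-]+)\.outputs\.([\w-]+)")

# Constructed excerpt of the workflow above, as a YAML loader would return it
# (request fields that reference only $inputs are omitted).
WORKFLOW = {"steps": [
    {"stepId": "createUser", "outputs": {"userId": "$response.body#/user_id"}},
    {"stepId": "delegateAuthorization",
     "outputs": {"authorizationCode": "$response.body#/code"}},
    {"stepId": "exchangeCodeForToken",
     "requestBody": {"payload": {
         "code": "$steps.delegateAuthorization.outputs.authorizationCode"}},
     "outputs": {"userAccessToken": "$response.body#/access_token",
                 "refreshToken": "$response.body#/refresh_token"}},
    {"stepId": "listAccounts",
     "parameters": [{"name": "Authorization", "value":
         "Bearer $steps.exchangeCodeForToken.outputs.userAccessToken"}],
     "outputs": {"accounts": "$response.body#/accounts"}}],
  "outputs": {
    "userId": "$steps.createUser.outputs.userId",
    "userAccessToken": "$steps.exchangeCodeForToken.outputs.userAccessToken",
    "refreshToken": "$steps.exchangeCodeForToken.outputs.refreshToken",
    "accounts": "$steps.listAccounts.outputs.accounts"}}

def strings(node):
    """Yield every string nested inside dicts and lists."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from strings(v)

def trace(wf):
    """Map each credential-like step output to the places that consume or export it."""
    sinks = {(s["stepId"], name): []
             for s in wf["steps"] for name, expr in s.get("outputs", {}).items()
             if expr.rsplit("/", 1)[-1] in SECRET_FIELDS}
    sources = [("step:" + s["stepId"], [s.get("parameters"), s.get("requestBody")])
               for s in wf["steps"]]
    sources += [("workflow-output:" + n, e) for n, e in wf.get("outputs", {}).items()]
    for label, node in sources:
        for text in strings(node):
            for ref in REF.findall(text):
                if ref in sinks:
                    sinks[ref].append(label)
    return sinks
```

In this workflow the refresh token is not used by any later step and leaves only as a workflow output, so whatever stores the workflow result ends up holding that credential.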