PIS Common API specific documentation
Changes from the previous version
This is the change log of the PIS Common API, allowing PSD2-regulated TPPs to initiate payments on behalf of the PSU. The top most item is the latest change and the API changes described in it are relative to the version directly below.
Note: With the new v5 model structure following are the changes in “Payment” model:
- The “amount” and “currency” fields are grouped together as single unit “instructed_amount” of type MonetaryAmount.
- The field “fee” renamed to “transaction_fee” and it has field “fee_amount” which consists of “amount” and “currency” as single unit of type MonetaryAmount.
- New fields “bank”, “country”, “creditor_address” are added for Creditor and they are applicable and will be populated for crossborder payments.
Version 5.4
Added examples and updated Endpoint information to latest for Payments v5.
Version 5.3
New authentication method BANKID_SE_DECOUPLED is added for SE Decoupled payment signing (only in Sandbox for now). When this new authentication is specified in Payment Confirm request, the response will only contain the bank_id_authentication_id parameter and not signing redirect url. Therefore, it is only possible to follow decoupled signing mechanism if the new authentication method is specified in request.
Version 5.2
Authentication methods MTA_OFF and QR_RDR have been removed.
Version 5.1
Added the new language parameter to the PUT /confirm service. The service consumer can use the new language parameter to determine which language is to be used in the signing page.
Version 5.0
This is the first version of PIS Common API.
Generic payment services were added:
/v5/payments/v5/payments/<paymentId>/v5/payments/confirm
Note: In the header of requests to v5
X-Nordea-Originating-User-Ipis mandatory. More v4 payment types coming later to v5.
All payment types are listed in version 5 payments endpoints.
Overview
Payment Initiation Services (PIS) Common API consists of three endpoints. The PIS API can be used to query payment details and status and confirm payments. This API supports GET, and PUT HTTP methods.
API Endpoints
The PIS API contains the following endpoints:
| Endpoint | Supported HTTP Methods |
|---|---|
/payments/{paymentType} | POST |
/payments | PUT, GET, DELETE |
/payments/{paymentId} | GET |
/payments/confirm/bankidse/{bankIdSeAuthenticationId} | GET |
Note:
- /payments/confirm/bankidse/{bankIdSeAuthenticationId} is applicable to SE Domestic Payments only. It is to be used in case of Decoupled signing flow.
- /payments/confirm have been deprecated. Only PUT v5/payments is to be used to Confirm single/multiple payments.
The /payments endpoint will return all payments of all types as one list.
Here is an example of the JSON payload format which can be posted to this endpoint, “_type” is an internal defined representation of the account or reference type. The example is cross-border payment.
{
"central_bank_reporting_code": "101",
"charge_bearer": "shar",
"creditor": {
"account": {
"_type": "IBAN",
"value": "HU42117730161111101800000000"
},
"bank": {
"address": {
"line1": "NADOR STREET 16",
"line2": "Budapest, 1051",
"line3": "Hungary"
},
"country": "HU",
"bank_code": null,
"bic": "OTPVHUHB",
"name": "OTP BANK PLC."
},
"creditor_address": {
"line1": "Budapest Street",
"line2": "Budapest 1234",
"line3": "Hungary"
},
"country": "HU",
"message": "Invoice 5071",
"name": "Creditor Name"
},
"debtor": {
"account": {
"_type": "BBAN_SE",
"currency": "SEK",
"value": "41351300039"
},
"message": "Debtor Msg"
},
"external_id": "d630b00a-227c-474e-8d20-1fc2b7141fdc",
"instructed_amount": {
"amount": 534.45,
"currency": "USD"
},
"requested_execution_date": "2025-05-12",
"urgency": "standard"
}'
After the payment is initiated by POST request to this endpoint, it will be available by doing GET request to this endpoint which returns a list of pending payments.
The /payments/{paymentId} endpoint can be used to query payment details by payment id, and it supports only GET HTTP method. The payment id is returned when payment is initiated successfully, and it can be found from the response JSON by the name _id. Moreover, the payment status can be seen in the response by the name payment_status. Full response example of this endpoint can be seen in examples section below.
The PUT /payments endpoint can be used for confirmation of list of payments. The service also allows for individual payment confirmations. Please be aware that processing multiple payments could subsequently result in multiple errors. The post-signing redirect and decoupled solutions are the same as for the single confirmation endpoint. Also note that if 4 payment_id’s are sent, and two of them return errors, the subsequent signing process will only include the two payments with no errors.
In Sandbox: To confirm the payment, call the PUT `/payments` endpoint and subsequently activate the `signing_url` supplied. The received response is mocked and not valid for further processing. To mock the UI payment signing flow see PIS API Scenarios below.
PIS API Scenarios
The scenarios are implemented on PIS API to allow for easier testing of the applications. Developers can request a specific scenario (or list of scenarios) for certain API calls, for example, when confirming a transfer of funds the developer can request that the transaction processing to fail due to missing funds and the corresponding payment status will be represented in the payment details.
There are three scenarios available in PIS API related to payment signing and execution.
PaymentSigningExpiresPaymentMissingFundsPaymentOnHold
PaymentSigningExpires scenario means that the user never signs the payment by MTA (Nordea code app). PaymentMissingFunds in this scenario payment is signed, but there are no funds available. PaymentOnHold in this scenario payment is signed, but the payment is put on hold by Nordea for some reason (for example, fraud).
There are the following scenarios available for adding a mock UI signing flow to the payment confirmation. Adding any of the UI scenarios to the confirmation flow, then calling /confirm is no longer adequate to sign the payment, The mock UI flow has to be followed.
AuthenticationWithUISigningWithUI
AuthenticationWithUI mimics the 2SCA flow and includes authentication before signing. SigningWithUI shows the mock signing screen only and mimics the 1SCA flow. The signing screen also has built in functionality to check a few scenarios whilst mock signing the payment.
There is additionally a scenario available for mocking the date being rolled.
ExecutionDateRolling
ExecutionDateRolling rolls the planned_execution_date compared to the requested_execution_date to mimic that the payment cannot be processed the requested date.
Any scenario is specified either as part of request header or as a query parameter.
Note that the scenarios are available only in the sandbox APIs. They will never be available in the production APIs.
Use `X-Response-Scenarios` for header parameter or query parameter to request scenarios to be applied.
Further details
For further details on payment type field combinations and status codes, recurring payments etc., please refer to the domestic API documentation as well. Also, have a look at the Help Center contents.
PIS Common API examples
Get list of payments
This example shows how to get list of pending payments.
This endpoint URL has the following form:
https://api.nordeaopenbanking.com/personal/v5/payments/
This endpoint supports GET, POST and DELETE HTTP Methods. Here we use GET since we want to get list of payments.
Here is an example request.
$ curl 'https://api.nordeaopenbanking.com/personal/v5/payments' -i -X GET \
-H 'X-Nordea-Originating-Host: <host>' \
-H 'X-Nordea-Originating-Date: <now>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <access_token>' \
-H 'signature: keyId=\"<your_clientapp_keyid>\",algorithm=\"rsa-sha256\",headers=\"(request-target) x-nordea-originating-host x-nordea-originating-date\",signature=\"<generated_signature>"' \
-H 'X-IBM-Client-Id: <your_client_id>' \
-H 'X-IBM-Client-Secret: <your_client_secret>' \
-H 'X-Nordea-Originating-User-Ip: <psu-ip-address>'
And here is the response:
{
"group_header": {
"message_identification": "ktGb1vWmo-I-FBR_",
"creation_date_time": "2025-05-12T12:32:57.2372768Z",
"http_code": 200
},
"errors": [],
"_links": [],
"response": {
"payments": [
{
"_id": "{crossborder-paymentId}",
"external_id": "d630b00a-227c-474e-8d20-1fc2b7141fdc",
"entry_date_time": "2025-05-12T12:32:49.2083006Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41351300039",
"_type": "BBAN_SE"
},
"message": "Debtor Msg"
},
"creditor": {
"account": {
"value": "HU42117730161111101800000000",
"_type": "IBAN"
},
"name": "Creditor Name",
"message": "Invoice 5071",
"bank": {
"bic": "CHASUS33",
"bank_code": "FW021000021",
"name": "JPMORGAN CHASE BANK, N.A.",
"address": {
"line1": "270 Park Avenue",
"line2": "Budapest, 1234",
"line3": "Hungary"
},
"country": "HU"
},
"creditorAddress": {
"line1": "Helgeshoj Alle 33",
"line2": "Taastrup 2630",
"line3": "Danmark"
},
"country": "DK"
},
"instructed_amount": {
"amount": "534.45",
"currency": "USD"
},
"payment_status": "PendingConfirmation",
"urgency": "standard",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"charge_bearer": "shar",
"central_bank_reporting_code": "101",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{crossborder-paymentId}"
}
]
},
{
"_id": "{domestic-paymentId}",
"external_id": "c869512e-6474-4383-bd9d-2e42b9bfe249",
"entry_date_time": "2025-05-12T09:32:52.676038Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41350000279",
"_type": "BBAN_SE"
},
"message": "gift to kid"
},
"creditor": {
"account": {
"currency": "SEK",
"value": "32141039525",
"_type": "BBAN_SE"
},
"name": "Beneficiary name",
"message": "creditor msg",
"bank": {}
},
"instructed_amount": {
"amount": "1.32",
"currency": "SEK"
},
"payment_status": "PendingConfirmation",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{domestic-paymentId}"
}
]
}
]
}
}
Get payment Detail
This example shows how to query payment information with payment id of domestic payment.
This endpoint URL has the following form:
https://api.nordeaopenbanking.com/personal/v5/payments/{paymentId}
This endpoint supports only the GET HTTP Method.
Here is an example request
$ curl 'https://api.nordeaopenbanking.com/personal/v5/payments/{domestic-paymentId}' -i -X GET \
-H 'X-Nordea-Originating-Host: <host>' \
-H 'X-Nordea-Originating-Date: <now>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <access_token>' \
-H 'signature: keyId=\"<your_clientapp_keyid>\",algorithm=\"rsa-sha256\",headers=\"(request-target) x-nordea-originating-host x-nordea-originating-date\",signature=\"<generated_signature>"' \
-H 'X-IBM-Client-Id: <your_client_id>' \
-H 'X-IBM-Client-Secret: <your_client_secret>' \
-H 'X-Nordea-Originating-User-Ip: <psu-ip-address>'
And here is how the response looks like:
{
"group_header": {
"message_identification": "a65f0f482b5b6f98",
"creation_date_time": "2025-05-12T09:51:18.324238Z",
"http_code": 200
},
"response": {
"_id": "{domestic-paymentId}",
"external_id": "c869512e-6474-4383-bd9d-2e42b9bfe249",
"entry_date_time": "2025-05-12T09:32:52.676038Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41350000279",
"_type": "BBAN_SE"
},
"message": "gift to kid"
},
"creditor": {
"account": {
"currency": "SEK",
"value": "32141039525",
"_type": "BBAN_SE"
},
"name": "Beneficiary name",
"message": "creditor msg",
"bank": {}
},
"instructed_amount": {
"amount": "1.32",
"currency": "SEK"
},
"payment_status": "PendingConfirmation",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{domestic-paymentId}"
}
]
}
}
Confirm list of payments
This example shows how to confirm list of payments of types domestic and crossborder
This endpoint URL has the following form:
https://api.nordeaopenbanking.com/personal/v5/payments
This endpoint supports only the PUT HTTP Method.
Here is an example request:
$ curl 'https://api.nordeaopenbanking.com/personal/v5/payments' -i -X PUT \
-H 'X-Nordea-Originating-Host: <host>' \
-H 'X-Nordea-Originating-Date: <now>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <access_token>' \
-H 'digest: <generated_digest>' \
-H 'signature: keyId=\"<your_clientapp_keyid>\",algorithm=\"rsa-sha256\",headers=\"(request-target) x-nordea-originating-host x-nordea-originating-date\",signature="<generated_signature>"' \
-H 'X-IBM-Client-Id: <your_client_id>' \
-H 'X-IBM-Client-Secret: <your_client_secret>' \
-H 'X-Nordea-Originating-User-Ip: <psu-ip-address>' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d '{
"payments_ids":[
"{crossborder-paymentId}",
{domestic-paymentId}
]
}'
And this is how the response looks like:
Note: Cross-Border payments confirm list of payment -service uses redirect signing url’s.
{
"group_header": {
"message_identification": "Rzu_y3aB7IAQQc8G",
"creation_date_time": "2025-05-12T12:34:50.5781144Z",
"http_code": 200
},
"errors": [],
"_links": [
{
"rel": "signing",
"href": "https://<nordeasigninghost>?client_id=<signing-client-id>&code_challenge_method=S256&redirect_uri=https://<host>/v4/payments/sign/callback&response_type=code&code_challenge=<code-challenge>&scope=openid+ndf+agreement&state=<obi-generated-state>&signing_order_id=479aa71b-e7b7-44d1-97ae-898371d6d839"
}
],
"response": {
"payments": [
{
"_id": "{crossborder-paymentId}",
"external_id": "d630b00a-227c-474e-8d20-1fc2b7141fdc",
"entry_date_time": "2025-05-12T12:32:49.2083006Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41351300039",
"_type": "BBAN_SE"
},
"message": "Debtor Msg"
},
"creditor": {
"account": {
"value": "HU42117730161111101800000000",
"_type": "IBAN"
},
"name": "Creditor Name",
"message": "Invoice 5071",
"bank": {
"bic": "CHASUS33",
"bank_code": "FW021000021",
"name": "JPMORGAN CHASE BANK, N.A.",
"address": {
"line1": "270 Park Avenue",
"line2": "Budapest, 1234",
"line3": "Hungary"
},
"country": "HU"
},
"creditorAddress": {
"line1": "Helgeshoj Alle 33",
"line2": "Taastrup 2630",
"line3": "Danmark"
},
"country": "DK"
},
"instructed_amount": {
"amount": "534.45",
"currency": "USD"
},
"payment_status": "PendingUserApproval",
"urgency": "standard",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"charge_bearer": "shar",
"central_bank_reporting_code": "101",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{crossborder-paymentId}"
}
]
},
{
"_id": "{domestic-paymentId}",
"external_id": "c869512e-6474-4383-bd9d-2e42b9bfe249",
"entry_date_time": "2025-05-12T09:32:52.676038Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41350000279",
"_type": "BBAN_SE"
},
"message": "gift to kid"
},
"creditor": {
"account": {
"currency": "SEK",
"value": "32141039525",
"_type": "BBAN_SE"
},
"name": "Beneficiary name",
"message": "creditor msg",
"bank": {}
},
"instructed_amount": {
"amount": "1.32",
"currency": "SEK"
},
"payment_status": "PendingUserApproval",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{domestic-paymentId}"
}
]
}
]
}
}
an example request with the language:
$ curl 'https://api.nordeaopenbanking.com/personal/v5/payments/confirm' -i -X PUT \
-H 'X-Nordea-Originating-Host: <host>' \
-H 'X-Nordea-Originating-Date: <now>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <access_token>' \
-H 'digest: <generated_digest>' \
-H 'signature: keyId=\"<your_clientapp_keyid>\",algorithm=\"rsa-sha256\",headers=\"(request-target) x-nordea-originating-host x-nordea-originating-date\",signature="<generated_signature>"' \
-H 'X-IBM-Client-Id: <your_client_id>' \
-H 'X-IBM-Client-Secret: <your_client_secret>' \
-H 'X-Nordea-Originating-User-Ip: <psu-ip-address>' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d '{
"payments_ids":[
"{crossborder-paymentId}",
{domestic-paymentId}
],
"language":"sv"
}'
And this is how the response looks like:
Note: Cross-Border payments confirm list of payment -service uses redirect signing url’s.
{
"group_header": {
"message_identification": "Rzu_y3aB7IAQQc8G",
"creation_date_time": "2025-05-12T12:34:50.5781144Z",
"http_code": 200
},
"errors": [],
"_links": [
{
"rel": "signing",
"href": "https://<nordeasigninghost>?client_id=<signing-client-id>&code_challenge_method=S256&redirect_uri=https://<host>/v4/payments/sign/callback&response_type=code&code_challenge=<code-challenge>&scope=openid+ndf+agreement&state=<obi-generated-state>&signing_order_id=479aa71b-e7b7-44d1-97ae-898371d6d839&ui_locales=sv"
}
],
"response": {
"payments": [
{
"_id": "{crossborder-paymentId}",
"external_id": "d630b00a-227c-474e-8d20-1fc2b7141fdc",
"entry_date_time": "2025-05-12T12:32:49.2083006Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41351300039",
"_type": "BBAN_SE"
},
"message": "Debtor Msg"
},
"creditor": {
"account": {
"value": "HU42117730161111101800000000",
"_type": "IBAN"
},
"name": "Creditor Name",
"message": "Invoice 5071",
"bank": {
"bic": "CHASUS33",
"bank_code": "FW021000021",
"name": "JPMORGAN CHASE BANK, N.A.",
"address": {
"line1": "270 Park Avenue",
"line2": "Budapest, 1234",
"line3": "Hungary"
},
"country": "HU"
},
"creditorAddress": {
"line1": "Helgeshoj Alle 33",
"line2": "Taastrup 2630",
"line3": "Danmark"
},
"country": "DK"
},
"instructed_amount": {
"amount": "534.45",
"currency": "USD"
},
"payment_status": "PendingUserApproval",
"urgency": "standard",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"charge_bearer": "shar",
"central_bank_reporting_code": "101",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{crossborder-paymentId}"
}
]
},
{
"_id": "{domestic-paymentId}",
"external_id": "c869512e-6474-4383-bd9d-2e42b9bfe249",
"entry_date_time": "2025-05-12T09:32:52.676038Z",
"debtor": {
"account": {
"currency": "SEK",
"value": "41350000279",
"_type": "BBAN_SE"
},
"message": "gift to kid"
},
"creditor": {
"account": {
"currency": "SEK",
"value": "32141039525",
"_type": "BBAN_SE"
},
"name": "Beneficiary name",
"message": "creditor msg",
"bank": {}
},
"instructed_amount": {
"amount": "1.32",
"currency": "SEK"
},
"payment_status": "PendingUserApproval",
"requested_execution_date": "2025-05-12",
"planned_execution_date": "2025-05-12",
"tpp_messages": [],
"_links": [
{
"rel": "self",
"href": "/v5/payments/{domestic-paymentId}"
}
]
}
]
}
}
Delete list of payments
This example shows how to delete list of payments
Note: Not all payments are removable (see payment status table for further information).
This endpoint URL has the following form:
https://api.nordeaopenbanking.com/personal/v5/payments
This endpoint supports GET, POST and DELETE HTTP Methods. Here we use DELETE since we want to delete payments.
Here is an example request:
$ curl 'https://api.nordeaopenbanking.com/personal/v5/payments' -i -X DELETE \
-H 'X-Nordea-Originating-Host: <host>' \
-H 'X-Nordea-Originating-Date: <now>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <access_token>' \
-H 'digest: <generated_digest>' \
-H 'signature: keyId=\"<your_clientapp_keyid>\",algorithm=\"rsa-sha256\",headers=\"(request-target) x-nordea-originating-host x-nordea-originating-date\",signature="<generated_signature>"' \
-H 'X-IBM-Client-Id: <your_client_id>' \
-H 'X-IBM-Client-Secret: <your_client_secret>' \
-H 'X-Nordea-Originating-User-Ip: <psu-ip-address>' \
-H 'Content-Type: application/json; charset=UTF-8' \
-d '{
"payments":[
{
payment_id":"{crossborder-paymentId}"
},
{
payment_id":"{domestic-paymentId}"
}
]
}
And this is how the response looks like:
{
"group_header": {
"message_identification": "N61hix1wPXcfKufW",
"creation_date_time": "2025-05-12T12:35:35.9714928Z"
},
"response": [
"{crossborder-paymentId}",
"{domestic-paymentId}"
]
}
SE Decoupled flow using BankIdSe
This example shows how to use SE decoupled flow using bankid_se_authentication_id parameter for domestic payment in SE.
This endpoint URL has the following form:
https://api.nordeaopenbanking.com/personal/v5/payments/confirm/bankidse/{bankIdSeAuthenticationId}
This endpoint supports only the GET HTTP Method.
Here is an example request
$ curl 'https://api.nordeaopenbanking.com/personal/v5/payments/confirm/bankidse/{bankIdSeAuthenticationId}' -i -X GET \
-H 'X-Nordea-Originating-Host: <host>' \
-H 'X-Nordea-Originating-Date: <now>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <access_token>' \
-H 'signature: keyId=\"<your_clientapp_keyid>\",algorithm=\"rsa-sha256\",headers=\"(request-target) x-nordea-originating-host x-nordea-originating-date\",signature=\"<generated_signature>"' \
-H 'X-IBM-Client-Id: <your_client_id>' \
-H 'X-IBM-Client-Secret: <your_client_secret>' \
-H 'X-Nordea-Originating-User-Ip: <psu-ip-address>'
And here is how the response looks like:
{
"group_header":
{
"message_identification":"78b3dd50a65a767b",
"creation_date_time":"2025-06-17T13:51:27.538277465Z",
"http_code":200
},
"response":
{
"_id": "payment id",
"auto_start_token":"1ed1f937-71cf-4af8-aaf4-fdea57c7c393",
"qr_data":"bankid.3c36331a-0cc7-477f-982b-09ae4ab1abbd.0.91eebaffdd908ec8a0be944d2f10a3be52c15f8d14f04b48503544df059f593a",
"status": "WAITING_FOR_USER"
}
}