Enable open banking for your customers' accounts
Open banking is available for all Griffin payment accounts, including accounts held by your customers.
This guide explains how to integrate with open banking so your customers can share their account data or approve payments with third-party providers (TPPs). A TPP is a regulated fintech that accesses bank accounts via open banking on behalf of customers, such as accounting software, payment initiators, and financial data aggregators.
For information about access to your own bank accounts via open banking, see Integrate with open banking.
Open banking is only available for accounts in live mode.
Under the Payment Services Regulations (PSRs), you are required to support open banking access for any payment accounts you offer to your customers. A payment account is any account used to execute payment transactions and offer general-purpose payment services — this includes embedded accounts and operational accounts. You must have this integration in place before going live with any accounts that we have agreed are payment accounts.
Scope
This guide covers inbound open banking — allowing regulated TPPs to access accounts held at Griffin on behalf of your customers. This includes both account information (AISP) and payment initiation (PISP). The same integration covers both use cases.
Griffin is not an AISP or PISP. We do not provide access to accounts held at other banks. If you need to access your customers' accounts at other institutions — for example, to initiate inbound payments or read external transaction data — you would need to integrate with a TPP directly.
How it works
We've partnered with tell.money to provide open banking APIs that follow the UK Open Banking standard. Tell Money handles the TPP-facing APIs and the developer portal. Griffin handles all resource requests — when a TPP asks for account data or initiates a payment, the request comes to Griffin and we respond with data or execute the payment.
What you need to handle is authentication, consent, and registration:
- A TPP requests access to your customer's account via Tell Money.
- Tell Money redirects the customer to your app with a ConsentId and CallbackURL.
- Your app authenticates the customer using your own login and SCA.
- Your app retrieves the consent details from Tell Money and shows the customer what the TPP is requesting.
- If the customer approves, your backend grants the consent via Tell Money's API.
- Your backend registers the consent with Griffin so Griffin can validate subsequent resource requests.
- Your backend redirects the customer back to Tell Money's callback URL.
- The TPP can now access the account data. Resource requests flow from Tell Money to Griffin — you don't need to handle these.
Once consent is granted and registered, all resource traffic goes directly between Tell Money and Griffin. You don't need to build any APIs for TPPs to call, and you don't need to respond to data requests. A "data request" here can mean an AISP reading account information or a PISP initiating a payment — the same flow handles both.
What your customers see
From your customer's perspective, the experience looks like this:
- They connect to a TPP (for example, an accounting app or a merchant checkout) and select their account provider — this can be branded with your logo, not Griffin's.
- They're redirected to your app and asked to authenticate.
- Once authenticated, they see what the TPP is requesting and approve or decline.
- They're redirected back to the TPP, which can now access their account data or initiate a payment.
- Later, they can view and revoke consents from your app.
Your customer doesn't interact with Griffin or Tell Money directly at any point. The whole experience happens within your app, under your brand.
Prerequisites
You'll need to complete a few things before you can start building.
1. SCA verification
Your authentication method must meet the Strong Customer Authentication requirements set out in the SCA-RTS. We'll verify this before you go live. If you already have an SCA-compliant authentication flow (for example, because you're a regulated payment service provider), you can use it here. If you're not sure whether your setup meets the standard, get in touch and we'll help you work through it.
To start the process, contact your customer success manager or email support@griffin.com. We'll send you an SCA questionnaire covering the details of your authentication setup. Our payments operations and engineering teams will review it, and we'll work with you to resolve any questions.
2. Gateway setup
We'll set up a dedicated Tell Money gateway for your organisation. Each gateway is branded under your name — when your customers select a bank in a TPP's interface, they'll see your brand, not Griffin's. TPPs integrate with your specific gateway, not a shared Griffin integration.
The gateway configuration includes your Authorisation URL (where Tell Money redirects your customers) and your API functionality (which open banking operations you support). We handle the setup — you just need to provide your Authorisation URL.
3. Tell Money credentials
Once your gateway is set up, we'll share your Tell Money API credentials. You'll need these to call Tell Money's consent API during the authorisation flow and to build your consent dashboard. Different credentials are used per environment (integration and production).
4. Griffin API key
You'll need a Griffin API key with the Team admin role to register and manage consents. This is separate from your Tell Money credentials.
The authorisation flow
The authorisation flow involves calls to both the Tell Money API and the Griffin API. For the Tell Money side (retrieving consent details and granting consents), see Tell Money's authorisation docs. This guide covers the full end-to-end flow, including the Griffin-specific steps.
When a TPP requests access to one of your customer's accounts, Tell Money redirects the customer to your Authorisation URL with two querystring parameters:
https://your-app.example.com/open-banking/consent?ConsentId={ConsentId}&CallbackURL={CallbackURL}
Your app needs to handle this redirect and walk the customer through the consent process.
Step 1: Authenticate the customer
Authenticate the customer using your existing login flow. Your authentication must be SCA-compliant (see the SCA requirements above).
Step 2: Retrieve consent details
Call Tell Money's API to get the details of what the TPP is requesting:
curl "https://aspsp.tell.systems/api/consent/{ConsentId}" \
  -H "Authorization: Basic $TELL_CREDENTIALS"
The response includes the TPP's name, the permissions they've requested, and the scope of the consent (account information or payment initiation).
Step 3: Show the consent screen
To display the consent screen, you'll need to show the customer which accounts the TPP is requesting access to. Use the list bank accounts API to retrieve the customer's accounts. The account-url field in each account response is what you'll use later when registering the consent with Griffin.
Display a consent page to your customer showing:
- The name of the TPP requesting access.
- What they'll be able to do (based on the scope and permissions).
- Which account(s) will be shared — let the customer choose if they have multiple.
- A clear approve and decline action.
Step 4: Grant or reject the consent
If the customer approves, call Tell Money's Post Outcome endpoint:
curl "https://aspsp.tell.systems/api/consent/{ConsentId}" \
  -X 'POST' \
  -H "Authorization: Basic $TELL_CREDENTIALS"
In the request body, include:
- UserId — your identifier for the customer who authenticated and approved the consent. This will be included in all future resource requests from Tell Money, so use a stable identifier.
- AccountIds — the list of accounts the customer has authorised. For payment initiation consents, this must be a single account. Use the Griffin bank account ID (e.g. ba.ICAgICAgIC) — this is the last segment of the account-url returned by the list bank accounts API. When you register the consent with Griffin in the next step, you'll send the full URL (e.g. /v0/bank/accounts/ba.ICAgICAgIC) instead.
- Status — whether the customer approved or rejected the consent.
Step 5: Register the consent with Griffin
After granting the consent with Tell Money, register it with Griffin so that Griffin can validate the TPP's subsequent resource requests:
curl "https://api.griffin.com/v0/organizations/{organization-id}/open-banking/tell-consents" \
  -X 'POST' \
  -H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tell-consent-id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "tell-gateway-id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "tell-consent-scope": "accounts",
    "tell-consent-permissions": [
      "ReadAccountsDetail",
      "ReadBalances",
      "ReadTransactionsDetail"
    ],
    "bank-account-urls": [
      "/v0/bank/accounts/ba.ICAgICAgIC"
    ],
    "tell-consent-expiry": "2026-07-01T00:00:00Z"
  }'
| Field | Required | Description |
|---|---|---|
| tell-consent-id | Yes | The consent ID from Tell Money (UUID). |
| tell-gateway-id | Yes | Your Tell Money gateway ID (UUID). |
| tell-consent-scope | Yes | accounts or payments. |
| tell-consent-permissions | Yes | The permissions granted — must match what was agreed during the consent flow. These are UK Open Banking permissions (e.g. ReadAccountsDetail, ReadBalances). |
| bank-account-urls | Yes | The bank account URLs the customer authorised access to. Must contain at least one account. These are the full URLs for the same account IDs you sent to Tell Money as AccountIds — e.g. ba.ICAgICAgIC becomes /v0/bank/accounts/ba.ICAgICAgIC. |
| tell-consent-expiry | No | When the consent expires. If omitted, the consent does not expire automatically. |
A successful response returns the registered consent:
{
  "tell-consent-url": "/v0/open-banking/tell-consents/3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "tell-consent-id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "tell-consent-scope": "accounts",
  "tell-consent-permissions": [
    "ReadAccountsDetail",
    "ReadBalances",
    "ReadTransactionsDetail"
  ],
  "tell-consent-status": "authorised",
  "bank-account-urls": [
    "/v0/bank/accounts/ba.ICAgICAgIC"
  ],
  "created-at": "2026-04-01T12:00:00Z",
  "tell-consent-expiry": "2026-07-01T00:00:00Z"
}
Payments consents
For payment initiation (PISP), register the consent with "tell-consent-scope": "payments". Per Tell Money's requirements, payments consents should reference a single bank account — the account the payment will be debited from. Payments consents are single-use: after the payment is executed, Griffin marks the consent as consumed and rejects any further requests against it.
curl "https://api.griffin.com/v0/organizations/{organization-id}/open-banking/tell-consents" \
  -X 'POST' \
  -H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tell-consent-id": "9a2b4c6d-8e0f-1a2b-3c4d-5e6f7a8b9c0d",
    "tell-gateway-id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "tell-consent-scope": "payments",
    "tell-consent-permissions": [
      "ReadAccountsDetail",
      "ReadBalances"
    ],
    "bank-account-urls": [
      "/v0/bank/accounts/ba.ICAgICAgIC"
    ]
  }'
You must register the consent with Griffin before redirecting the customer back to Tell Money. If you don't, Griffin will reject resource requests from Tell Money for this consent.
If the Griffin registration fails after you've already granted the consent with Tell Money, redirect the customer to the CallbackURL without completing the flow — Tell Money will treat this as a declined consent request.
Step 6: Redirect back to Tell Money
After registering the consent, redirect the customer to the CallbackURL that was provided in the original querystring. This takes the customer back to the TPP to complete their journey.
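The checks a backend might apply across steps 1 to 6, as an added example rather than Griffin's or Tell Money's code: it validates the redirect parameters, confirms the selected accounts belong to the authenticated customer, and derives both the AccountIds for Tell Money and the registration body for Griffin. The function names and the callback-host allowlist are assumptions for illustration; the permissions passed in are the ones returned by Tell Money's consent details call.

```python
import re
import uuid
from urllib.parse import parse_qs, urlsplit

ACCOUNT_URL = re.compile(r"^/v0/bank/accounts/([^/?#]+)$")

class ConsentError(ValueError):
    """Raised when the redirect or the customer's selection fails a check."""

def parse_redirect(query, allowed_callback_hosts):
    """Return (ConsentId, CallbackURL) from the redirect querystring."""
    params = parse_qs(query)
    if any(len(params.get(k, [])) != 1 for k in ("ConsentId", "CallbackURL")):
        raise ConsentError("expected exactly one ConsentId and one CallbackURL")
    callback = params["CallbackURL"][0]
    try:
        consent_id = str(uuid.UUID(params["ConsentId"][0]))
        parts = urlsplit(callback)
    except ValueError as exc:
        raise ConsentError("malformed ConsentId or CallbackURL") from exc
    # Assumption: the caller knows which host(s) its gateway calls back to.
    if parts.scheme != "https" or parts.hostname not in allowed_callback_hosts:
        raise ConsentError("CallbackURL is not on an expected https host")
    return consent_id, callback

def build_consent(consent_id, gateway_id, scope, permissions,
                  selected_urls, owned_urls, expiry=None):
    """Return (AccountIds for Tell Money, JSON body for Griffin registration)."""
    if scope not in ("accounts", "payments"):
        raise ConsentError("scope must be accounts or payments")
    # Never trust account URLs from the form: they must be ones the list bank
    # accounts API returned for the authenticated customer.
    if not selected_urls or not set(selected_urls) <= set(owned_urls):
        raise ConsentError("selection must be a non-empty subset of owned accounts")
    if scope == "payments" and len(selected_urls) != 1:
        raise ConsentError("payments consents reference a single account")
    matches = [ACCOUNT_URL.match(url) for url in selected_urls]
    if not all(matches):
        raise ConsentError("unexpected account-url shape")
    body = {
        "tell-consent-id": consent_id,
        "tell-gateway-id": gateway_id,
        "tell-consent-scope": scope,
        "tell-consent-permissions": list(permissions),
        "bank-account-urls": list(selected_urls),
    }
    if expiry is not None:
        body["tell-consent-expiry"] = expiry
    return [m.group(1) for m in matches], body
```

Keep the validated CallbackURL in the customer's server-side session and redirect to that stored value in step 6, rather than re-reading it from a later request.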
The resource flow
Once consent is granted and registered, TPPs can access account data or initiate a payment. These resource requests are handled entirely by Tell Money and Griffin — your backend is not involved.
- The TPP sends a resource request to Tell Money.
- Tell Money forwards it to Griffin with the consent ID and account details.
- Griffin validates the consent (checking it's registered, not revoked, not expired, and that the requested account is covered).
- If valid, Griffin returns the requested data or executes the payment.
- Tell Money returns the response to the TPP.
If the consent has been revoked or has expired, Griffin rejects the request and the TPP receives an error.
Managing consents
Your customers have the right to review and revoke their open banking consents at any time. You must provide a consent management interface in your app where customers can see all active consents and revoke any they no longer want.
Tell Money provides an API for listing all consents for a customer:
curl "https://aspsp.tell.systems/api/users/{UserId}/consents" \
  -H "Authorization: Basic $TELL_CREDENTIALS"
This returns an array of consents with the TPP name, permissions, and status. Display them in whatever way fits your app's design, and provide a revoke action for each active consent.
Revoke a consent
When a customer wants to revoke a TPP's access, you need to revoke the consent in both Tell Money and Griffin.
1. Revoke with Tell Money:
curl "https://aspsp.tell.systems/api/consent/{ConsentId}" \
  -X 'DELETE' \
  -H "Authorization: Basic $TELL_CREDENTIALS"
This stops Tell Money from forwarding any further resource requests for this consent.
2. Revoke with Griffin:
curl "https://api.griffin.com/v0/open-banking/tell-consents/{consent-id}/actions/revoke" \
  -X 'POST' \
  -H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY"
This ensures Griffin rejects any resource requests that may still be in flight. The response includes the updated consent with tell-consent-status set to revoked:
{
  "tell-consent-url": "/v0/open-banking/tell-consents/3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "tell-consent-id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "tell-consent-scope": "accounts",
  "tell-consent-permissions": [
    "ReadAccountsDetail",
    "ReadBalances",
    "ReadTransactionsDetail"
  ],
  "tell-consent-status": "revoked",
  "bank-account-urls": [
    "/v0/bank/accounts/ba.ICAgICAgIC"
  ],
  "created-at": "2026-04-01T12:00:00Z",
  "tell-consent-expiry": "2026-07-01T00:00:00Z",
  "tell-consent-revoked-at": "2026-04-15T09:30:00Z"
}
Always revoke with both Tell Money and Griffin. If either revocation fails, retry it.
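One way to keep the two revocations from drifting apart, as an added example that is not Griffin's or Tell Money's code: each system is attempted independently, so a failure at Tell Money never prevents the Griffin revocation, and only the side that failed is retried. The function name, the retry count and the backoff are assumptions; the callables are hypothetical wrappers around the two requests shown above.

```python
import time

def revoke_everywhere(revokers, attempts=3, base_delay=0.5, sleep=time.sleep):
    """Revoke on every system; return the labels that still failed.

    revokers: dict of label -> zero-argument callable that performs one
    revocation request and raises on a failed or non-success response
    (hypothetical wrappers around the two curl calls above).
    """
    pending = dict(revokers)
    for attempt in range(attempts):
        for label, call in list(pending.items()):
            try:
                call()
            except Exception:
                continue  # stays pending; the other system is still attempted
            del pending[label]
        if not pending:
            break
        if attempt < attempts - 1:
            sleep(base_delay * 2 ** attempt)  # back off before the next round
    return sorted(pending)
```

A non-empty result names the systems where the consent is still live; hand those to a persistent retry job and only show the consent as revoked in your dashboard once the list is empty.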