Consent & Open Banking
OAuth 2.0 flows, SCA, and SAMA Open Banking compliance.
Open Banking requires explicit user consent before accessing financial data. Hyperscale implements OAuth 2.0 with PKCE (Proof Key for Code Exchange) following RFC 7636, with Strong Customer Authentication (SCA) as required by SAMA.
Authorization Flow
Step through the complete consent journey from authorization request to token exchange.
Available OAuth Scopes
| Scope | Description |
|---|---|
| accounts:read | View account balances and details |
| accounts:write | Open and manage accounts |
| transactions:read | View transaction history |
| payments:write | Initiate payments and transfers |
| cards:read | View card details and limits |
| cards:write | Issue and manage cards |
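As an added illustration of the PKCE flow described above (example code written for this page, not Hyperscale's own SDK or endpoints; the authorization URL and client identifiers are placeholders), the client derives an S256 code_challenge from a random code_verifier, requests only the scopes it needs from the list above, and the authorization server later checks the presented verifier against the stored challenge at token exchange:

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder endpoint; assumed for the example, not a real Hyperscale URL.
AUTHORIZE_URL = "https://auth.example.test/oauth2/authorize"

# Scopes listed on this page; anything else is rejected before the redirect.
KNOWN_SCOPES = {"accounts:read", "accounts:write", "transactions:read",
                "payments:write", "cards:read", "cards:write"}


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier (32 random bytes -> 43 chars, RFC 7636 4.1)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        state: str, challenge: str) -> str:
    """Client side: least-privilege scope set plus PKCE parameters."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side at token exchange (RFC 7636 4.6)."""
    if not 43 <= len(presented_verifier) <= 128:   # length rule from 4.1
        return False
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)
```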
SCA Exemptions
Strong Customer Authentication may be exempted for low-value transactions (<SAR 200), recurring payments with fixed amounts, trusted beneficiaries, and low-risk transactions based on fraud analysis. Exemptions are evaluated in real-time by the issuing bank.
OAuth Scopes
Request only the scopes your application needs. Each scope requires explicit user consent.
| Scope | Risk | Description |
|---|---|---|
| accounts:read | low | View account balances, details, and statements |
| accounts:write | high | Open new accounts, modify account settings |
| transactions:read | medium | View transaction history and details |
| payments:write | high | Initiate payments and transfers |
| cards:read | medium | View card details, limits, and transactions |
| cards:write | high | Issue cards, set limits, freeze/unfreeze |
Strong Customer Authentication
SCA requires two of three factors: knowledge (PIN), possession (device), inherence (biometric).
- Biometric: Fingerprint or Face ID verification
- OTP: One-time password via SMS or authenticator
- Hardware Key: FIDO2/WebAuthn security keys
- PIN + Device: PIN combined with registered device
When SCA May Be Skipped
Certain transactions may qualify for SCA exemption. Exemptions are evaluated by the issuing bank in real-time.
- Low Value: Transactions below threshold may skip SCA
- Trusted Beneficiary: Recurring transfers to saved recipients
- Low Risk TRA: Transaction Risk Analysis flags low fraud risk
- Recurring Fixed: Subscription payments with fixed amount
Exemption Liability: When an exemption is applied and fraud occurs, liability shifts to the party that applied the exemption. Choose exemptions carefully based on your risk appetite.
Consent Validity
Different consent types have different validity periods. Users can revoke consent at any time.
| Consent Type | Validity | Renewable |
|---|---|---|
| Account Access | 90 days | |
| Payment Initiation | One-time | |
| Recurring Payment | Until cancelled | |
| Standing Order | Per order terms | |
SAMA Open Banking Framework
Saudi Arabia's Open Banking framework mandates specific requirements for Third Party Providers.
TPP Registration
- Registration with SAMA as Third Party Provider
- Fintech license or regulatory sandbox participation
- Technical capability assessment
- Professional indemnity insurance
Consumer Protection
- Clear consent language in Arabic and English
- Explicit scope description before consent
- 90-day maximum access validity
- One-click consent revocation
Data Standards
- SAMA-defined API specifications
- Standard data formats for accounts and transactions
- Mandatory response fields and structures
- Error code standardization
Security
- TLS 1.2 minimum for all communications
- OAuth 2.0 with PKCE mandatory
- Certificate-based client authentication
- Request signing with JWS
Reference: SAMA Open Banking Policy and API Specifications are available at sama.gov.sa. Hyperscale maintains compliance with the latest published specifications.
Consent-first by design
Every data access requires explicit user consent. Every consent is auditable. Every user can revoke at any time.