The re-authentication flow provides a simple path for end-users to follow and reconnect their account after the expiration of the first consent, providing a shorter user journey compared to setting up their account for the first time.
- The authentication URI is generated by an API call to the `/reauthuri` endpoint. More info here.
- The response from the `/reauthuri` endpoint will return a direct link to the bank. This means that even if you are using the TrueLayer consent page and the TrueLayer Bank Selection Auth Dialog screens, the user will skip those and will be taken directly to the bank page for authorisation.
- On the bank side, the user experience is identical to the first time the user authenticated.
- `redirect_uri` needs to be the same one used in the original authentication link (or direct bank link).
- The optional `state` parameter can also be passed in the request body and will then be returned as a parameter alongside the `redirect_uri` to help with user reconciliation.
- Once the user has authenticated, a `code` will be received that is to be exchanged for TrueLayer tokens, just like the first time the user went through the authentication. It's worth noting that:
  - The `credentials_id` returned will be consistent (i.e. identical, stable) with the current one, representing that it's the same user going through re-authentication.
  - The `refresh_token` returned will also be identical to the original one.
- `refresh_token` being passed in the
- `refresh_token`s can be utilised to renew the consent for a user whose existing consent period has not expired yet. In this scenario, the consent period is going to be renewed for another 90 days.
- It can also be used to renew the consent for a user whose existing consent period has expired. In this case, the user's consent can be renewed as long as it is within 90 days of their previous consent period expiring.

In other words, a `refresh_token` is valid for 90 days after being created and can still be used to renew the consent for another 90 days after consent has lapsed.
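The callback side of the flow described above, as an added example that is not TrueLayer's own code: it checks the returned `state` against the value stored when the re-auth link was generated, checks that the exchanged tokens still resolve to the same `credentials_id` and `refresh_token`, and models the 90-day consent plus 90-day renewal window. The token exchange is passed in as a callable (the stand-in `exchange_code` in the test is constructed) so the example runs offline; the callback URL and all values are constructed samples.

```python
# Added example (not TrueLayer's code). Handles the redirect back to
# redirect_uri after a /reauthuri journey and validates the result.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
import hmac

CONSENT_DAYS = 90        # consent period granted on (re)authentication
RENEWAL_GRACE_DAYS = 90  # period after lapse during which consent can still be renewed


def parse_redirect(redirect_url):
    """Extract `code` and `state` from the URL the bank redirects the user to."""
    params = parse_qs(urlsplit(redirect_url).query)
    return params.get("code", [None])[0], params.get("state", [None])[0]


def verify_reauth_callback(redirect_url, expected, exchange_code):
    """Exchange the code and return the tokens only if the callback matches
    the stored session. `expected` holds the state, credentials_id and
    refresh_token saved before the user was sent to the bank; `exchange_code`
    performs the code-for-tokens exchange (assumed interface: code -> dict)."""
    code, state = parse_redirect(redirect_url)
    if code is None or state is None:
        raise ValueError("missing code or state on callback")
    # state binds the callback to the session that created the re-auth link;
    # compare in constant time so a mismatch does not leak timing information.
    if not hmac.compare_digest(state, expected["state"]):
        raise ValueError("state mismatch")
    tokens = exchange_code(code)
    # Re-authentication must resolve to the same connection; a different
    # credentials_id or refresh_token indicates an account-linking problem.
    if tokens["credentials_id"] != expected["credentials_id"]:
        raise ValueError("credentials_id changed during re-authentication")
    if tokens["refresh_token"] != expected["refresh_token"]:
        raise ValueError("refresh_token changed during re-authentication")
    return tokens


def can_renew_consent(consent_granted_at, now):
    """Model of the rule on this page: the refresh_token covers the 90-day
    consent period and can renew consent for up to 90 days after it lapses."""
    cutoff = consent_granted_at + timedelta(days=CONSENT_DAYS + RENEWAL_GRACE_DAYS)
    return now <= cutoff


def consent_expiry(consent_granted_at):
    """When the current consent period lapses."""
    return consent_granted_at + timedelta(days=CONSENT_DAYS)
```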
Why is it still in beta? What is missing?
The `/reauthuri` endpoint is well tested and has been in use by customers for some time now. It can be considered reliable and stable.
It is still marked as Beta because it doesn't currently support European banks, for example Caisse d'Epargne (FR) or Sparkasse (DE), that require an additional auth inputs field in the request (see more information here).
Check out our comprehensive documentation on the