# One Time Flow
source: https://developer.mastercard.com/open-finance-europe/documentation/unlicensed/aiia-data/connect/one-time-flow/index.md

Note: This is a preview feature. This feature may undergo some slight changes until it is out of preview.

When end users sign up and connect to your service, they first need to give consent and connect their banks. With the one-time flow, end users now have the option of performing a one-time connect and share flow, which will then delete all their data within a 24-hour period. This is useful if you only need to receive data from the user once, and you want to avoid the Hub account creation steps from the onboarding flow. However, if you need continued access to end-user data, we recommend you use our regular flow.

To start the one-time flow, call the endpoint by doing the following:

```shell
curl -G \
  https://api-sandbox.aiia.eu/v1/oauth/connect \
  -d client_id=<CLIENT_ID> \
  -d redirect_uri=<REDIRECT_URL> \
  -d scope="accounts" \
  -d response_type=code
```

The `redirect_uri` is where you will be sent to after finishing the log-in flow. This needs to match one of the redirects you specified when you created your application in the [Developer Portal](https://devportal.openbanking.mastercard.com/).
Note: The `flow` parameter, which was previously used for controlling the flow, is deprecated in favour of the `scope` parameter. Instead of `flow=OneTimeUser`, use `scope=accounts`.

The response will be a `301 Moved Permanently` that you need to follow. Look in the location header to figure out where you should redirect to.

```HTTP
Location=https://api.aiia.eu/v1/oauth/connect?client_id=%3Cstring%3E&redirect_uri=%3Cstring%3E&response_type=%3Cstring%3E
```

After you have redirected the end users to the URL, they will go through the following steps:

#### Step 1 {#step-1}

In the first step, the end user is notified that your service uses our service. Here, the end user gives us consent to retrieve and share bank data with your service, and that the bank data will be deleted within 24 hours. This is also where the end user accepts our terms of use and privacy policy.

![Step 1](https://static.developer.mastercard.com/content/open-finance-europe/uploads/flow-step-1ia.png)

#### Step 2 {#step-2}

In the next step, the end user has progressed to our connection flow.
Here, the end user will choose the bank provider they want to use.

![Step 2](https://static.developer.mastercard.com/content/open-finance-europe/uploads/flow-step-2ia.png)

#### Step 3 {#step-3}

Now the end user needs to log in to their bank account using one of the available log-in methods.

![Step 3](https://static.developer.mastercard.com/content/open-finance-europe/uploads/flow-step-3i.png)

#### Step 4 {#step-4}

The end user will be presented with a list of possible bank accounts that will be shared with your service through our APIs.

![Step 4](https://static.developer.mastercard.com/content/open-finance-europe/uploads/flow-step-4i.png)

#### Step 5 {#step-5}

In the last step, a success screen is displayed to the end user. When the end user clicks on the **Accept** button, they are sent back to your service using the redirectURL you have provided. This is also where end users can claim their account if they want to.

![Step 5](https://static.developer.mastercard.com/content/open-finance-europe/uploads/flow-step-5i.png)

#### Access token retrieval {#access-token-retrieval}

Once end users have completed the connection flow, they are redirected back to your specified `redirect_uri`. This redirect will have a query parameter called `code` that demands an access token.
Note: `code` is not URL safe, meaning that it will be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/percent-encoding). `code` will need to be URL decoded before the next step. Some web frameworks may do this automatically.

With that code, you can call the endpoint like this:

```shell
curl -X POST \
  https://api-sandbox.aiia.eu/v1/oauth/token \
  -u <CLIENT_ID>:<CLIENT_SECRET>
  -H 'Content-Type: application/json' \
  -d '{
        "grant_type" : "authorization_code"
        "code": "<CODE>"
        "redirect_uri" : "<REDIRECT_URL>"
      }'
```

Along with the `code`, you get a `consentId`. This ID is your representation of a user and is valid as long the user has given you consent. it is recommended that you store this ID along with your tokens. We use this ID when we send you webhooks.

##### Authorization header in `/oauth/token` {#authorization-header-in-oauthtoken}

The `Authorization` header in `/oauth/token` endpoints uses `Basic` HTTP Authentication scheme (which is defined in [rfc7617](https://tools.ietf.org/html/rfc7617)).
In other words, the value of the header is `Basic {"<CLIENT_ID>:<CLIENT_SECRET>" string encoded as base64}`.

Here are code examples of how to do in C#, Java, JavaScript and Python:
* Csharp

```csharp
string GenerateBasicAuthorizationHeaderValue(string clientId, string clientSecret)
{
  var credentials = $"{clientId}:{clientSecret}";
  var credentialsByteData = Encoding.GetEncoding("iso-8859-1").GetBytes(credentials);
  var base64Credentials = Convert.ToBase64String(credentialsByteData);
  return $"Basic {base64Credentials}";
}

```

The response contains two tokens, `access_token` and `refresh_token`. An example of a successful response:

```json
{
  "access_token": "eyJhbGciOiJIUzI1Ni978juanR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJmYTE4OTI3MS1mOTY1LTRmNWMtOTlmOS1lNDViNzNiYzI4MzkiLCJjbGllbnRJZCI6InZpaWEtZnBwIiwicm9sZSI6IkNsaWVudFVzZXIiLCJzZ67623aW9uSWQiOiJlZmE1NWU0ZS0xZTUxLTQ1YWMtYWEyYy01OThhNjFjMTZlOTYiLCJuYmYiOjE1Njc0MTQxNzMsImV4cCI6MTU2NzQxNzc3MywiaWF0IjoxNTY3NDE0MTczfQ.7QD6zGcdonYy79384buXOqsykWrbWa3L6LW4d9uzb-zA",
  "expires_in": 3600,
  "redirect_uri": "https://httpbin.org/anything",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI687234pXVCJ9.eyJ1c2VySWQiOiJmYTE4OTI3MS1mOTY1LTRmNWMtOTlmOS1lNDViNzNiYzI4MzkiLCJjbGllbnRJZCI6InZpaWEtZnBwIiwiY29uc2VudElkIjoiYTYyODExYWYtNzUxMS00ZWQ0LoyiauasiYTEtMjAwNzc2NGQ1MTIwIiwic2Vzc2lvbklkIjoiZWZhNTVlNGUtMWU1MS00NWFjLWFhMmMtNTk4YTYxYzE2ZTk2Iiwicm9sZSI6IlJlZnJlc2hUb2tlbiIsIm5iZiI6MTU2NzQxNDE3MywiZXhwIjoxNTY4NjIzNzczLCJpYXQiOjE1Njc0MTQxNzN9.5-x0NNg5lMxPnZRYtu983764q0sbPcSb7U9b23e3Zwx0Ss9I",
  "token_type": "bearer"
}
```

You now have an access token to the end user.

## Keeping state {#keeping-state}

Keeping state in a multi-tenant application is essential and can be done with Connect Flow, as we allow you to choose how you want to do it.

#### Wildcard {#wildcard}

We support wildcards in all your redirect URLs, but what is a wildcard exactly and how do I use it?

A wildcard is a catch-all functionality, where you place a `*` in your registered redirect URL (e.g. `https://mydomain.com/aiia-callback/*`)
Note: We do not support wildcard in domain and subdomain.

#### OAuth State {#oauth-state}

The primary reason for using the state parameter is to mitigate CSRF attacks. You can also use the state parameter to encode an application state that will round-trip to the client application after the Connect Flow is complete. In this way, the application can redirect the user to where they were before the authentication process happened.

```shell
curl -G \
  https://api-sandbox.aiia.eu/v1/oauth/connect \
  -d client_id=<CLIENT_ID> \
  -d redirect_uri=<REDIRECT_URL> \
  -d response_type=code  \
  -d state={your_state}
```