# Connect Flow
source: https://developer.mastercard.com/open-finance-europe/documentation/unlicensed/aiia-data/tutorials/connect-flow-tutorial/index.md

This guide details how to give consent and connect their banks.

#### Prerequisites: {#prerequisites}

* You must have created an App. Make sure you have recorded the `CLIENT_ID` and `CLIENT_SECRET`.
* Your `REDIRECT_URL` must be whitelisted for your project.
* This tutorial uses `curl` in order to send requests and receive responses.

### Step 1 - Client Starts Connect Flow {#step-1---client-starts-connect-flow}

To start the Connect Flow, call the endpoint by doing the following:

API Reference: `GET /v1/oauth/connect`

#### Request {#request}

* Specify a `REDIRECT_URL` where the user will be redirected after finishing the supervised login flow.

```shell
curl -G \
  https://api-sandbox.aiia.eu/v1/oauth/connect \
  -d client_id=<CLIENT_ID> \
  -d redirect_uri=<REDIRECT_URL> \
  -d scope="accounts" \
  -d response_type=code
```

​

#### Response {#response}

If the request is successful, a 302 response will be returned and the location header will include the url to redirect the user to.

```shell
Location=https://api.aiia.eu/v1/oauth/connect?client_id=%3Cstring%3E&redirect_uri=%3Cstring%3E&response_type=%3Cstring%3E`
```

### Step 2 - User Connect Account​ {#step-2---user-connect-account}

The user onboards Account through the UI and authorized to access the beneficiary account, navigates to URL and completes:

* Signing up
* Accept Consent if presented
* Choose Bank
* Log Into Bank
* Choose Account
* Accept consent to pass data to Client's app
* Due Diligence

![](https://static.developer.mastercard.com/content/open-finance-europe/uploads/UserOnboardsaccount.PNG)

### Step 3 - User redirected and code received {#step-3---user-redirected-and-code-received}

Once end users have completed the connection flow, they will be redirected back to your specified `redirect_uri`. This redirect will have a query parameter called `code` sent with it, which you need to gain an access token.

User is redirected back to provided `redirect_uri` With a `code` and a `ConsentID`

Along with the `code`, you get a `consentId`. This id is your representation of a user and is valid as long the user has given his or her consent for you to fetch data. A good idea is to store this id along with your tokens. We use this id when we send you webhooks.
Note: `code` is not URL safe, meaning that it will be URL encoded. code will need to be URL decoded before the next step. Some web frameworks may do this automatically.

### Step 4 - Client Exchanges code for tokens {#step-4---client-exchanges-code-for-tokens}

The `code` retrieved from the previous step will be exchanged for an `accessToken` for use to retrieve accounts and transactions.

API Reference: `POST /v1/oauth/token`

#### Request {#request-1}

* Use the `CODE` retrieved from the previous step to get the access token.

```shell
curl -X POST \
  https://api-sandbox.aiia.eu/v1/oauth/token \
  -u <CLIENT_ID>:<CLIENT_SECRET>
  -H 'Content-Type: application/json' \
  -d '{
        "grant_type" : "authorization_code",
        "code": "<CODE>",
        "redirect_uri" : "<REDIRECT_URL>"
      }'
```

Note: The `code` can only be used once and expires after one minute.

#### Response {#response-1}

If the request is successful, the response will look like:

```json
{
  "access_token": "eyJhbGciOiJIUzI1Ni978juanR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJmYTE4OTI3MS1mOTY1LTRmNWMtOTlmOS1lNDViNzNiYzI4MzkiLCJjbGllbnRJZCI6InZpaWEtZnBwIiwicm9sZSI6IkNsaWVudFVzZXIiLCJzZ67623aW9uSWQiOiJlZmE1NWU0ZS0xZTUxLTQ1YWMtYWEyYy01OThhNjFjMTZlOTYiLCJuYmYiOjE1Njc0MTQxNzMsImV4cCI6MTU2NzQxNzc3MywiaWF0IjoxNTY3NDE0MTczfQ.7QD6zGcdonYy79384buXOqsykWrbWa3L6LW4d9uzb-zA",
  "expires_in": 3600,
  "redirect_uri": "https://httpbin.org/anything",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI687234pXVCJ9.eyJ1c2VySWQiOiJmYTE4OTI3MS1mOTY1LTRmNWMtOTlmOS1lNDViNzNiYzI4MzkiLCJjbGllbnRJZCI6InZpaWEtZnBwIiwiY29uc2VudElkIjoiYTYyODExYWYtNzUxMS00ZWQ0LoyiauasiYTEtMjAwNzc2NGQ1MTIwIiwic2Vzc2lvbklkIjoiZWZhNTVlNGUtMWU1MS00NWFjLWFhMmMtNTk4YTYxYzE2ZTk2Iiwicm9sZSI6IlJlZnJlc2hUb2tlbiIsIm5iZiI6MTU2NzQxNDE3MywiZXhwIjoxNTY4NjIzNzczLCJpYXQiOjE1Njc0MTQxNzN9.5-x0NNg5lMxPnZRYtu983764q0sbPcSb7U9b23e3Zwx0Ss9I",
  "token_type": "bearer"
}
```

* Record the `access_token` for next tutorials.
* You can use the `refresh_token` for token refreshing.
