# Connect Destination Account
source: https://developer.mastercard.com/open-finance-europe/documentation/unlicensed/aiia-pay/tutorials/connect-destination-account-tutorial/index.md

This guide details how to give consent and connect a bank account to send and receive payments.

#### Prerequisites: {#prerequisites}

* You must have created an App. Make sure you have recorded the `CLIENT_ID` and `CLIENT_SECRET`.
* Your `REDIRECT_URL` must be whitelisted for your project.
* This tutorial uses `curl` in order to send requests and receive responses.

### Step 1 - Client Starts Connect Flow {#step-1---client-starts-connect-flow}

To start the Connect Flow, call the endpoint by doing the following:

API Reference: `GET /v1/oauth/connect`

#### Request {#request}

* Specify a `REDIRECT_URL` where the user will be redirected after finishing the supervised login flow.

```shell
curl -G \
  https://api-sandbox.aiia.eu/v1/oauth/connect \
  -d client_id=<CLIENT_ID> \
  -d redirect_uri=<REDIRECT_URL> \
  -d scope="payments:inbound payments:outbound" \
  -d response_type=code
```

​

#### Response {#response}

If the request is successful, a 302 response will be returned and the location header will include the url to redirect the user to.

```shell
Location=https://api.aiia.eu/v1/oauth/connect?client_id=%3Cstring%3E&redirect_uri=%3Cstring%3E&response_type=%3Cstring%3E`
```

### Step 2 - User Chooses Account​ {#step-2---user-chooses-account}

The user onboards Account through the UI and authorized to access the beneficiary account, navigates to URL and completes:

* Signing up
* Accept Consent if presented
* Choose Bank
* Log Into Bank
* Choose Account
* Accept consent to pass data to Client's app
* Due Diligence

![](https://static.developer.mastercard.com/content/open-finance-europe/uploads/UserOnboardsaccount.PNG)

### Step 3 - User redirected and code received {#step-3---user-redirected-and-code-received}

Once end users have completed the connection flow, they will be redirected back to your specified redirect_uri. This redirect will have a query parameter called code sent with it, which you need to gain an access token.

User is redirected back to provided `REDIRECT_URL` With a `code` and a `ConsentID`

Along with the `code`, you get a `consentId`. This id is your representation of a user and is valid as long the user has given his or her consent for you to fetch data. A good idea is to store this id along with your tokens. We use this id when we send you webhooks.
Note: `code` is not URL safe, meaning that it will be URL encoded. code will need to be URL decoded before the next step. Some web frameworks may do this automatically.

### Step 4 - Client Exchanges code for tokens {#step-4---client-exchanges-code-for-tokens}

The `code` retrieved from the previous step will be exchanged for an `accessToken` for use to retrieve accounts and transactions.

API Reference: `POST /v1/oauth/token`

#### Request {#request-1}

* Use the `CODE` retrieved from the previous step to get the access token.

```shell
curl -X POST \
  https://api-sandbox.aiia.eu/v1/oauth/token \
  -u <CLIENT_ID>:<CLIENT_SECRET>
  -H 'Content-Type: application/json' \
  -d '{
        "grant_type" : "authorization_code"
        "code": "<CODE>"
        "redirect_uri" : "<REDIRECT_URL>"
      }'
```

Note: The `code` can only be used once and expires after one minute.

#### Response {#response-1}

If the request is successful, the response will look like:

```json
{
  "access_token": "eyJhbGciOiJIUzI1Ni978juanR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJmYTE4OTI3MS1mOTY1LTRmNWMtOTlmOS1lNDViNzNiYzI4MzkiLCJjbGllbnRJZCI6InZpaWEtZnBwIiwicm9sZSI6IkNsaWVudFVzZXIiLCJzZ67623aW9uSWQiOiJlZmE1NWU0ZS0xZTUxLTQ1YWMtYWEyYy01OThhNjFjMTZlOTYiLCJuYmYiOjE1Njc0MTQxNzMsImV4cCI6MTU2NzQxNzc3MywiaWF0IjoxNTY3NDE0MTczfQ.7QD6zGcdonYy79384buXOqsykWrbWa3L6LW4d9uzb-zA",
  "expires_in": 3600,
  "redirect_uri": "https://httpbin.org/anything",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI687234pXVCJ9.eyJ1c2VySWQiOiJmYTE4OTI3MS1mOTY1LTRmNWMtOTlmOS1lNDViNzNiYzI4MzkiLCJjbGllbnRJZCI6InZpaWEtZnBwIiwiY29uc2VudElkIjoiYTYyODExYWYtNzUxMS00ZWQ0LoyiauasiYTEtMjAwNzc2NGQ1MTIwIiwic2Vzc2lvbklkIjoiZWZhNTVlNGUtMWU1MS00NWFjLWFhMmMtNTk4YTYxYzE2ZTk2Iiwicm9sZSI6IlJlZnJlc2hUb2tlbiIsIm5iZiI6MTU2NzQxNDE3MywiZXhwIjoxNTY4NjIzNzczLCJpYXQiOjE1Njc0MTQxNzN9.5-x0NNg5lMxPnZRYtu983764q0sbPcSb7U9b23e3Zwx0Ss9I",
  "token_type": "bearer"
}
```

* Record the `access_token` for next step.
* You can use the `refresh_token` for token refreshing.

### Step 5 - Retrieve Destination {#step-5---retrieve-destination}

The `accessToken` will be used to retrieve the accounts and get the `destinationId` for payments.

API Reference: `GET /v1/accounts`

#### Request {#request-2}

* Use the `ACCESS_TOKEN` retrieved from the previous tutorial to get the user accounts.

```shell
curl -X GET https://api.aiia.eu/v1/accounts \ 
    -H 'Authorization: Bearer <ACCESS_TOKEN>'
```

#### Response {#response-2}

If the request is successful, the response will look like:

```json
{
  "accounts": [
    {
        "accountProvider": {
            "id": "TestDataBank1",
            "name": "Test bank with data #1 DKK"
        },
        "available": {
            "currency": "DKK",
            "value": 6439.15
        },
        "availableBalance": null,
        "booked": {
            "currency": "DKK",
            "value": 6439.15
        },
        "bookedBalance": 6439.15,
        "currency": "DKK",
        "id": "ZmExODkyNzEtZjk2NS00ZjVjLTk5ZjktZTQ1Y682zYmMyODM5fFRlc3REYXRhQmFuazF8N2aXM5ZFIzd0gzLWhSNWJhY21nSEZCdy4x",
        "destinationId": "ZmEx3DkyNzEtZjk2NS12ZjVjLTk5ZjktZTQ1Y682zYmMyODM5fFRlc2REYXRhQmFuazF8N2aXM5ZFIzd0gzLWhSNWJhY21nSEZCdy4x",
        "isOrphaned": false,
        "lastSynchronized": "2019-09-02T08:52:16.5816944Z",
        "nagApiAccountId": "T6t4Pk9uNDgiz7JCKcK3vis9dR3wH3-hR5bacmgHFBw.1",
        "name": "Direct Debit",
        "number": {
            "bban": "0001-245787654",
            "bbanParsed": {
                "accountNumber": "245787654",
                "bankCode": "0001"
            },
            "bbanType": "0001-245787654",
            "card": null,
            "iban": null
        },
        "owner": "Christian Thomsen",
        "syncStatus" : "Queued",
        "type": "Consumption"
    }
  ]
}
```

* Record the `destinationId` for next step.
