# App to App Authentication Toolkit
source: https://developer.mastercard.com/open-finance-us/documentation/experience-design-guide/connect-enhancements-and-features/app-to-app-auth-best-practices/index.md

App to App authentication is a feature that enables mobile users to authorize access to their data by signing in with their financial institution's (FI's) mobile app, if it is installed on the device they are using. The customer can sign in using whichever biometric login features the FI supports. If the app is not installed, the customer is directed to log in through the FI's website in a browser window.

### Why is App to App Important? {#why-is-app-to-app-important}

App to App Authentication can help increase customer success rates by directing customers to their bank's app to log in and authorize access to their data. This reduces friction by letting customers log in the way they usually do, thereby reducing dropout.

**In two surveys conducted by the Open Finance Mastercard research team, we discovered:**

* more than 70% of participants primarily use a mobile phone to access and manage their primary checking account daily or every 2-3 days.
* more than 80% of participants prefer to be (or are comfortable with being) directed to their bank app to log in to their account.

## What Does App to App Authentication Look Like for an End User? {#what-does-app-to-app-authentication-look-like-for-an-end-user}

The following Figma diagram shows the user flow from the data recipient (the partner app), via the data access platform (Mastercard Data Connect), to the data provider (the chosen FI's banking app), and back.


The following sequence diagram shows the interaction between the Partner application (which uses Mastercard Open Finance), Mastercard, the mobile OS, the FI application (banking app) and the FI server.

The Partner application is also known as the Data Recipient (it authenticates so that its users can obtain their banking data), and the Financial Institution (bank) is also known as the Data Provider.

(Diagram: app-to-app sequence)

For the app to app flow to work, both the partner's app and the Financial Institution's app need to implement Universal Links (iOS) or App Links (Android).

The following sections give advice on how to configure Universal Links/App Links for both the FI (as data provider) and the partner (as data recipient).

## How Can Financial Institutions Support App to App? {#how-can-financial-institutions-support-app-to-app}

To enable seamless authentication within your mobile banking app, follow these steps:

#### Define a New Consent URL {#define-a-new-consent-url}

Here is an example of what your newly configured consent URL will look like:

##### Example {#example}

New Path:

```bash
GET /api/v1/mobile/oauth/authorize-url
```

Old Path:

```bash
GET /api/v1/oauth/authorize-url
```

The new endpoint functions the same as the old one, except that your mobile app is now set up to intercept the URL and redirect the customer to the mobile consent experience, where biometric authentication is available.

#### Configure the new Consent URL as a Claimed HTTPS URL (Universal Link/App Link) {#configure-the-new-consent-url-as-a-claimed-https-url-universal-linkapp-link}

The newly configured consent URL needs to be set up as a claimed HTTPS URL (Universal Link on iOS / App Link on Android) so that users are sent into the bank's mobile app authentication flow instead of a web browser.
Your Universal Link/App Link should route users to the authentication flow in your mobile app.

If the user taps this URL and the bank has not set up Universal Links/App Links, it opens in a web browser instead of the bank's mobile app.

To ensure that the bank's mobile app is opened rather than a web browser, the financial institution must set up Universal Links (iOS) or App Links (Android).

#### iOS Configuration (Universal Links) {#ios-configuration-universal-links}

In the `apple-app-site-association` file, hosted at `/.well-known/apple-app-site-association` on the claimed domain:

```json
{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appID": "ABCDE12345.com.example.app",
        "paths": [ "/auth/*" ]
      }
    ]
  }
}
```

For more information on how to configure Universal Links, see [Apple's developer documentation](https://developer.apple.com/ios/universal-links/).

#### Android Configuration (App Links) {#android-configuration-app-links}

Add an intent filter to `/app/src/main/AndroidManifest.xml`. The Digital Asset Links file that backs it, `assetlinks.json`, is hosted at `https://bank.example.com/.well-known/assetlinks.json`:

```xml
<intent-filter android:autoVerify="true">
  <action android:name="android.intent.action.VIEW" />
  <category android:name="android.intent.category.DEFAULT" />
  <category android:name="android.intent.category.BROWSABLE" />
  <data android:scheme="https"
        android:host="bank.example.com"
        android:pathPrefix="/auth/" />
</intent-filter>
```

For more information on how to configure App Links, see the [Android developer documentation](https://developer.android.com/training/app-links).
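As an added check (example code written for this guide, not Mastercard's or any FI's own), the following Python models how each platform decides whether a consent URL is routed to the bank app or falls back to the browser: iOS evaluates the AASA `paths` entries in order (`*`, `?` and a `NOT ` prefix), while Android needs both a matching `android:pathPrefix` in the intent filter and a Digital Asset Links statement for the package and its signing-certificate fingerprint. The association files, package name and fingerprint below are constructed placeholders.

```python
import json
import re

# Constructed sample association files, modelled on the snippets in this guide
# (placeholders, not fetched from any real host).
AASA = json.loads("""{"applinks": {"apps": [], "details": [
  {"appID": "ABCDE12345.com.example.app", "paths": ["NOT /auth/web/*", "/auth/*"]}]}}""")
FINGERPRINT = ":".join(["AA"] * 32)  # constructed SHA-256 signing-cert fingerprint
ASSETLINKS = [{
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {"namespace": "android_app", "package_name": "com.example.app",
               "sha256_cert_fingerprints": [FINGERPRINT]},
}]

def _aasa_pattern(entry: str) -> re.Pattern:
    # In the legacy AASA "paths" format, * matches any run of characters and ? one character.
    return re.compile("^" + re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".") + "$")

def ios_app_claims(aasa: dict, app_id: str, path: str) -> bool:
    """True if iOS would open `path` in the app identified by `app_id`.

    Entries are checked in order and the first match decides; a "NOT " entry
    explicitly leaves the path to Safari, the browser fallback this guide describes."""
    for detail in aasa.get("applinks", {}).get("details", []):
        if detail.get("appID") != app_id:
            continue
        for entry in detail.get("paths", []):
            negate = entry.startswith("NOT ")
            if _aasa_pattern(entry[4:] if negate else entry).match(path):
                return not negate
    return False  # no claim: the URL opens in the browser

def android_app_claims(assetlinks: list, package: str, fingerprint: str,
                       path: str, path_prefix: str) -> bool:
    """True if App Links verification would succeed for this package and signing
    certificate, and the manifest's android:pathPrefix covers `path`."""
    if not path.startswith(path_prefix):
        return False
    for stmt in assetlinks:
        target = stmt.get("target", {})
        fingerprints = {f.upper() for f in target.get("sha256_cert_fingerprints", [])}
        if ("delegate_permission/common.handle_all_urls" in stmt.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and fingerprint.upper() in fingerprints):
            return True
    return False  # verification fails: Android treats the link as a plain web URL
```

Running both checks against the consent path before launch catches the most common cause of the browser fallback: a path that the association file or intent filter does not actually cover.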

#### Ensure Your Mobile App Supports App-to-App Authentication {#ensure-your-mobile-app-supports-app-to-app-authentication}

Your mobile app must:

* intercept the Universal/App Link (for example, `https://bank.example.com/auth/link`) and extract the authorization URL.
* open the OAuth 2.0 authorization flow within the app.
* authenticate the end user and allow them to select and share accounts.
* retrieve the OAuth 2.0 authorization code upon user consent.

#### Redirect the User Back with an Authorization Code {#redirect-the-user-back-with-an-authorization-code}

Once authentication is complete:

* redirect the user to the pre-registered redirect URI (provided by the data access platform).
* attach the authorization code to the redirect URI.
* the data access platform then exchanges this code for an access token.


Example redirect URI:

```text
https://aggregator.example.com/callback?code=AUTHORIZATION_CODE&state=randomStateValue
```
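Handling that callback on the data access platform side, as an added example written for this guide (not Mastercard's code): the redirect is accepted only when its URI exactly matches the pre-registered value, the `state` was issued for a pending session and has not been used before, and exactly one non-empty `code` is present. The registered redirect URI and the session identifiers are placeholders taken from the example above.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Pre-registered redirect URI from the example above (placeholder host).
REGISTERED_REDIRECT_URI = "https://aggregator.example.com/callback"

class CallbackError(ValueError):
    """Raised when the redirect back from the FI must not be accepted."""

class PendingAuthorizations:
    """One-time `state` values issued when a user is sent to the FI for consent."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # state -> session id

    def start(self, session_id: str) -> str:
        state = secrets.token_urlsafe(32)  # unguessable and bound to this session
        self._pending[state] = session_id
        return state

    def consume(self, state: str) -> Optional[str]:
        # Constant-time comparison against each issued state; a match is removed,
        # so a second callback carrying the same state is rejected.
        for issued in list(self._pending):
            if hmac.compare_digest(issued.encode(), state.encode()):
                return self._pending.pop(issued)
        return None

def extract_authorization_code(callback_url: str, pending: PendingAuthorizations) -> Tuple[str, str]:
    """Validate the FI's redirect and return (session_id, authorization_code)."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REGISTERED_REDIRECT_URI:
        raise CallbackError("redirect URI does not match the registered value")
    query = parse_qs(parts.query, keep_blank_values=True)
    if "error" in query:
        raise CallbackError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    session_id = pending.consume(state)
    if session_id is None:
        raise CallbackError("unknown, expired or already used state")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("exactly one non-empty authorization code is required")
    return session_id, codes[0]
```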

## How Partners Should Implement App to App Authentication {#how-partners-should-implement-app-to-app-authentication}

There are two main requirements to use the app to app authentication enhancement:

* Create your domain's `redirectUrl` through a Universal Link (iOS)/App Link (Android).
* Configure your `redirectUrl`.

The Mastercard SDKs redirect users to the Financial Institution's app if it is installed, and the `redirectUrl` (Universal Link or App Link) ensures the end user is returned from the Financial Institution's app to your application.

For further information about how to integrate app to app within the Data Connect experience using our mobile SDKs, see the following pages in our integration guide:

* [App to App Authentication with Data Connect](https://developer.mastercard.com/open-finance-us/documentation/connect/integrating/index.md#app-to-app-authentication)
* [App to App support (Data Connect iOS SDK)](https://developer.mastercard.com/open-finance-us/documentation/connect/integrating/sdk/ios/ios-sdk/index.md#app-to-app-support)
* [App to App support (Data Connect Android SDK)](https://developer.mastercard.com/open-finance-us/documentation/connect/integrating/sdk/android/android-sdk/index.md#app-to-app-support)

#### Additional info {#additional-info}

There is no customization. However, if the user is not using the native browser, a redirect button may appear within the flow after they connect their accounts via the Financial Institution's app.

* Supported browsers on iOS:
  * Automatic redirect: Safari
  * Redirect button: Chrome, Edge, Firefox
* Supported browsers on Android:
  * Automatic redirect: Chrome, Edge, native browser
  * Redirect button: Firefox

Tip: If you have any questions or need assistance with the customer experience or development, [contact us](https://developer.mastercard.com/open-finance-us/documentation/support/index.md).


Next: [Building a user-friendly FI search experience](https://developer.mastercard.com/open-finance-us/documentation/experience-design-guide/connect-enhancements-and-features/fi-search-experience/index.md)
