OMSAA API Documentation
Powering the Future of Open Finance
OMSAA (Account Aggregator) provides a robust API ecosystem that enables secure, user-consented, and seamless data exchange between Financial Information Providers (FIPs) and Financial Information Users (FIUs). Our infrastructure transforms fragmented financial data into actionable intelligence, empowering organizations to build superior financial products with trust, security, and transparency.
Key Capabilities
Getting Started with OMSAA
The Account Aggregator (AA) framework is a revolutionary financial data-sharing system that enables individuals and businesses to securely share their financial information with trusted third parties.
As an RBI-regulated framework, OMSAA acts as a secure, digital bridge between Financial Information Providers (FIPs) and Financial Information Users (FIUs). We eliminate the need for physical documents and manual uploads, replacing them with a seamless, encrypted digital data flow that ensures trust, transparency, and compliance.
Why Choose the OMSAA Ecosystem?
- Consent-First Architecture: Data sharing occurs only with explicit, granular, and time-bound user permission.
- Complete User Sovereignty: Users retain full control over who can access their financial data and for how long.
- Universal Data Standards: Standardized data formats across all participating financial institutions ensure consistency and interoperability.
- Accelerated Service Delivery: Significantly reduce processing time for loans, insurance, and wealth-management use cases.
Integration Path
- Register as an FIU: Obtain your API credentials and sandbox access through the OMSAA Developer Portal.
- Configure Webhooks: Set up secure endpoints to receive real-time notifications for consent status updates and data readiness events.
- Initiate Consent: Use OMSAA Consent APIs to trigger a consent request directly to your customer’s registered mobile device.
- Fetch & Decrypt Data: Upon customer approval, leverage the Data Journey APIs to fetch encrypted financial data packets and decrypt them securely within your environment.
The Architecture at a Glance
To help your team visualize how OMSAA fits into the broader financial ecosystem, refer to the technical flow below:
OMSAA API Sequence & Integration Flow
The following outlines the standardized sequence required to integrate with the OMSAA Account Aggregator ecosystem. This flow ensures a secure, RBI-compliant, and frictionless data-sharing experience.
1. Consent Lifecycle
- POST /Consent request to OMSAA, defining the purpose, validity, and fetch frequency.
- ConsentHandle, a unique reference used to track the request progress.
- POST /Consent/Notification to the FIU's webhook with the consentId.
- POST /Consent/fetch request.
2. Secure Data Orchestration
- POST /FI/request with the consentId and KeyMaterial to generate a sessionId.
- POST /FI/Notification to the FIU signaling data is ready.
- POST /FI/fetch using the sessionId to receive the encrypted financial data.
Integration Security & Features
The OMSAA ecosystem is built on the foundation of trust and technical excellence, ensuring that every data exchange is secure and auditable.
| Feature | Description |
|---|---|
| Traceability | ConsentHandle and ConsentId ensure every transaction is uniquely identifiable and auditable across the network. |
| Session Persistence | The SessionID securely links data fetch requests to specific user-approved consent artifacts, maintaining state throughout the data journey. |
| End-to-End Security | Utilizes Diffie-Hellman Key Exchange and robust encryption, ensuring OMSAA never sees the raw data; we only facilitate the secure transit. |
| Privacy by Design | Data is shared strictly on a "need-to-know" basis, governed by the duration and frequency set by the user during the authorization phase. |
Technical Prerequisites
Before making your first API call, make sure your environment meets these three security requirements for RBI compliance and data integrity.
client_api_key issued via the Sahamati Token Service. This token identifies your entity and must be present in the header of every request.
To ensure non-repudiation and data integrity, every request and response must be signed using a JSON Web Signature (JWS) with a detached payload.
- The signature must be included in the x-jws-signature HTTP header.
- Refer to the Sahamati Tools for implementation libraries (Java, Node.js, Python).
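One way to produce and check the x-jws-signature header, added here as an example and not taken from the Sahamati libraries. It assumes RS256 and the RFC 7515 Appendix F detached form (header..signature); the key pair, the kid and the keyForKid lookup are constructed for the demo.

```javascript
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Sign the exact bytes that go on the wire. Result is "<header>..<signature>":
// the middle (payload) segment is empty because the body travels separately.
function signDetached(rawBody, privateKey, kid) {
  const header = b64u(JSON.stringify({ alg: 'RS256', kid }));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${b64u(rawBody)}`), privateKey);
  return `${header}..${b64u(sig)}`;
}

// Verify an x-jws-signature value against the raw body as received.
// keyForKid is a hypothetical lookup of the sender's registered public key.
function verifyDetached(jws, rawBody, keyForKid) {
  const parts = String(jws).split('.');
  if (parts.length !== 3 || parts[1] !== '') return false; // not a detached JWS
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return false;
  }
  if (!header || header.alg !== 'RS256') return false; // pin the algorithm
  const key = keyForKid(header.kid);
  if (!key) return false; // unknown signer
  const input = Buffer.from(`${parts[0]}.${b64u(rawBody)}`);
  return crypto.verify('sha256', input, key, Buffer.from(parts[2], 'base64url'));
}

// Constructed demo: throwaway key pair and kid; body fields mirror the consent status request.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const keys = new Map([['fiu-demo-key', publicKey]]);
  const lookup = (kid) => keys.get(kid);
  const body = JSON.stringify({ ver: '2.0.0', ConsentHandle: '39e108fe-9243-11e8-b9f2-0256d88baae8' });
  const jws = signDetached(body, privateKey, 'fiu-demo-key');
  return {
    valid: verifyDetached(jws, body, lookup),
    tampered: verifyDetached(jws, body.replace('39e1', '0000'), lookup),
    reserialised: verifyDetached(jws, JSON.stringify(JSON.parse(body), null, 2), lookup),
    unknownKid: verifyDetached(signDetached(body, privateKey, 'other'), body, lookup),
  };
}

console.log(demo());
```

Verification runs over the raw request bytes, which is why the re-serialised body fails even though it parses to the same JSON.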
Follow the OAuth 2.0 flow to retrieve your credentials from the Sahamati Central Registry (CR):
| Parameter | Value / Details |
|---|---|
| Token URL (UAT) | https://uattokens.sahamati.org.in/.../token |
| Grant Type | client_credentials |
| Auth Method | Basic Auth (using your Client ID and Secret) |
API Endpoints & Security
Configure your client to point to the appropriate environment and include the mandatory security headers for every request.
| Environment | Base URL |
|---|---|
| UAT (Testing) | https://uat-app.omsaa.in |
| Production | https://api.omsaa.in |
| Header Key | Description / Expected Value |
|---|---|
| Content-Type | application/json |
| client_api_key | Your unique Bearer token from Sahamati |
| x-jws-signature | Detached JWS signature of the request body. Required for all POST operations. |
Consent Flow
Initiate a new consent request to the customer.
This API is intended for the AA Client to request generation of digitally signed consent artefacts. The customer must use the AA application to select accounts and approve consent generation. Once the customer approves the consent request on the AA application, the AA generates the digitally signed consent artefacts. Note: The AA Client never sees the customer's account or directly participates in consent generation.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "4a4adbbe-29ae-11e8-a8d7-0289437bf331",
"ConsentDetail": {
"consentStart": "2019-12-06T11:39:57.153Z",
"consentExpiry": "2019-12-06T11:39:57.153Z",
"consentMode": "VIEW",
"fetchType": "ONETIME",
"consentTypes": ["PROFILE"],
"fiTypes": ["DEPOSIT"],
"DataConsumer": { "id": "DC1", "type": "FIU" },
"Customer": {
"id": "customer_identifier@AA_identifier",
"Identifiers": [
{ "type": "MOBILE", "value": "919867123456" }
]
},
"Purpose": {
"code": "101",
"refUri": "https://api.rebit.org.in/aa/purpose/101.xml",
"text": "Wealth management service",
"Category": { "type": "string" }
},
"FIDataRange": {
"from": "2023-07-06T11:39:57.153Z",
"to": "2019-12-06T11:39:57.153Z"
},
"DataLife": { "unit": "MONTH", "value": 0 },
"Frequency": { "unit": "HOUR", "value": 1 },
"DataFilter": [
{
"type": "TRANSACTIONAMOUNT",
"operator": ">=",
"value": "20000"
}
]
}
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "4a4adbbe-29ae-11e8-a8d7-0289437bf331",
"Customer": {
"id": "customer_identifier@AA_identifier"
},
"ConsentHandle": "39e108fe-9243-11e8-b9f2-0256d88baae8"
}
This API is intended to be used by the FIU/AA Client to check the consent status and retrieve the consent ID from the AA once the consent is approved by the customer.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "795038d3-86fb-4d3a-a681-2d39e8f4fc3c",
"ConsentHandle": "39e108fe-9243-11e8-b9f2-0256d88baae8"
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "795038d3-86fb-4d3a-a681-2d39e8f4fc3c",
"ConsentHandle": "39e108fe-9243-11e8-b9f2-0256d88baae8",
"ConsentStatus": {
"id": "654024c8-29c8-11e8-8868-0289437bf331",
"status": "APPROVED"
}
}
This API is intended for fetching the information associated with the specific consent.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "0b811819-9044-4856-b0ee-8c88035f8858",
"consentId": "654024c8-29c8-11e8-8868-0289437bf331"
}
{
"ver": "2.0.0",
"txnid": "0b811819-9044-4856-b0ee-8c88035f8858",
"consentId": "XXXX-XXXX-XXXX-XXXX",
"status": "ACTIVE",
"createTimestamp": "2023-06-26T11:39:57.153Z",
"signedConsent": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyNzE5MTNlLTdiOTMtNDlkZC05OTQ5LTFjNzZmZjVmYzVjZiIsImI2NCI6ZmFsc2UsImN
yaXQiOlsiYjY0Il19.ew0KICAgICAgICAiY29uc2VudFN0YXJ0IjogIjIwMTktMDUtMjhUMTE6Mzg6MjAuMzgwKzAwMDAiLA0KICAgICAgICAiY29uc2V
udEV4cGlyeSI6ICIyMDIwLTA1LTI4VDExOjM4OjIwLjM4MSswMDAwIiwNCiAgICAgICAgImNvbnNlbnRNb2RlIjogIlZJRVciLA0KICAgICAgICAiZmV0
Y2hUeXBlIjogIk9ORVRJTUUiLA0KICAgICAgICAiY29uc2VudFR5cGVzIjogWw0KICAgICAgICAgICAgIlBST0ZJTEUiLA0KICAgICAgICAgICAgIlNVT
U1BUlkiLA0KICAgICAgICAgICAgIlRSQU5TQUNUSU9OUyINCiAgICAgICAgXSwNCiAgICAgICAgImZpVHlwZXMiOiBbDQogICAgICAgICAgICAiREVQT1
NJVCIsDQogICAgICAgICAgICAiVEVSTS1ERVBPU0lUIg0KICAgICAgICBdLA0KICAgICAgICAiRGF0YUNvbnN1bWVyIjogew0KICAgICAgICAgICAgIml
kIjogImNvb2tpZWphci1hYUBmaW52dS5pbiIsDQogICAgICAgICAgICAidHlwZSI6ICJBQSINCiAgICAgICAgfSwNCiAgICAgICAgIkRhdGFQcm92aWRl
ciI6IHsNCiAgICAgICAgICAgICJpZCI6ICJCQVJCMEtJTVhYWCIsDQogICAgICAgICAgICAidHlwZSI6ICJGSVAiDQogICAgICAgIH0sDQogICAgICAgI
CJDdXN0b21lciI6IHsNCiAgICAgICAgICAgICJpZCI6ICJkZW1vQGZpbnZ1Ig0KICAgICAgICB9LA0KICAgICAgICAiQWNjb3VudHMiOiBbDQogICAgIC
AgICAgICB7DQogICAgICAgICAgICAgICAgImZpVHlwZSI6ICJERVBPU0lUIiwNCiAgICAgICAgICAgICAgICAiZmlwSWQiOiAiQkFSQjBLSU1YWFgiLA0
KICAgICAgICAgICAgICAgICJhY2NUeXBlIjogIlNBVklOR1MiLA0KICAgICAgICAgICAgICAgICJsaW5rUmVmTnVtYmVyIjogIlVCSTQ4NTk2NDU3OSIs
DQogICAgICAgICAgICAgICAgIm1hc2tlZEFjY051bWJlciI6ICJVQkk4NTIxNzg4MTI3OSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQogI
CAgICAgICAgICAgICAgImZpVHlwZSI6ICJERVBPU0lUIiwNCiAgICAgICAgICAgICAgICAiZmlwSWQiOiAiQkFSQjBLSU1YWFgiLA0KICAgICAgICAgIC
AgICAgICJhY2NUeXBlIjogIlNBVklOR1MiLA0KICAgICAgICAgICAgICAgICJsaW5rUmVmTnVtYmVyIjogIlVCSTQ4NTk2NDUiLA0KICAgICAgICAgICA
gICAgICJtYXNrZWRBY2NOdW1iZXIiOiAiVUJJODUyMTc4ODEyIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0KICAgICAgICAiUHVycG9zZSI6IHsN
CiAgICAgICAgICAgICJjb2RlIjogIjEwMSIsDQogICAgICAgICAgICAicmVmVXJpIjogImh0dHBzOi8vYXBpLnJlYml0Lm9yZy5pbi9hYS9wdXJwb3NlL
zEwMS54bWwiLA0KICAgICAgICAgICAgInRleHQiOiAiV2VhbHRoIG1hbmFnZW1lbnQgc2VydmljZSIsDQogICAgICAgICAgICAiQ2F0ZWdvcnkiOiB7DQ
ogICAgICAgICAgICAgICAgInR5cGUiOiAicHVycG9zZUNhdGVnb3J5VHlwZSINCiAgICAgICAgICAgIH0NCiAgICAgICAgfSwNCiAgICAgICAgIkZJRGF
0YVJhbmdlIjogew0KICAgICAgICAgICAgImZyb20iOiAiMjAxOS0wNS0yOFQxMTozODoyMC4zODMrMDAwMCIsDQogICAgICAgICAgICAidG8iOiAiMjAy
MC0wNS0yOFQxMTozODoyMC4zODErMDAwMCINCiAgICAgICAgfSwNCiAgICAgICAgIkRhdGFMaWZlIjogew0KICAgICAgICAgICAgInVuaXQiOiAiTU9OV
EgiLA0KICAgICAgICAgICAgInZhbHVlIjogNA0KICAgICAgICB9LA0KICAgICAgICAiRnJlcXVlbmN5Ijogew0KICAgICAgICAgICAgInVuaXQiOiAiSE
9VUiIsDQogICAgICAgICAgICAidmFsdWUiOiA0DQogICAgICAgIH0sDQogICAgICAgICJEYXRhRmlsdGVyIjogWw0KICAgICAgICAgICAgew0KICAgICA
gICAgICAgICAgICJ0eXBlIjogIlRSQU5TQUNUSU9OQU1PVU5UIiwNCiAgICAgICAgICAgICAgICAib3BlcmF0b3IiOiAiPiIsDQogICAgICAgICAgICAg
ICAgInZhbHVlIjogIjIwMDAwIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdDQogICAgfQ.O3KPh-eTpW2w47QXYidOBe1Hk2y7djVAEcOnZyRRvxQ3cY
18-9ZWiodF16jff-e7yNQgsYZpAy95Fx2Fft8LoYugkYh9_6qHiG_7LCtW8Ng4nCMgZM3Wwsj11ks1msrK5C1ksPrGlTkFhm9-FufNkPTAlW76_5Sb8G_
lOsIj1lB8TrvKpOvPlhEIgsS4WBNdPfv3SBqTV2suw2LvkX3QTilqwuMgXMkrm9-RYL90fweX_yyoyaBWHOJNQaKNuQWPpoRRNHGOx3v4_QiwgrELdfeT
VtKn6R_AsfaBoEthQ3wrc8tY1q0Wx5j0x18NdU2R2C26dHyZ9M11dEH99psA1A",
"ConsentUse": {
"logUri": "string",
"count": 1,
"lastUseDateTime": "2023-07-06T11:39:57.153Z"
}
}
Data Request
This API is used by the FIU to request financial information from the AA. The AA validates the request against the signed consent and returns a sessionId, which the FIU can then use to fetch the required data.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "e8cc6822-d4bb-4eb1-9e1b-4996fbff8acb",
"FIDataRange": {
"from": "2023-07-06T11:39:57.153Z",
"to": "2019-12-06T11:39:57.153Z"
},
"Consent": {
"id": "654024c8-29c8-11e8-8868-0289437bf331",
"digitalSignature": "NdjwMjLortTb10dxcJezkvdOxPVvEdZvIqwqVWOHnE8pS_YDswcRPLTRmds2xO-Tvm_A2cFv1qKYpaZnv8Bl
6xmZoOsG_F8_40gRZqIhz5hF9puzp8lEEhMlZ6NaX2Y2OYkwHcOBBpCIXpLXB4CMWiefUEWjO9zKDd5JJwZ4vLWeT4qgwvPfRqE60B33t
zVlF5E6OA2mKK17sGRXsfrI9obEjL52RMdGo_9bv1HnHfvPlbj5ihj6d_5iTtoh7HUC_X8CrJGvkgkCjP_7of1jPb5QgJ9nx_Yfsxj3vf
8zEseZIVISjF3MwBzW7Di4CpfQl4wlnpkQO9MKu78F69Z9Ig"
},
"KeyMaterial": {
"cryptoAlg": "ECDH",
"curve": "Curve25519",
"params": "cipher=AES/GCM/NoPadding;KeyPairGenerator=ECDH",
"DHPublicKey": {
"expiry": "2023-07-06T11:39:57.153Z",
"Parameters": "string",
"KeyValue": "string"
},
"Nonce": "29512b70-ca84-46b5-9471-63765599cf15"
}
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "e8cc6822-d4bb-4eb1-9e1b-4996fbff8acb",
"consentId": "654024c8-29c8-11e8-8868-0289437bf331",
"sessionId": "caa2f259-2dc2-4075-87aa-6d81018b6183"
}
This API is used to fetch financial information from the AA once the FIU receives the data ready notification.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "3dd436f8-0747-4a8f-9001-375e419430be",
"sessionId": "caa2f259-2dc2-4075-87aa-6d81018b6183",
"fipId": "FIP-1",
"linkRefNumber": [
{
"id": "XXXX-XXXX-XXXX"
}
]
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "3dd436f8-0747-4a8f-9001-375e419430be",
"FI": [
{
"fipID": "FIP-1",
"data": [
{
"linkRefNumber": "XXXX-XXXX-XXXX",
"maskedAccNumber": "XXXXXXXX4020",
"encryptedFI": "string"
}
],
"KeyMaterial": {
"cryptoAlg": "ECDH",
"curve": "Curve25519",
"params": "cipher=AES/GCM/NoPadding;KeyPairGenerator=ECDH",
"DHPublicKey": {
"expiry": "2023-07-06T11:39:57.153Z",
"Parameters": "string",
"KeyValue": "string"
},
"Nonce": "29512b70-ca84-46b5-9471-63765599cf15"
}
}
]
}
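The KeyMaterial exchange behind /FI/request and /FI/fetch, as an added example (not OMSAA's or Sahamati's code): both ends derive one AES-256-GCM key from X25519 ECDH, so a relay that holds only the public KeyMaterial cannot read encryptedFI. The HKDF step, the nonce and key encodings, and the iv||ciphertext||tag packing are assumptions made for illustration; the page does not specify them.

```javascript
const crypto = require('crypto');

// Each party (FIU, FIP) creates an ephemeral X25519 key pair and a random nonce.
// Only KeyMaterial is transmitted; the private key never leaves its owner.
function newParty() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  const KeyValue = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const Nonce = crypto.randomBytes(32).toString('base64'); // constructed encoding
  return {
    privateKey,
    KeyMaterial: { cryptoAlg: 'ECDH', curve: 'Curve25519', DHPublicKey: { KeyValue }, Nonce },
  };
}

// ASSUMPTION (not from the page): session key = HKDF-SHA256 over the ECDH secret,
// salted with the XOR of both nonces so either side computes the same value.
function sessionKey(own, remote) {
  const der = Buffer.from(remote.DHPublicKey.KeyValue, 'base64');
  const remotePub = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  const secret = crypto.diffieHellman({ privateKey: own.privateKey, publicKey: remotePub });
  const a = Buffer.from(own.KeyMaterial.Nonce, 'base64');
  const b = Buffer.from(remote.Nonce, 'base64');
  if (a.length !== b.length) throw new Error('nonce length mismatch');
  const salt = Buffer.from(a.map((byte, i) => byte ^ b[i]));
  return Buffer.from(crypto.hkdfSync('sha256', secret, salt, 'fi-session', 32));
}

// ASSUMPTION: encryptedFI = base64(iv || ciphertext || 16-byte tag), fresh IV per record.
function encryptFI(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, ct, c.getAuthTag()]).toString('base64');
}

// Throws if the key is wrong or the packet was modified in transit.
function decryptFI(key, encryptedFI) {
  const raw = Buffer.from(encryptedFI, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(raw.length - 16));
  return Buffer.concat([d.update(raw.subarray(12, raw.length - 16)), d.final()]).toString('utf8');
}

function demo() { // constructed plaintext; the FIP encrypts, the FIU decrypts
  const fiu = newParty(), fip = newParty();
  const packet = encryptFI(sessionKey(fip, fiu.KeyMaterial), '{"Account":{"type":"deposit"}}');
  return decryptFI(sessionKey(fiu, fip.KeyMaterial), packet);
}
console.log(demo());
```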
Notifications
This API can be used by the AA Client, FIU and FIP to place a request for a consent status update to the AA in specific use cases. For more details, please refer to the FAQ section.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "0b811819-9044-4856-b0ee-8c88035f8858",
"Notifier": {
"type": "FIP",
"id": "FIP-1"
},
"ConsentStatusNotification": {
"consentId": "XXXX0-XXXX-XXXX",
"consentStatus": "REJECTED"
}
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T06:13:30.967+0000",
"txnid": "f35761ac-4a18-11e8-96ff-0277a9fbfedc",
"response": "OK"
}
This API can be used by the AA Client, FIU and FIP to send notifications related to Financial Information (FI) fetch to the AA.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "0b811819-9044-4856-b0ee-8c88035f8858",
"Notifier": {
"type": "FIP",
"id": "FIP-1"
},
"FIStatusNotification": {
"sessionId": "XXXX0-XXXX-XXXX",
"sessionStatus": "ACTIVE",
"FIStatusResponse": [
{
"fipID": "FIP-1",
"Accounts": [
{
"linkRefNumber": "XXXX-XXXX-XXXX",
"FIStatus": "READY",
"description": ""
}
]
}
]
}
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T06:13:30.967+0000",
"txnid": "f35761ac-4a18-11e8-96ff-0277a9fbfedc",
"response": "OK"
}
This API can be used by the FIP to send account linking related notifications to the AA in the case of the direct authentication method of account linking.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"txnid": "0b811819-9044-4856-b0ee-8c88035f8858",
"Notifier": {
"type": "FIP",
"id": "FIP-1"
},
"AccountLinkStatusNotification": {
"accRefNumber": "XXXX0-XXXX-XXXX",
"customerAddress": "customer_identifier@aa_identifier",
"linkRefNumber": "XXXX-XXXX-XXXX",
"linkStatus": "LINKED"
}
}
{
"ver": "2.0.0",
"timestamp": "2023-06-26T06:13:30.967+0000",
"txnid": "f35761ac-4a18-11e8-96ff-0277a9fbfedc",
"response": "OK"
}
Monitoring
This API can be used by FIPs and FIUs to check the availability of the AA application.
{
"ver": "2.0.0",
"timestamp": "2023-06-26T11:39:57.153Z",
"Status": "UP",
"Error": {
"code": 0,
"msg": "string",
"detail": "string"
}
}