Authorization Requirements v2.1
This page defines the required error handling behaviour when the consent authorization fails after the end user has been authenticated. The LFI MUST invoke POST /auth/{interactionId}/doFail with the exact error and error_description values specified below.
For all authorization failure scenarios, the LFI MUST PATCH the consent to Rejected before calling doFail — the end user has been identified during the authentication step. For the full doFail API specification, see the POST /auth/{interactionId}/doFail API Reference.
Error scenarios
1. End user explicitly cancels or declines the consent
The end user reviews the consent details and chooses to decline or cancel the authorization.
- error: access_denied
- error_description: user_rejected_consent

2. End user lacks eligible accounts or access
The end user does not have any accounts or sufficient access rights to authorize the consent. For example:
- The end user has no eligible accounts for the requested consent type
- The end user's accounts do not support the requested payment rail or currency
- The consent has IsSingleAuthorization set to true but the end user does not have sufficient authority to authorize the payment independently — for example, where the payment would require an additional approver (subsequent authorizer)
- error: invalid_request
- error_description: user_lacks_eligible_accounts

3. Consent type not supported by LFI
POST /consent/action/validate endpoint to reject unsupported consents at creation time — before the end user is redirected to the LFI. If this error is reported persistently or frequently, Nebras may require the LFI to implement the POST /consent/action/validate endpoint.
The LFI does not support the consent type or configuration requested by the TPP.
- error: access_denied
- error_description: consent_not_supported

4. End user session expires
The end user's session with the LFI expires before they complete the authorization of the consent.
- error: access_denied
- error_description: session_expired

5. LFI internal technical error
The LFI encounters an internal technical error during the authorization process — for example, an internal service failure or inability to retrieve account data.
- error: server_error
- error_description: lfi_internal_error

6. LFI fails to communicate with API Hub
The LFI cannot communicate with the API Hub during the authorization process — for example, a failure when calling PATCH /consents/{consentId} to update the consent status.
- error: server_error
- error_description: api_hub_communication_error

The LFI MUST attempt to PATCH the consent to Rejected before calling doFail, but if the API Hub is unreachable, the LFI MUST still call doFail to redirect the end user back to the TPP.
7. LFI temporarily unavailable
The LFI cannot complete authorization due to high load or temporary capacity constraints at the LFI's systems.
- error: temporarily_unavailable
- error_description: lfi_temporarily_unavailable

The LFI MUST PATCH the consent to Rejected before calling doFail — the end user has been identified during the authentication step.
Summary
error code that is not supported by the FAPI 2.0 Security Profile, the API Hub will overwrite it with invalid_request.

| error | error_description |
|---|---|
| access_denied | user_rejected_consent |
| invalid_request | user_lacks_eligible_accounts |
| access_denied | consent_not_supported |
| access_denied | session_expired |
| server_error | lfi_internal_error |
| server_error | api_hub_communication_error |
| temporarily_unavailable | lfi_temporarily_unavailable |

For all scenarios above, the LFI MUST PATCH the consent to Rejected before calling doFail, except scenario 6 where the API Hub may be unreachable — in which case the LFI MUST make a best-effort attempt.
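The following is an added example, not part of the specification or of any LFI's code, showing the ordering rule: PATCH the consent to Rejected first, then call doFail with the exact pair for the scenario. The callables patch_consent and do_fail are hypothetical stand-ins for the LFI's HTTP client, and reporting the scenario 6 values whenever the PATCH itself fails is an assumption of this example.

```python
from enum import Enum


class Failure(Enum):
    """(error, error_description) pairs exactly as listed on this page."""
    USER_REJECTED = ("access_denied", "user_rejected_consent")
    NO_ELIGIBLE_ACCOUNTS = ("invalid_request", "user_lacks_eligible_accounts")
    CONSENT_NOT_SUPPORTED = ("access_denied", "consent_not_supported")
    SESSION_EXPIRED = ("access_denied", "session_expired")
    INTERNAL_ERROR = ("server_error", "lfi_internal_error")
    API_HUB_UNREACHABLE = ("server_error", "api_hub_communication_error")
    TEMPORARILY_UNAVAILABLE = ("temporarily_unavailable", "lfi_temporarily_unavailable")


def fail_authorization(failure, interaction_id, consent_id, patch_consent, do_fail):
    """PATCH the consent to Rejected, then call doFail.

    patch_consent(consent_id, status) and do_fail(interaction_id, error,
    error_description) are hypothetical transport callables supplied by the caller.
    Returns (error, error_description, patched).
    """
    if not isinstance(failure, Failure):
        raise TypeError("failure must be a Failure member")  # refuse free-form values
    patched = True
    try:
        patch_consent(consent_id, "Rejected")
    except OSError:  # connection and timeout errors: API Hub unreachable
        patched = False
        # Assumption of this example: a failed PATCH is reported as scenario 6.
        failure = Failure.API_HUB_UNREACHABLE
    error, description = failure.value
    do_fail(interaction_id, error, description)  # always redirect the user to the TPP
    return error, description, patched


if __name__ == "__main__":
    # Constructed stand-ins for the HTTP calls; the identifiers are made up.
    def hub_down(consent_id, status):
        raise ConnectionError("API Hub unreachable")

    def show(interaction_id, error, description):
        print(f"POST /auth/{interaction_id}/doFail {error} {description}")

    fail_authorization(Failure.SESSION_EXPIRED, "int-1", "con-1", lambda c, s: None, show)
    fail_authorization(Failure.USER_REJECTED, "int-2", "con-2", hub_down, show)
```

The returned patched flag lets the caller log or alert on consents that could not be set to Rejected at the API Hub.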
