Built by the community
Navigation
Metrics
Program
Service DeskPricingPoliciesDocument RepositoryLive Ecosystem
Developer Docs
TPP — Open Finance StandardsLFI — Integration GuideAPI SpecsKnowledge BaseRelease Notes & Erratas
NewsGitHub
TPP · Trust Framework · Applications

Redirect URIs 2 min read

Every application in the Trust Framework must have a configured RedirectURI. This RedirectURI is a specific, web address controlled by your application. It acts as the callback destination where the LFI sends the user after they complete authentication and authorizing the consent.

OAuth flow
OAuth flow

The following guide outlines how your RedirectURI can meet FAPI 2.0 requirements while still enabling deep linking into a mobile app.

01 FAPI 2.0 Constraint

Redirect URIs must be HTTPS — no custom URL schemes

FAPI 2.0 does not allow non-HTTPS redirect URIs. Therefore, you will not be able to use a custom URL scheme (e.g., myapp://home).

To remain compliant with FAPI 2.0 and still support deep linking into your application, follow the steps below.

02 Step 1

Set up an HTTPS-based Universal / App Link

You'll need to make your app respond to a secure URL like:

Callback URL
https://yourapp.com/callback?code=fbe03604-baf2-4220-b7dd-05b14de19e5c&state=d2fe5e2c-77cd-4788-b0ef-7cf0fc8a3e54&iss=https://auth1.altareq1.sandbox.apihub.openfinance.ae

For how to validate the callback (state, iss, single-use code, replay protection), see Handling Authorization Callbacks.

03 Step 2

Handle the redirect in your app

Once the user is redirected to the HTTPS URL:

  • If your app is installed, it should open and process the URL (e.g., extract the authorization code).
  • If your app is not installed, it should fall back to an appropriate web page to either complete the user journey on web or to encourage the user to install the app.

By adopting this approach, you can continue supporting deep linking while ensuring compliance with the security standards required by FAPI 2.0.

Additional Resources

Platform documentation

Vendor guides for setting up the secure HTTPS-based deep links Apple and Google require on iOS and Android.

iOS · Apple

Supporting Universal Links in Your App

Apple's Xcode documentation covering the Associated Domains entitlement, the apple-app-site-association file your HTTPS host must serve, and how iOS routes a tapped link straight to your app when it's installed (and to Safari when it isn't).

Open on developer.apple.com
Android

Android App Links

Google's training guide covering verified App Links, the assetlinks.json Digital Asset Links file your HTTPS host must serve, intent filters with android:autoVerify="true", and how Android opens your app directly without the disambiguation dialog.

Open on developer.android.com