Variable Periodic Schedule — Requirements v2.16 min read

Must conform to the Request JWT requirements — correct aud, signing algorithm (PS256), and expiry window.

Must be included in the POST body (client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer). Authenticates the TPP application — see Client Assertion.

Must be payments openid. If consent.Permissions includes any of ReadAccountsBasic, ReadAccountsDetail, or ReadBalances, must be accounts payments openid — see Account Permissions in a Payment Consent.

Must be urn:openfinanceuae:service-initiation-consent:v2.1.

The consent version in authorization_details[0].type (e.g. urn:openfinanceuae:service-initiation-consent:v2.1) restricts the version of the Payment Initiation endpoints the consent can be used to call (specified in the path, e.g. /open-finance/payment/v2.1/payments). It MUST resolve to an ApiVersion the LFI has published in the Trust Framework for the Payment Initiation API family.

The request must conform exactly to the POST /par OpenAPI schema. No additional or undocumented parameters are permitted.

The decrypted PII payload must conform exactly to the PII schema. No additional or undocumented parameters are permitted.

The Risk block must be fully populated — every field that is known or derivable from the TPP's system must be included. See Risk.

If provided, must reference a valid UAE IBAN held at the LFI and reachable through this API Hub. The account must be in a state that permits payment initiation (e.g. not blocked, dormant, or closed).

Required. Must contain exactly one creditor entry. The Creditor must be a valid UAE domestic creditor — the account must be reachable on a supported UAE domestic rail (AANI or UAEFTS) and, where the LFI can determine the state of the receiving account, in a state able to receive payments. Mandatory fields, IBAN, and BIC derivation rules apply — see creditor field validation requirements.

Must be false or not provided (Delegated SCA is not permitted for this payment type).

Must be "VariablePeriodicSchedule". SinglePayment and FilePayment must not be present.

Required. Defines the maximum amount allowed for a single payment within a period.

Must be AED.

Required. Defines the period boundary (e.g. Week, Month).

Required. The date from which each period is counted. Must not be in the past. Must not be after consent.ExpirationDateTime.

Only 1 payment is allowed per period. Always enforced.

Required. Defines the total number of payments permitted across the lifetime of the consent.

If set, defines the maximum total value of all payments permitted across the lifetime of the consent.

If set, MaximumCumulativeValueOfPayments.Currency must be AED.

The LFI must advertise Variable Periodic Schedule as supported via ApiMetadata.VariablePeriodicSchedule.Supported on its authorisation server entry in the Trust Framework. If the payment type is not supported, the consent validation will fail.

If provided, must reference a previous consent belonging to the same end user. If the original consent in the chain already had a BaseConsentId, the TPP must reuse that same BaseConsentId rather than the immediate prior ConsentId.

Optional; default is false. Omitting or setting to false asserts that the TPP supports the multi-authorization flow — the consent may remain pending while additional authorizers approve before reaching Authorized. Setting to true requests that only accounts solely authorizable by the authenticated customer be offered. The LFI must not reject the consent based on its own platform capability — this is a TPP-side assertion. See Multi-Authorization.

If provided, must not be in the past. Must not be after consent.ExpirationDateTime.

Must not be in the past. Must be less than one year in the future.

If ReadBalances is included, at least one of ReadAccountsBasic or ReadAccountsDetail must also be present.

Must not be present. Domestic payments are denominated in AED only; CurrencyRequest is for non-local currency and international transfers.

If provided, must be a recognised AANI purpose code.

Should be included. Should be a valid UUID (RFC 4122). An invalid value will not cause a failure but tracing will not be possible.

Must contain a valid Bearer access token issued with the payments openid scope (or accounts payments openid where account permissions were included on the consent — see Account Permissions in a Payment Consent). The consent bound to the token must be in Authorized status and the ExpirationDateTime of the Consent must be in the future.

The version in the request URL path (e.g. v2.1 in /open-finance/service-initiation/v2.1/payments) must match the version in the consent's authorization_details[0].type (urn:openfinanceuae:service-initiation-consent:v2.1).

Must match the ConsentId bound to the access token. The Consent must be in Authorized status and the ExpirationDateTime of the Consent must be in the future.

Must be ≤ consent.ControlParameters.ConsentSchedule.MultiPayment.PeriodicSchedule.MaximumIndividualAmount.Amount.

Must exactly match consent.ControlParameters.ConsentSchedule.MultiPayment.PeriodicSchedule.MaximumIndividualAmount.Currency.

The payment must not cause the count of payments over the lifetime of the consent to exceed MaximumCumulativeNumberOfPayments.

If set on the consent, the payment must not cause the value of payments over the lifetime of the consent to exceed MaximumCumulativeValueOfPayments.Amount.

Can differ from consent.PaymentPurposeCode. If provided, must be a recognised AANI purpose code.

Only one payment is permitted per period. A second POST /payments within the same period will be rejected.

The request must conform exactly to the POST /payments OpenAPI schema. No additional or undocumented parameters are permitted.

The decrypted PII payload must conform exactly to the PII schema. No additional or undocumented parameters are permitted.

The Risk block must be fully populated — every field that is known or derivable from the TPP's system must be included. See Risk.

Initiation.Creditor[] had exactly 1 entry at consent time. The submitted creditor must exactly match that consent-time entry. See Creditor.

Should be included. Should be a valid UUID (RFC 4122). An invalid value will not cause a failure but tracing will not be possible.

Must be included. Must be a stable, unique value per payment attempt — the same key must be reused on retries of the same payment.

Must be sent when the customer is authenticated at the time of the call. Must be a valid HTTP-date (RFC 7231), e.g. Tue, 11 Sep 2012 19:43:31 UTC.

Must be sent when the customer is actively present at the time of the call. Must be a valid IPv4 or IPv6 address.

Should be sent when the customer is actively present. Should reflect the user-agent of the customer's browser or device.