Auth flows
An auth flow describes how a depository gets linked to a custodian. Different institutions expose different consent mechanisms — a PSD2-style OAuth handshake for a Nordic retail bank, an authenticated daily SFTP drop for an offshore private bank, a read-only API key paste for a broker. Each of these lives in the catalogue as a separate auth flow.
Data model
- Name: id
  Type: string
  Description: Stable identifier for the flow. Includes both the custodian and the flow variant (e.g. nordea-20260630) so the flow's effective date is obvious from the slug.
- Name: custodian_id
  Type: string
  Description: The custodian this flow authorises against.
- Name: kind
  Type: enum
  Description: oauth, credentials, file_delivery, manual_upload. Tells the client app how to prompt the user.
- Name: requires_user_action
  Type: boolean
  Description: Whether the flow ends with an interactive step (OAuth consent screen, uploading a consent form). False for flows that Aleta can complete purely server-side once credentials are supplied.
- Name: retention_days
  Type: integer
  Description: How long a successful authorisation stays valid before it needs to be refreshed. Encodes the regulatory ceiling — PSD2 OAuth is typically 180 days, some private-bank file drops are indefinite until the user revokes.
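An added example, not part of the Aleta documentation or client code: one way a client could type-check a flow record against the fields above, reject unknown kind values, and work out when a consent needs refreshing. The sample record, its custodian_id value, the 14-day reminder window and the reading of a null retention_days as "indefinite" are assumptions.

```python
from datetime import date, timedelta

# The four kinds listed in the data model; anything else is rejected (fail closed).
KNOWN_KINDS = {"oauth", "credentials", "file_delivery", "manual_upload"}


def validate_flow(flow: dict) -> dict:
    """Type-check one auth flow record against the data model; raise ValueError."""
    for field in ("id", "custodian_id", "kind"):
        if not isinstance(flow.get(field), str) or not flow[field]:
            raise ValueError(f"{field}: expected non-empty string")
    if flow["kind"] not in KNOWN_KINDS:
        raise ValueError(f"kind: unknown value {flow['kind']!r}")
    if not isinstance(flow.get("requires_user_action"), bool):
        raise ValueError("requires_user_action: expected boolean")
    days = flow.get("retention_days")
    # Assumption: null means "indefinite until revoked"; the page does not say
    # how that case is encoded. bool is excluded because it subclasses int.
    if days is not None and (
        isinstance(days, bool) or not isinstance(days, int) or days <= 0
    ):
        raise ValueError("retention_days: expected positive integer or null")
    return flow


def refresh_due(flow: dict, authorised_on: date, warn_days: int = 14):
    """Return (expires_on, remind_on), or (None, None) for indefinite flows."""
    days = validate_flow(flow)["retention_days"]
    if days is None:
        return None, None
    expires_on = authorised_on + timedelta(days=days)
    return expires_on, expires_on - timedelta(days=warn_days)


# Constructed sample record, shaped after the data model above.
SAMPLE = {
    "id": "nordea-20260630",
    "custodian_id": "nordea",  # constructed value
    "kind": "oauth",
    "requires_user_action": True,
    "retention_days": 180,
}

if __name__ == "__main__":
    print(refresh_due(SAMPLE, date(2026, 7, 1)))
```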
List auth flows
Returns every auth flow in the catalogue. The response is compact and stable across releases — safe to cache for the duration of an onboarding session.
Request
curl https://api.aleta.io/v2/custodian-auth-flows \
-H "Authorization: Bearer {token}"
Retrieve an auth flow
Fetch a single flow when you already hold its slug (e.g. from a supported_auth_flows entry on a custodian record).
Request
curl https://api.aleta.io/v2/custodian-auth-flows/{id} \
-H "Authorization: Bearer {token}"
Related
- Custodians — the providers these flows authorise against.
- Authorities — the consent record you end up with.