User consent collection

This page describes the design requirements for the consent collection screen, which customers using the API-only flow with Token’s license must adhere to.

PIS consent collection

For customers using Token.io's payment service with Token's license, the PIS consent collection screen for users should contain:

  • the payment amount

  • the currency

  • the beneficiary account name

  • the payment reference

  • wording indicating a 'secure' transaction or transfer

  • consent text including the Terms

PIS consent

You can use Token's payment service to make a secure payment directly from your bank account to the benefit of the [TPP name].

The terms governing your use of Token's service can be found at Terms & Conditions.

PIS with returnRefundAccount consent

You can use Token's payment service to make a secure payment directly from your bank account to the benefit of the [TPP name]. We will ask your bank to share your account details. We will only use these details when necessary such as processing a refund request.

The terms governing your use of Token's service can be found at Terms & Conditions.

Legal requirements for returnRefundAccount in PIS

Customers sending PIS requests with the returnRefundAccount=true attribute must comply with specific legal requirements:

  • GDPR and PSD2 consent are two separate items and need to be treated separately.

  • For GDPR, Token is not the data controller, only a data processor. The TPP is the data controller.

  • For PSD2 consent, the consent language will be amended slightly to accommodate multiple use cases, as opposed to calling out refunds only.

  • The data controller controls what the data can be used for.

AIS consent collection

For customers using Token.io's payment service with Token's license, the AIS consent collection screen for users should contain:

  • access permissions

    • transactions

    • account data

    • balance

    • standing orders

  • wording mentioning consent

  • mention of the regulated party

  • mention of the client's name

  • the date up until when the data will be accessible

  • consent text including the Terms

AIS consent

Token will access the above information from your selected accounts until [date] and will provide this information to you and [TPP name] who will use the same in fulfilment of its services to you. The terms governing your use of Token’s service can be found at Terms & Conditions.

Which Terms & Conditions to use?

The Terms & Conditions to be used will depend on whether you have an outsourcing agreement in place or you are registered as an agent of Token.

| Token’s license … | Consent | Terms and conditions |
|---|---|---|
| … + Hosted Pages | Token’s consent (Hosted Pages) | Token’s Terms & Conditions (Hosted Pages) |
| … + Client UX with consent outsourcing | Token’s consent | Token’s Terms & Conditions |
| … + client registered as an agent of Token | Client’s consent referencing Token | Client’s Terms & Conditions, but these must align with Token’s and must include details of how to contact Token as the principal regulated party. Alternatively, Token’s Terms & Conditions can be used (not mandatory). |

Terms & Conditions

Token's Terms & Conditions can be found on the Token.io website.

Agents of Token are TPPs using Token's license with Partner Permissions.

Consent language

Clients need to mention that they are an Agent of Token, who are regulated by the FCA (registration no. 795904). They must show unambiguous Consent text with a link to the Terms & Conditions, and present these to the user.

Terms & Conditions

The client’s own Terms & Conditions must align with Token’s and must include details of how to contact Token as the principal regulated party.

Alternatively, Token’s Terms & Conditions can be used (this is not mandatory).

If you have any feedback about the developer documentation, please contact devdocs@token.io

© 2025 TOKEN, INC.     ALL RIGHTS RESERVED.