Smart Tokens

In Open Banking, tokens replace identifying information (about the user and the user's bank account, or about the user and a payment request) with what appears to be a random string of characters and numbers. Nobody except the bank knows what the token actually means or the information it contains. Tokens are made even more inscrutable by encrypting the communication between the TPP, Token and the bank.

Smart tokens are at the heart of Token.io's Open Banking solution. Each token comprises three major components: asset, rules, and state. The asset is what the token represents (i.e., what it is being exchanged for). The rules govern how it can be used, when it can be used, by whom and with whom. Its state reflects whether or not it is active/unused, canceled, or redeemed. What this all boils down to is that a token can be used only once and only by the party to whom it was originally issued and strictly for the purpose for which it was issued, providing inherent security in each request-reply exchange.

For PSD2, smart tokens come in two kinds: transfer tokens and access tokens. Transfer tokens authorize payment or the transfer of assets or funds from a payer to a designated payee. They function as programmable money. Access tokens authorize user-approved access to a member's bank account information. The type and level of access granted by the bank depend on the conditions set for the access token — who may access the data, what data, how, and when it can be accessed.

A typical transfer token use case arises when a business (the payee) asks a member (the payer) to authorize a smart token to pay for an online purchase: "Allow Business XYZ to initiate a payment from my bank account to pay €224 for order 79262212."

A typical access token use case is when a member (the grantor) authorizes a service (the grantee) to access and aggregate their bank account information.

A token is created upon successful user authentication with the bank. It contains all the details specified in the request.

Tokens are redeemed to execute a payment (single, future-dated, bulk transfers) or a series of payments (recurring, based on a standing order), or to access account information. For transactions, you will receive a transfer ID in a callback from Token.io after successfully initiating a payment on your user's behalf. This means the transfer token has been redeemed and no further action is required. For account information, the access token ID you receive in response to an AIS request is redeemed in accordance with the consent granted by the user for account balance(s) and/or transaction history.

An unused token can be retrieved to check its status based on matching properties. Unredeemed tokens can be canceled at any time.
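The following is an added illustrative model of the rules described above (the three components of a token, single use, binding to the issued-to party and purpose, cancel-while-unredeemed, status lookup); it is not Token.io's SDK or data model, and the class and field names are assumptions chosen to mirror the prose.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
import secrets

class State(Enum):
    ACTIVE = "active"      # issued, not yet used
    REDEEMED = "redeemed"  # consumed once; cannot be used again
    CANCELED = "canceled"  # withdrawn before redemption

@dataclass
class Token:
    # The three components from the text: asset, rules (payee + purpose), state.
    asset: str           # what the token represents, e.g. "EUR 224.00"
    payee: str           # rule: the only party allowed to redeem it
    purpose: str         # rule: the only purpose it may be redeemed for
    state: State = State.ACTIVE

class TokenRegistry:
    """Holds the mapping from opaque id to meaning; only this side can read a token."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, asset: str, payee: str, purpose: str) -> str:
        # The id carries no user or account data; it is meaningless outside the registry.
        token_id = secrets.token_urlsafe(24)
        self._tokens[token_id] = Token(asset, payee, purpose)
        return token_id

    def redeem(self, token_id: str, caller: str, purpose: str) -> bool:
        tok = self._tokens.get(token_id)
        if tok is None or tok.state is not State.ACTIVE:
            return False  # unknown, already redeemed, or canceled
        if caller != tok.payee or purpose != tok.purpose:
            return False  # wrong party or wrong purpose; token stays active
        tok.state = State.REDEEMED  # single use: a second redeem fails above
        return True

    def cancel(self, token_id: str) -> bool:
        tok = self._tokens.get(token_id)
        if tok is None or tok.state is not State.ACTIVE:
            return False  # only unredeemed tokens can be canceled
        tok.state = State.CANCELED
        return True

    def status(self, token_id: str) -> Optional[State]:
        tok = self._tokens.get(token_id)
        return tok.state if tok else None
```

A rejected redemption (wrong party or wrong purpose) leaves the token active, so a legitimate payee can still use it, while a successful redemption or a cancel is terminal.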