Fintech applications need secure, compliant access to customer banking data. PSD2 (Payment Services Directive 2) in Europe mandated standardized banking APIs, but integrating with them requires navigating complex OAuth flows, sandbox testing, and compliance requirements. A fintech team needed a battle-tested integration that could handle both browser-based and headless authentication flows.
Problem
PSD2 APIs are powerful but complex. Different banks implement OAuth variations, rate limiting differs, and error handling requires careful state management. Testing in sandbox requires simulated BankID logins. Building a robust integration from scratch risks security gaps, compliance violations, and operational friction.
Solution architecture
Modular OAuth implementation
The platform implements two authentication flows: a standard redirect flow for browser-based apps (login → authorization → callback) and a decoupled headless flow for server-to-server use (auto-initiation → BankID simulation → token exchange). Both flow patterns share core token management and refresh logic.
Resilient API client with retry logic
All PSD2 API calls are wrapped with exponential backoff retry logic, rate-limit awareness, and request ID tracking. Transient failures (5xx, rate limits) trigger retries; permanent failures (4xx) fail fast with clear error messages.
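The retry policy described above, as an added illustration that is not the platform's own code: a transport-agnostic wrapper that retries 429 and 5xx responses with exponential backoff and jitter, honours a bank's Retry-After value, fails fast on other 4xx, and reuses one request ID across all attempts of a logical call for audit correlation. The `send` callable, the `Response` stand-in and the `X-Request-ID` header name are assumptions made for the example.

```python
import random
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str = ""
    retry_after: Optional[float] = None  # seconds, from a Retry-After header if present

class PermanentError(Exception):
    """4xx other than 429: the request itself is wrong; retrying cannot help."""

class TransientError(Exception):
    """429 or 5xx that did not clear within the retry budget."""

def is_transient(status: int) -> bool:
    """Only rate limits (429) and server errors (5xx) are worth retrying."""
    return status == 429 or 500 <= status <= 599

def call_with_retry(send: Callable[[dict], Response], path: str, *,
                    max_attempts: int = 4, base_delay: float = 0.5,
                    sleep: Callable[[float], None] = time.sleep) -> Response:
    """Send `path` via `send`, retrying transient failures with exponential backoff."""
    # One request ID for every attempt of this logical call so audit logs can
    # correlate retries; the header name is an assumption, not a PSD2 standard.
    headers = {"X-Request-ID": str(uuid.uuid4())}
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        resp = send({"path": path, "headers": headers, "attempt": attempt})
        if 200 <= resp.status < 300:
            return resp
        if not is_transient(resp.status):
            # Fail fast, quoting the request ID so the caller can raise it with the bank.
            raise PermanentError(f"{path}: HTTP {resp.status} [{headers['X-Request-ID']}] {resp.body}")
        if attempt == max_attempts:
            raise TransientError(f"{path}: HTTP {resp.status} after {attempt} attempts [{headers['X-Request-ID']}]")
        # Honour the bank's Retry-After when given; otherwise back off exponentially with jitter.
        wait = resp.retry_after if resp.retry_after is not None else delay + random.uniform(0, delay / 2)
        sleep(wait)
        delay *= 2
    raise AssertionError("unreachable: loop always returns or raises")
```

Injecting `sleep` keeps the wrapper testable without real delays; in production the default `time.sleep` applies.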
Multi-account data retrieval
Once authenticated, the platform fetches accounts, balances, and transactions. Data is structured into Pydantic models with full type safety, then exported to Excel or cached for downstream use.
Authentication flows: 2 (redirect + headless)
Rate limit handling: automatic retry + backoff
Sandbox coverage: 100% feature parity
Type safety: Pydantic validation on all responses
Environment-based configuration
API credentials, OAuth URLs, and sandbox/production endpoints are managed via environment variables and Pydantic settings, making it trivial to swap between sandbox and production without code changes.
Insight
PSD2 compliance built-in
The implementation includes request ID tracking, proper error handling, and audit logging to meet PSD2 compliance and regulatory audit requirements.
Outcome
The platform eliminates the need to reverse-engineer banking APIs or manage fragile auth flows. Teams can integrate with PSD2 banks in days, not months. The modular design supports multiple bank connections simultaneously, and the sandboxed testing environment means you can test thoroughly before going live.