
Data Holder - PNZ - Technical Guide

Wych Data Holder Platform: Payments New Zealand #

Welcome to the Wych Data Holder Platform. This guide outlines how to harness the platform’s features to ensure compliance with Payments NZ standards, streamline your account setup, and optimize data sharing. With its user-friendly interface and robust capabilities, the Wych Data Holder Platform ensures compliance with the Payments New Zealand version 2.3 standard while delivering seamless integration, operational efficiency, and enhanced data security.


Key Features #

  • Regulatory Compliance: Fully adheres to version 2.3 of the Payments New Zealand Banking Data standards, enabling secure, transparent, and efficient data sharing.
  • API-First Design: Integrates effortlessly into your existing infrastructure, saving time and resources.
  • Enterprise-Grade Security: Implements robust measures to safeguard sensitive customer data from breaches or unauthorized access.
  • Deployment Flexibility: Re-use your existing APIs and infrastructure to align with Payments New Zealand version 2.3+ standards, ensuring rapid and efficient integration, tailored to your organizational needs.
  • Advanced Monitoring Tools: Leverage real-time dashboards and alerts to manage and oversee data sharing activities effectively.

Getting Started #

1. Account Setup #

  1. Reach out to your Wych account manager to initiate the onboarding process.
  2. Submit the necessary business documentation for verification and approval.
  3. Receive your personalized login credentials and API keys to access the platform.

2. Platform Access #

Use the provided credentials to log in to the platform at nz.partner.wych.app.


Configuration Steps #

1. Connect to Your Systems #

  • Utilize the API documentation to integrate your internal data sources with the Wych Data Holder Platform.
  • Access your admin app console to retrieve your credentials, which include:
    • Partner ID: Identifies your business.
    • App ID: Identifies your app.
    • API Key: Used as the x-api-key header in API requests.
    • Client ID: Unique identifier for API client authentication.
    • Client Secret: secret key used for API client authentication.

[Figure: consent panel]

  • The API is available at nz.api.wych.io/.
  • To access the API, authenticate with your client ID and client secret via the token endpoint listed in the openid-configuration discovery document. The request is sent as a POST with an x-www-form-urlencoded body containing:
    • client_id and client_secret
    • grant_type of client_credentials

Consent journeys involve three parties:

  • Bank: The data holder.
  • Customer: The consenter.
  • TPP: The third-party participant, or the data recipient.

[Figure: consent journey]

The Wych platform facilitates the management of consent by the customer, the compliant sharing of customer data by the bank, and the retrieval of data by the TPP. The consent journey begins with the TPP initiating the process. The customer is directed to the Wych Consent service, which redirects them to the Data Holder’s customer authentication system using OpenID Connect (OIDC). Once the customer completes consent at the Data Holder, they return to the Wych Consent service to finalize the flow, choosing accounts to share or initiating payments.

For this flow to work, Wych requires two sets of information:

  1. Connection details, so that authentication works.
  2. Client details, if client_assertion_jwt is used.

Setup remote OIDC client #

When creating a client for the remote OIDC service in your IdP system, Wych requires that our client use a client assertion JWT, verified against the JWKS URL: https://{{auth_host}}/realms/{{appId}}/protocol/openid-connect/certs. Client assertions will be signed with the signing key contained in the data holder specific certs.

Example /protocol/openid-connect/certs response:
{
   "keys": [
       {
           "kid": "5f816dc1-31cb-4cae-8c97-aa5f788a276d",
           "kty": "RSA",
           "alg": "PS256",
           "use": "sig",
           "n": "80ad7b81-0270-4052-af8c-97ec82a5a658d0b23aba-12cc-489b-acc1-2838287bac6a...612056ed-9674-4bd0-9fa0-7b1b51c0857c",
           "e": "AQAB",
           "x5c": ["a6a0b133431140e6baf60904804795c0afa1d8e3e4ba49ba94a10aeffe643645832a420a9d494778944c584e92589720a2d41a11108946b9a4978b4b7e70d3e3=="],
           "x5t": "4ca4995995d24c87b34ec1e1c7153235",
           "x5t#S256": "2b789302a31545d094cd0472008b0eb5"
       }
   ]
}

The following Authorized redirect URI should be set: https://{{auth_host}}/realms/{{appId}}/broker/{{clientId}}/endpoint

Required Information for Connection #

  • Client ID: A unique identifier for the client application provided by the OIDC provider.
  • Client Secret: A secret key that authenticates your client; a client_assertion_jwt is preferred over a shared secret.
  • Redirect URI: The URI where the OIDC provider will send users after authorization (for flows requiring user interaction).
  • Scopes: Specify the required scopes, such as openid, profile, email, etc., that define the level of access the Wych application requires.
  • Response Type: Defines the type of response expected, such as code, id_token, or token.
  • Grant Type: Specifies the OIDC flow, such as authorization_code, client_credentials.

Required Information for Client #

  • Secret Resolution: Either the client secret or the JSON Web Key Set (JWKS) URL if using a client assertion JWT.
  • Valid Redirect URIs: URIs that are accepted in the initial auth request.

Expected Responses #

Upon a successful connection, the following is typically returned:

  • ID Token: A JWT that includes claims about the authenticated user, like sub (subject identifier), name, email, etc.
  • Access Token: Used to access the resources associated with the user’s account. Its scope depends on the requested permissions.
  • Refresh Token (if applicable): Allows the client to obtain a new access token without re-authentication.
  • Discovery Document: If accessed directly, it provides OIDC server metadata such as authorization endpoint, token endpoint, and supported scopes, grants, and claims.

Log in to the Wych Data Holder Platform using your credentials.