---
api: 'Open Banking API'
---

# Create an account access consent

Before you can access any data from a Revolut user, you must create an access consent to read data from the user's profile.

:::note
When you create an account access consent, you must include a specific permission that follows the rules in the table below; otherwise, you get a `400 Bad request` error.
:::

**Request Permissions**

| PERMISSIONS | DEPENDENCIES |
|--|--|
| ReadAccountsBasic | None |
| ReadAccountsDetail |None|
| ReadBalances |None|
| ReadBeneficiariesBasic |None|
| ReadBeneficiariesDetail |None|
| ReadDirectDebits |None|
| ReadScheduledPaymentsBasic |None|
| ReadScheduledPaymentsDetail |None|
| ReadStandingOrdersBasic |None|
| ReadStandingOrdersDetail |None|
| ReadTransactionsBasic |None|
| ReadTransactionsCredits |ReadTransactionsBasic OR ReadTransactionsDetail|
|ReadTransactionsDebits |ReadTransactionsBasic OR ReadTransactionsDetail|
| ReadTransactionsDetail | None |

See also [Tutorials: Get account and transaction information](/docs/guides/build-banking-apps/tutorials/get-account-and-transaction-information#2-create-an-account-access-consent).

## Endpoint

POST `/account-access-consents`

## Parameters

### header parameters

- `x-fapi-financial-id` (string, required)
  The unique ID of the [ASPSP](/docs/guides/build-banking-apps/glossary) that the request is issued to.
  The ID of Revolut is `001580000103UAvAAM`.

- `x-fapi-customer-last-logged-time` (string, optional)
  The date and time when the [PSU](/docs/guides/build-banking-apps/glossary) last logged in with the [TPP](/docs/guides/build-banking-apps/glossary).
  
  All dates in the HTTP headers are represented as [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.1.1) Full Dates.
  For example: <nobr>`Sun, 10 Sep 2017 19:43:31 UTC`</nobr>.

- `x-fapi-customer-ip-address` (string, optional)
  The IP address of the [PSU](/docs/guides/build-banking-apps/glossary) if the PSU is logged in with the [TPP](/docs/guides/build-banking-apps/glossary).

- `x-fapi-interaction-id` (string, optional)
  An [RFC4122](https://datatracker.ietf.org/doc/html/rfc4122) UUID used as a correlation ID.

- `Authorization` (string, required)
  The access token that you've generated.
  For more information, see [Generate an access token](/docs/guides/build-banking-apps/get-started/get-access-token).

- `x-customer-user-agent` (string, optional)
  The user agent that the [PSU](/docs/guides/build-banking-apps/glossary) is using.

## Request body

### Attributes

- `Data` (object)
  - `Data.Permissions` (array of enum)
      Specifies the type of data access to the account.
      This is a list of the data clusters being consented by the [PSU](/docs/guides/build-banking-apps/glossary), and requested for authorisation with the [ASPSP](/docs/guides/build-banking-apps/glossary).
  - `Data.ExpirationDateTime` (string, optional)
      Specifies the date and time the permission expires.
      If this is not specified, the permission is open ended.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
  - `Data.TransactionFromDateTime` (string, optional)
      Specifies the start date and time for the transaction query period.
      If this is not specified, the start date is open ended, and data is returned from the earliest available transaction.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
  - `Data.TransactionToDateTime` (string, optional)
      Specifies the end date and time for the transaction query period.
      If this is not specified, the end date is open ended, and data is returned to the latest available transaction.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
- `Risk` (object)
    The Risk section contains the risk indicators that the initiating party sends to the [ASPSP](/docs/guides/build-banking-apps/glossary), which can be used to specify additional details for risk scoring for account information.

## Returns

### 201

Account Access Consents Created

#### Response attributes

- `Data` (object)
  - `Data.ConsentId` (string)
      The unique ID that is assigned to identify the account access consent resource.
  - `Data.CreationDateTime` (string)
      The date and time when the account access consent was created.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
  - `Data.Status` (enum)
      The status of the account access consent.
      Possible enum values:

      - `Authorised`
      - `AwaitingAuthorisation`
      - `Rejected`
      - `Revoked`
  - `Data.StatusUpdateDateTime` (string)
      The date and time when the account access consent was created.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
  - `Data.Permissions` (array of enum)
      The type of data access to the account.
  - `Data.ExpirationDateTime` (string, optional)
      The date and time when the permission expires.
      If this is not specified, the permission is open ended.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
  - `Data.TransactionFromDateTime` (string, optional)
      The start date and time for the transaction query period.
      If this is not specified, the start date is open ended, and data is returned from the earliest available transaction.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
  - `Data.TransactionToDateTime` (string, optional)
      The end date and time for the transaction query period.
      If this is not specified, the end date is open ended, and data is returned to the latest available transaction.
      
      All dates in the JSON payloads are represented in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date-time format.
      All date-time fields in responses must include the timezone.
      
      For example: `2017-04-05T10:43:07+00:00`.
- `Risk` (object)
    The Risk section contains the risk indicators that the initiating party sends to the [ASPSP](/docs/guides/build-banking-apps/glossary), which can be used to specify additional details for risk scoring for account information.
- `Links` (object)
    Links relevant to the payload.
  - `Links.Self` (string)
      The absolute URI to the resource.
  - `Links.Next` (string, optional)
      The absolute URI to the next pagination resource.
  - `Links.Prev` (string, optional)
      The absolute URI to the previous pagination resource.
- `Meta` (object)
    Meta data relevant to the payload.
  - `Meta.TotalPages` (integer, optional)
      Used for pagination. Indicates how many pages of results are available.

## Error responses

| HTTP status code | Description |
| --- | --- |
| 400 | Bad request |
| 401 | Unauthorized |
| 403 | Forbidden |
| 405 | Method Not Allowed |
| 406 | Not Acceptable |
| 415 | Unsupported Media Type |
| 429 | Too Many Requests |
| 500 | Internal Server Error |