API Specifications

Which role should be used in the QWAC PSD2 certificates?

The role is not relevant for the VOP scheme. The Responding PSPs should not check this information.

The OpenAPI specification defines the service URL as "/vop/v1/payee-verifications". Could the "Inter-PSP" VoP services be differentiated from internal (PSU->PSP) VoP services? For example, it would help to assume a URL such as "/vop/fi2fi/v1/payee-verificat

The API “Verification of Payee” is dedicated only to the inter-PSP space.

The OpenAPI specification prescribes the mandatory "code" attribute in VerificationOfPayeeError with a fixed set of codes (FORMAT_ERROR, CLIENT_INVALID, CLIENT_INCONSISTENT, TIMESTAMP_INVALID).

Could minLength=1 be used for all string attributes in the OpenAPI specs, except for the cases where it clearly makes sense to differentiate between "not provided" and "empty"?

The string types (such as Max35Text, Max70Text etc.) in the OpenAPI specs differ from the ISO 20022 standard types of the same names, where min length is prescribed to be 1.

Is it correct to treat authorization issues with HTTP 401, while this should typically be done with HTTP 403?

The VOP API WB decided not to include HTTP 403.

The VoP API specification (Chapter 4.4) prescribes the usage of RFC 7807 Problem Detail structure, but links it with Content-type "application/json".

The standard approach is to use the content type "application/problem+json", which clearly informs the client that the problem detail structure is provided.

The Verification Of Payee API Specifications list some of the error cases identified and provide the corresponding error codes. However, there is no message code in two cases (Certificate items and Internal Server Error).

We believe that this is a mandatory field; consequently, a specific message code should be added. Could you please clarify what code should be used in these cases?

In case of a misdirected request (the IBAN does not belong to the PSP that receives the request), should the PSP return the message ‘Verification Not Possible’?

If the validation of the requesting PSP (via the BIC / NAN check) is successful, the response should be HTTP 200 – “partyNameMatch”: “NOAP” (Verification Not Possible).

Is it possible to send examples of the response payload in case of error (http 400 and http 500)? For example, what value should be put in the attribute CODE in case of http 500?

The HTTP code is sufficient, the VOP API WB agreed to change the YAML to reflect this.
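A requesting PSP's handling of the error responses discussed above, as an added example that is not part of the EPC specification or this FAQ: it accepts a problem-detail body under either "application/json" or "application/problem+json", allowlists the four "code" values, and treats the body as optional. The function names, the size cap, the placement of "code" as a top-level member of the JSON body and the category labels are assumptions.

```python
import json

# Error codes this page lists for VerificationOfPayeeError.
KNOWN_CODES = {"FORMAT_ERROR", "CLIENT_INVALID", "CLIENT_INCONSISTENT", "TIMESTAMP_INVALID"}
# Media type the VoP spec links to RFC 7807, plus the one RFC 7807 itself registers.
PROBLEM_TYPES = {"application/json", "application/problem+json"}
MAX_BODY = 16 * 1024  # assumed cap; the page sets no size limit


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def classify_error(status, content_type, body):
    """Map a non-2xx VoP response to (category, code, notes) without trusting the body."""
    if status == 401:
        category = "auth"  # no 403 in the spec, so 401 also carries authorization issues
    elif 400 <= status < 500:
        category = "client_error"
    elif status >= 500:
        category = "server_error"  # the HTTP code is sufficient; a body is optional
    else:
        raise ValueError(f"not an error status: {status}")

    code, notes, doc = None, [], None
    if body:
        if media_type(content_type) not in PROBLEM_TYPES:
            notes.append("unexpected content type, body ignored")
        elif len(body) > MAX_BODY:
            notes.append("body too large, ignored")
        else:
            try:
                doc = json.loads(body)
            except ValueError:  # also covers undecodable bytes
                notes.append("body is not valid JSON")
            if doc is not None and not isinstance(doc, dict):
                notes.append("body is not a JSON object")
    if isinstance(doc, dict):
        raw = doc.get("code")
        if isinstance(raw, str) and raw in KNOWN_CODES:
            code = raw  # only allowlisted values reach logs or callers
        elif raw is not None:
            notes.append("unknown code, not propagated")
    if code is None and status == 400:
        notes.append("400 without a recognised code")
    return category, code, notes
```

The notes are intended for the requesting PSP's own monitoring; free-text members of the body such as "detail" are deliberately never returned.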

We would like to have more information about the usage of the party.identification.organisationId.others field. When should it be used and how will it work?

The “Generic Organisation Identification” element must be used when the party is identified using an identification other than the LEI or BIC, e.g. TXID.