As part of Akahu's dedication to privacy and the security of personal data, we use a permissions system to provide only the data an app requires to function (i.e. Principle of Least Privilege).
As an app developer, you will need to specify and give reasons for which permissions your app requires when you sign up to create an app. These permissions are enforced at the data access level, so your app will never be able to access data for which it doesn't have permission, nor ask users to grant access to data the app is not allowed to view.
For example: If your app provides account summaries to a dashboard, it has no reason to access payment or transfer permissions. If the app tried to access the
/payments endpoint it would be denied.
Personal apps are granted permission to access all data permissions, and also:
Personal apps are designed as sandboxes for developers to explore Akahu functionality. Because they are granted such extensive permissions, and due to the security and privacy risk if your access token is stolen, we recommend that you revoke access once you have finished using a personal app.
Data Access Permissions¶
Akahu provides the following data-access permissions.
Gives access to the user's basic identity information (name and primary email). This permission is given to all apps by default.
Gives access to all of the identity information pertaining to the user (IDENTITY_BASIC + other emails, phones, addresses and tax_numbers).
Gives access to the user's connected accounts. You will only be able to view the accounts shared with you by the user. The account data visible to your app is also limited, depending on whether your app needs access to balances, metadata, or account holder details.
Gives access to the user's transactions. You will only be able to view transactions from accounts shared with you by the user. Further restrictions may be applied including limiting the date window viewable for your app or limiting the categories of transactions visible to your app.
Gives access to the user's standing orders (also known as automatic payments). You will only be able to view standing orders that leave from accounts shared with you by the user.
In addition to the data permissions above, you app can apply for the following.
Gives access to our transfer API, allowing your app to move money between a user's accounts you have been granted access to.
Gives access to our payments API, allowing your app to send money to any account number from accounts you have been granted access to.
Gives your app permission to request access to multiple accounts belonging to the user.
Gives your app ongoing permission to access the user's accounts. One-off consent expires after 24 hours. Enduring consent is approved when appropriate for the use case, and can be approved for up to 365 days.
Gives your app permission to request access to bank account statements. See the Statements Guide for more details.