Overview & Scope

Consent Flow 3.0 upgrades bLink's consent model to a FAPI 2.0-aligned approach. The goal is to improve security, reduce integration friction, and enable cleaner lifecycle management of consents across the ecosystem.

What is changing?

Consent Flow 3.0 introduces mandatory PKCE and mandatory Pushed Authorization Requests (PAR), replaces PermissionIds with token-based access, and removes legacy username validation. Additional capabilities such as minimal Grant Management and notifications are currently under evaluation.

Who is affected?

  • Service Users: Must switch from PermissionIds to token-based access, implement PKCE, use PAR, and handle the refresh flow.
  • Service Providers: Must validate PKCE, implement PAR, and support the required token-based flow changes.
  • bLink Platform: Provides the migration path, specifications, and testing environments.
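As an added illustration (not bLink's own code or specification), here are the PKCE and PAR pieces the two sides must implement, in Python: the Service User derives an S256 code challenge and pushes the authorization parameters to the provider's PAR endpoint as a form body, and the Service Provider later validates the code verifier at the token endpoint. The client id, redirect URI and scope values are placeholders; endpoint URLs are assumed to come from the provider's metadata.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- Service User (client) side ---------------------------------------------

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes give a 43-character verifier, the RFC minimum."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_par_body(client_id: str, redirect_uri: str, scope: str, challenge: str) -> str:
    """Form-encoded body the client POSTs to the provider's PAR endpoint.
    Because the request is pushed over the back channel, none of these
    parameters appear in the browser redirect; only the returned request_uri does."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


# --- Service Provider side ---------------------------------------------------

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """At the token endpoint: recompute S256 over the presented verifier and
    compare it (constant time) with the challenge bound to the authorization
    code when it was issued. Verifiers outside the RFC length limits are rejected."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)
```

A provider should also make the authorization code single-use, so that a verifier captured after one successful exchange cannot be replayed.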

Scope

In scope

Planned / under evaluation

Info: These items are currently under evaluation and are not yet confirmed as part of the initial release scope.

  • Minimal Support for Grant Management.
  • Notifications concerning consent changes.

Out of scope (initial release)

  • Full Grant Management API (listing, querying, deleting grants via dedicated endpoints).
  • Mandatory concurrent consents (multi-consent is optional and may be advertised by Service Providers via metadata).

Compatibility & Transition

  • A transition window allows Consent 2.0 and 3.0 to run in parallel.
  • Consent 2.0 will be gradually phased out.