In alignment with the PSD2 regulation, a restricted quota is enforced when a TPP consumes the API without an active user involved. For example, this may be an automated process in which the TPP calls the API to analyze transaction data.
In this scenario, API access is restricted so that the TPP can make only four API calls in a 24-hour period. This applies to the production environment only.
For the Sandbox environment, we have relaxed the rule so that users can try the API more.
On the other hand, if an active user is triggering API calls through the TPP client, access is allowed up to the general quota rules we have placed in the production environment. In general, this is a high value that is more than enough for the end user to access the data.
How should the TPP let the API know about an active user?
The TPP must send an HTTP header named ‘x-fapi-customer-ip-address’ containing the end user's IP address if an active end user is triggering the API call.
If this header is not present, the API assumes the call was triggered by the TPP client without an active user and enforces the restricted quota.
These quota rules apply to all AISP APIs except ‘Account Access’.
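A TPP client can mirror these rules locally so that unattended jobs stop before the API rejects them. The sketch below is an added example, not code from the API provider. It assumes a rolling 24-hour window and a caller-chosen `scope` key for counting (the page does not say how the four calls are counted), and the API labels `account-access` and `transactions` are hypothetical.

```python
import ipaddress
import time
from collections import defaultdict, deque

HEADER = "x-fapi-customer-ip-address"
UNATTENDED_LIMIT = 4             # from the page: four calls
WINDOW_SECONDS = 24 * 60 * 60    # from the page: 24-hour period
EXEMPT_APIS = {"account-access"}  # hypothetical label for the exempt 'Account Access' API


class UnattendedQuota:
    """Client-side mirror of the restricted quota (rolling window is an assumption)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._calls = defaultdict(deque)  # scope -> timestamps of unattended calls

    def prepare(self, api, scope, customer_ip=None):
        """Return the extra headers for one call, or raise if the budget is spent.

        customer_ip must be the address of the end user who triggered the call;
        pass None for scheduled or batch work so the header is omitted.
        """
        if customer_ip is not None:
            # Active end user: validate the address before forwarding it.
            # ipaddress.ip_address raises ValueError on malformed input.
            return {HEADER: str(ipaddress.ip_address(customer_ip))}
        if api in EXEMPT_APIS:
            return {}
        now = self._clock()
        window = self._calls[scope]
        # Drop calls that have aged out of the 24-hour window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= UNATTENDED_LIMIT:
            wait = int(window[0] + WINDOW_SECONDS - now)
            raise RuntimeError(f"unattended quota spent, retry in {wait}s")
        window.append(now)
        return {}
```

Merge the returned dictionary into the request headers. Calls made with a validated end-user address are not counted against the local unattended budget.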