Technical Open Banking Glossary of Terms

Here you can consult the most used words and concepts in the field of open banking and the APIs of BBVA API_Market.



Account Information Service Providers, better known by the acronym AISP, provide aggregated information about the payment accounts that the customer holds at one or more providers.

The EU Payment Services Directive (PSD2) regulates the activity of these operators who, with the users' consent, allow them to consult their financial information in several banks through a single interface or platform, without having to log on to each account separately.

For users, being able to access all their information in an aggregated and conveniently ordered way makes it easier for them to control their income and expenses. For AISPs, access to customers' bank statements allows them to study their activity, create profiles, and anticipate their needs to offer certain products.


An Account Manager Payment Service Provider, better known by the acronym ASPSP, offers a payer one or more payment accounts and is responsible for maintaining them, as detailed in the EU Payment Services Directive (PSD2).

That is, these are the financial institutions, mainly banks, that hold the funds and maintain the checking accounts and cards of the user who wants to make a payment, and such institutions must have a banking card.

The entry into force of PSD2 has compelled banks to provide information on the accounts of customers who authorize new operators, which will provide new services such as initiating payments on behalf of the customer or adding all their financial information in a single interface.


The API key is a code identifying the user of an API.

An API is a protocol that allows you to exchange information between different applications. The API key is used to identify the user who is making the request for information, or API call. On the one hand, it allows the caller's identity to be authenticated each time a call is made and, on the other hand, it allows the usage made of the API to be tracked.


This standard is laid down by the Spanish Banking Association (AEB) to regulate passing on current account statements and credit policies, and thus facilitate bank reconciliation and accounting operations in companies.

The banking association has defined a set of rules and protocols, also called rulebooks, which serve as a standard for all Spanish financial institutions.

In this case, the so-called AEB rulebook or standard 43 defines what the file used to share information about one or more accounts should look like. In addition to the characteristics of the file itself, it stipulates how the data of the account or accounts from which information is given should be detailed, as well as the activity or notes recorded in them and the relevant references in this regard.

This standardization makes it easier to automate accounting and cash flow processes, as well as exchange information, allowing companies to optimize managing them.


BBVA Net Cash

BBVA Net Cash is BBVA's online banking solution for businesses. Its app allows entrepreneurs and freelancers to save time managing their business.

Through this app, the small businessman can not only view his position with BBVA from his cell phone, but all his national and international collections and payments from the simplest, such as transfers and debits, to more complex ones, which may be the payment of his imports or reverse factoring.

With BBVA Net Cash it is also possible to manage your cards or find out the billing made through your POS, among other services. In addition, the app enables you to receive personalized notifications about to-do tasks and aspects related to managing your day-to-day business and is consequently an essential tool for the company's financial management.


The term branch is used in Git version-controlled code repositories. Branches are used to define separate environments in which developers work on the same project in an organized manner but autonomously.

The software project will have a main or master branch, from which branches stem. This enables each programmer to work independently; their work is then merged back into the main branch or into other branches of the project.

In its version control system, Git stores a point-in-time copy of the entire file that each developer is working on at the time the developer commits changes, as well as metadata with the author and the explanatory message of the work they have done or changes made to the main project.

Branches are especially useful in projects involving multiple programmers because, as each branch is autonomous, each can modify their files, according to their needs or preferences, in a separate environment. This will not affect the file of the other members involved in the same project.



Cache is the temporary fast-access memory that stores data recently processed by a computer or IT system.

When the user first accesses information, the system makes a copy of the most relevant data in this buffer or cache. So, the next time you want to review that information, that data will be available without having to make a request to the original source again, which saves time and makes things more efficient.

There are several types of cache: disk cache (portion of RAM associated with a particular disk), trace cache (similar to RAM), and web cache (which stores data from websites visited). If necessary, cache can be cleared manually to free up space and speed up processing new information or to facilitate reloading data that has subsequently been modified in the source.

CCA: Common Cryptographic Architecture

Common Cryptographic Architecture (CCA) is a computer structure that simplifies the use of cryptographic services as well as compliance with national and international standards. Designed and developed by IBM, it uses a combination of a public key and secret key or symmetric cryptography for key distribution.

The so-called CCA security API enables applications to obtain services and manage the operation of a cryptographic system that meets the specifications of this Common Cryptographic Architecture.


When it comes to APIs, the client is a set of protocols and computing tools that allow a user application to perform various operations. In a REST architecture, the most efficient and common standard in creating APIs for Internet services, there is an exchange of information between the client and server in which requests are handled with HTTP.

The API client makes it easy for the user to manage API requests and responses.


CRUD is an acronym formed with the initials of the terms create, read, update and delete. These are the four essential operations that can be performed on a system or database: create records, read records, update records, and delete records. In the API environment, these operations correspond respectively to the verbs POST, GET, PUT and DELETE.

Depending on the type of operation intended to be performed, one verb or another can be used on the same endpoint generating a different response.

- GET request

For example, if we want to get a certain type of data, we will make a GET request (read).

GET /foo

This will usually return a JSON-type object accompanied by code indicating how the process went.

key: value

- POST request

If you want to create new data in the API, you will have to make the call using the POST verb (create). In this case, we must accompany the call with the data that we want to send.

POST {key:value} /foo

- PUT or DELETE request

To PUT (modify) or DELETE we will need to specify on the endpoint which element we want to operate. It is usually done through an identifier.

PUT {key:value} /foo/:identifier

DELETE {key:value} /foo/:identifier

In all cases the API will return a status code to us.

The most common codes provided by a REST API call are as follows:

Everything has gone as expected
Unauthorized user
Service does not exist
Service temporarily unavailable



When it comes to APIs, an endpoint is the point of contact between an API and a server. It typically corresponds to a server URL that gives access to a particular object or collection of objects. Although it is an English term, it is also commonly used in Spanish.

It is one of the pieces of essential data in an API's documentation because it is the parameter that programmers will use to implement their requests and access server resources.


The European Banking Authority is an independent authority that oversees the banking sector to ensure it functions correctly and that there is financial stability in the European Union.

Known by its acronym, the EBA (European Banking Authority) was created in January 2011, in the midst of the international financial crisis generated by junk or subprime mortgages. The London-based entity assumed the powers and responsibilities of the former Committee of European Banking Supervisors (CEBS).

The EBA's duties include performing stress testing on European banks to assess their possible capital weaknesses and ensuring the conditions for greater bank transparency and innovation. The European Commission has delegated to the European Banking Authority the development of certain policy sections, albeit Brussels gives the final approval.

Having the EBA's head office in the UK after Brexit is a complex, somewhat anomalous situation which the European bureaucracy may have to resolve over time.



HATEOAS is an acronym for Hypermedia As The Engine Of Application State. The term hypermedia refers to content containing links to images, multimedia information and text.

In a REST API architecture, HATEOAS is what ensures that each time a request is made to the server and it returns a response, part of the information it contains will be the browsing hyperlinks associated with other client resources. This makes it possible for developers to build apps that are easier to maintain and therefore more reliable for the client.

- How does HATEOAS work?

In a standard REST API architecture, cross-object references are made through a unique identifier that allows us to get the object's data. HATEOAS tries to simplify this reference by directly providing the endpoint of the object in question, so it is not essential to have a thorough knowledge of the API being integrated, similar to how the Atom standard does it.

GET /foo
id: 1,
references: {
  id: 2,
  id: 3
}

In the example shown above we have a data model that refers to two other objects. In this case, the API returns the identifiers so we will need to know the endpoint required to get the data from each of those IDs through a new call.

GET /foo
id: 1
references: {

This is simplified through HATEOAS: you do not need prior knowledge of the endpoint to call, because the API itself returns it.

Spring, one of the most widely used frameworks for Java application development, provides developers with several libraries that make it easy to create such APIs in both Spring and Spring MVC.
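
The difference between the two response styles described above, as an added example that is not part of the original page. The origin, the `/bar/:id` paths and the HAL-style `_links` layout are assumptions, and the "server" is constructed in-memory data. Because a HATEOAS client follows URLs chosen by the server, the example only follows links that stay on the API's own origin.

```javascript
// Added example. Constructed data: an in-memory stand-in for the API server.
// The origin, the /bar/:id paths and the HAL-style "_links" layout are assumptions.
const API_ORIGIN = "https://api.example.test";

const SERVER = {
  // Response style 1: bare identifiers, the client must know where they live.
  "/foo-ids": { id: 1, references: [{ id: 2 }, { id: 3 }] },
  // Response style 2: HATEOAS, the server hands out the endpoints itself.
  "/foo": {
    id: 1,
    _links: {
      self: { href: "/foo" },
      references: [
        { href: "/bar/2" },
        { href: "https://api.example.test/bar/3" },
        { href: "https://other.example.test/bar/4" }, // off-origin, must be skipped
      ],
    },
  },
  "/bar/2": { id: 2, _links: { self: { href: "/bar/2" } } },
  "/bar/3": { id: 3, _links: { self: { href: "/bar/3" } } },
};

// Stand-in for an HTTP GET: returns a status code and a parsed JSON body.
function get(url) {
  const path = new URL(url, API_ORIGIN).pathname;
  const body = SERVER[path];
  return body ? { status: 200, body } : { status: 404, body: null };
}

// Without HATEOAS: the "/bar/" template is hard-coded knowledge in the client.
function followById(startPath) {
  const root = get(startPath).body;
  return root.references.map((ref) => get("/bar/" + ref.id).body.id);
}

// Resolve a server-supplied href; accept it only if it stays on the API origin.
function safeLink(href) {
  try {
    const u = new URL(href, API_ORIGIN);
    return u.origin === API_ORIGIN ? u.href : null;
  } catch (e) {
    return null; // not a usable URL
  }
}

// With HATEOAS: follow whatever links the response carries, no endpoint template.
function followLinks(startPath) {
  const root = get(startPath);
  if (root.status !== 200) throw new Error("GET " + startPath + " returned " + root.status);
  const followed = [];
  const skipped = [];
  for (const link of root.body._links.references || []) {
    const target = safeLink(link.href);
    const res = target === null ? null : get(target);
    if (res !== null && res.status === 200) followed.push(res.body.id);
    else skipped.push(link.href);
  }
  return { followed, skipped };
}

console.log(followById("/foo-ids"), followLinks("/foo"));
```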


LAMP Stack

This is a set of open source software that is used to develop new custom, high-performance web applications. It also allows you to launch and maintain web servers.

The name LAMP comes from the programs that are used to perform that task: Linux (operating system), Apache (web server), MySQL (database administrator), and PHP, Perl or Python programming languages. LAMP has a classic layered architecture, with Linux at the lowest level; followed by Apache, MySQL, and later PHP.

LAMP Stack was one of the first open source stacks for the web and has generated a rich ecosystem around it, allowing you to build on what other people have programmed before to create your own development.



MuleSoft Anypoint Platform is an integration platform for SOA (Service Oriented Architecture), SaaS (Software as a Service) and API (Application Programming Interface) acquired by Salesforce in 2018. It enables enterprises to connect apps, data, and devices in both local servers and in the cloud through APIs.

This open source platform allows you to connect mainframes, ERP (Enterprise Resource Planning) systems and SaaS applications, building a network of secure and reusable integrations and APIs.

MuleSoft emphasizes that its platform allows companies to redesign their SOA infrastructure from legacy systems, proprietary platforms, and custom integration code. It also facilitates migrating technology infrastructure to the cloud and adopting SaaS applications.



Perforce is an American software company for application development with products devoted to version control, online repository management, collaborative software development, application lifecycle management (ALM), and Agile planning.


PII is an acronym for Personally Identifiable Information and serves to encompass all relevant data that by themselves or combined with others serve to distinguish or track the identity of a particular individual.

This terminology is especially used in the U.S., where it is included in various laws, while in Europe the use of the expression ‘personal data’ is more common. Its use is regulated by the General Data Protection Regulation (GDPR).

Both PII and personal data are two concepts commonly mentioned in matters related to online privacy, but they are not strictly legally comparable.
The National Institute of Standards and Technology (NIST), under the U.S. Department of Commerce, states that “organizations must minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.”
It also describes Personally Identifiable Information as any information about an individual that is maintained by an agency, including (1) information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

The U.S. institute details that to distinguish an individual is to identify an individual. It also clarifies that to “trace” an individual is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status.
In addition, it makes a distinction between linked information (information about or related to an individual that is logically associated with other information about the individual) and linkable (information about or related to an individual for which there is a possibility of logical association with other information about the individual).
Here are some examples of what may be considered Personally Identifiable Information (PII):
- Full name or alias.
- Personal identification numbers, such as social security number, passport number, driver’s license number, taxpayer identification number, or financial account or credit card number.
- Address information, such as street address or email address.
- Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.
- Telephone numbers, including mobile, business, and personal numbers.
- Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry).
- Information identifying personally owned property, such as vehicle registration number and related information.
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).


PISP is the acronym for Payment Initiation Service Providers.

As the EU Payment Services Directive (PSD2), which regulates its activity, explains, in online commerce “those services establish a software bridge between the website of the merchant and the online banking platform of the payer’s account servicing payment service provider” in order to initiate internet payments on the basis of a credit transfer.

It usually does not refer to banks (although they may also initiate payments) but to third party operators initiating a payment order, at the user's request, for an account in their name opened at a bank or financial institution.


PSD2 is the European regulation governing payment services. The name is an acronym of Second Payment Services Directive.

As the name suggests, this regulation, which came into force in Spain in 2018, includes the various payment services within the European Union as well as the requirements to carry out its activity, in an effort to respond to the needs of the new digital ecosystem and online commerce.

This regulation has opened the door to third party providers in the payment ecosystem, as well as compelling banks and financial institutions to share account information with them. With PSD2, European authorities seek to activate the transformation of the banking industry, strengthening security and fostering competition and innovation, thus promoting the development of better services and protecting the user.



querySelector() is a method implemented by the JavaScript programming language that allows you to select elements of the Document Object Model (DOM) or website so that you can operate on them.

The DOM consists of elements created in HTML, such as one that can contain paragraphs (<p>), lists (<ul>) or other elements that are interpreted by the web browser and make it possible to render websites as we know them.

When programming websites, it is common to need to identify a specific element for a variety of reasons. It can be from a simple color change to something more complex like validating a field within a web form before it is stored. In these cases, programmers can modify the default behavior that elements have through the querySelector() method.

Following the example we mentioned earlier, if we wanted to use the querySelector() method to validate that the first field of a contact form is actually a phone number, we could do it as follows:

// querySelector() returns the first matching element, or null if there is none.
var field1 = document.body.querySelector("form input");
var tel = /^\+?([0-9]{2})\)?[-. ]?([0-9]{4})[-. ]?([0-9]{4})$/;
function isPhoneNumber() { return field1 !== null && tel.test(field1.value); }

One of the limitations of this method is that it only returns the first element that matches the selection. Therefore, if we have other similar elements we will have to make use of alternative methods such as querySelectorAll() that returns all the elements that match the selection made in array format.



An acronym for RESTful API Modeling Language, RAML is a modeling language that allows APIs to be described in a way that is readable to both humans and computers.

It focuses on cleanly describing resources, methods, parameters, responses, media types, and other HTTP constructs that form the basis of modern APIs that obey most (but not all, as admitted by their creators) RESTful specifications. It uses JSON to specify structures and is based on YAML.

RAML lets you see what your API looks like as you design it, using easy-to-read plain text. Without having to write code, you can refine your API design and create a functional mock.

301 redirect

The 301 redirect is a command to permanently redirect a page by pointing to a new address or URL.

It is used, for example, to fix a 404 error (page not found) and send the user to an operational page. It is also used when you need to perform a domain migration, modify URL structures, or troubleshoot duplicate content, for example, by permanently replacing the destination address.

The 301 redirect is performed on the server configuration file or the .htaccess, a configuration file used on web servers. With this command, the web server returns an HTTP 301 code to the client, telling it that the URL has been permanently moved to a new address.



SmartBear is a company that offers tools for application performance monitoring (APM), software development and testing, API testing and management, code collaboration and optimization, and two open source tools: SoapUI and SwaggerHub.


Sphinx is a free tool for documenting software projects that was originally created to generate documentation about Python.

It is used to automatically generate documentation from source code, write mathematical notation, or enhance code. Sphinx uses reStructuredText (RST, reST, or ReST) as the markup language. Output formats include HTML, PDF, Texinfo, ePub, plain text, etc.

Before installing Sphinx (on Windows or Linux) you must have Python installed in either of its two development branches (2.x or 3.x).



VCS stands for Version Control System. It is a category of software that allows you to manage source code changes in a development project.

VCSs track each modification of the code hosted in the repository, that is, they track every change made by members of the development team. Therefore, if any mistakes are made, developers can go back, compare previous versions, and troubleshoot while minimizing disruption for other team members.

One of the most popular VCSs today is Git.


Versioning is the process of assigning an orderly and progressive nomenclature to successive versions or upgrades of a development, in a way that makes it possible to identify its progress.

The term particularly applies to operating systems and software. In the latter case, versioning consists of enumerating or granting numeric identifiers (two to three numbers separated by dots) to launches of the same program/product.

This practice helps developers know what the latest versions are and the updates or changes the programs have had from their previous version.



Webhooks are created through the need to interface systems effectively. They work as real-time notifications and allow communication between two applications. These are HTTP callbacks triggered by a specific event that alter how a website or app works. These callbacks can be managed by third party users and developers who do not manage the original app.

In a traditional system, when a third party wants to know if the information they want to access has been updated, they need to make a call to the source server, get that data, and check the modification date periodically.

This results in excessive consumption of resources by both the querying system and the one being queried, since this periodic polling for updates, at an interval that may be longer or shorter depending on the need, must be done knowing that on many occasions no new information will be obtained.

With the use of webhooks, this task is performed proactively by the system in which the changes are originated. Through REST APIs it is possible to trigger a call to a third party system at the time of that event. This reduces resource consumption a great deal.

Typically, a system B is identified either by authentication protocols or by using API Keys with a system A and it is this system A that sends the events to the previously specified endpoint of System B through the HTTP protocol.

When the event data arrives at System B, it will have all the necessary information that has been modified in System A without having to make a request. In this way system B will always have up-to-date and reliable information on system A.

Webhooks not only allow operation notification, they are also used to generate reports, process data and synchronize systems in real time and can be integrated into web services without adding other infrastructures.
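
The flow described above (System B identifies itself to System A with an API key, then System A pushes events to B's registered endpoint), together with the API key entry's two roles of authenticating each call and tracking usage, as an added example that is not code from BBVA API_Market. The key format, the HTTPS-only rule, the endpoint URL and the event shape are assumptions, and `send` stands in for the real HTTP POST.

```javascript
// Added example. Key format, endpoint URL and event shape are constructed assumptions.
const crypto = require("crypto");

// Only a hash of each key is stored, so a leaked store does not expose usable keys.
const sha256 = (text) => crypto.createHash("sha256").update(String(text), "utf8").digest();

function createSystemA() {
  const subscribers = new Map(); // keyId -> { keyHash, endpoint, calls }
  const lookup = (apiKey) => subscribers.get(String(apiKey).split(".")[0]);

  // Issue a key of the form "<keyId>.<secret>" to a subscriber such as System B.
  function issueKey() {
    const keyId = crypto.randomBytes(6).toString("hex");
    const apiKey = keyId + "." + crypto.randomBytes(24).toString("hex");
    subscribers.set(keyId, { keyHash: sha256(apiKey), endpoint: null, calls: 0 });
    return apiKey;
  }

  // Identify the caller by key id, verify the full key in constant time,
  // and count the call so usage can be tracked per key.
  function authenticate(apiKey) {
    const sub = lookup(apiKey);
    if (!sub || !crypto.timingSafeEqual(sub.keyHash, sha256(apiKey))) return null;
    sub.calls += 1;
    return sub;
  }

  // System B registers the endpoint that should receive events. Returns an HTTP status.
  function register(apiKey, endpoint) {
    const sub = authenticate(apiKey);
    if (sub === null) return 401;
    let url;
    try { url = new URL(endpoint); } catch (e) { return 400; }
    if (url.protocol !== "https:") return 400; // assumption: only HTTPS endpoints accepted
    sub.endpoint = url.href;
    return 200;
  }

  // When something changes, push the event to every registered endpoint.
  // `send(url, body)` stands in for the HTTP POST that System A would make.
  function emit(event, send) {
    let delivered = 0;
    for (const sub of subscribers.values()) {
      if (sub.endpoint === null) continue;
      send(sub.endpoint, JSON.stringify(event));
      delivered += 1;
    }
    return delivered;
  }

  const usageOf = (apiKey) => { const sub = lookup(apiKey); return sub ? sub.calls : 0; };
  return { issueKey, register, emit, usageOf };
}

// Demo run with a recording sender instead of a real network call.
function demo() {
  const systemA = createSystemA();
  const key = systemA.issueKey();
  const sent = [];
  const statuses = [
    systemA.register(key, "https://system-b.example.test/hooks"), // valid key
    systemA.register(key + "x", "https://system-b.example.test/hooks"), // tampered key
    systemA.register(key, "http://system-b.example.test/hooks"), // not HTTPS
  ];
  const delivered = systemA.emit({ type: "account.updated", id: 1 }, (u, b) => sent.push([u, b]));
  return { statuses, delivered, sent, calls: systemA.usageOf(key) };
}

console.log(demo());
```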



YAML, an acronym for Yet Another Markup Language or YAML Ain't Markup Language, is a programming language that is characterized by its user-friendly, easy-to-understand format, useful for mapping data structures. It is used to configure files and applications that transmit or store data.

Unlike JSON, YAML has built-in benefits such as self-referential, feedback, and support for complex data.