implement a PSD2/Berlin Group open-banking consent flow with SCA and 90-day reauth

Verified steps

1. Register your application with each ASPSP (bank) or connect via an AISP/PISP aggregation hub that handles bank registration; obtain your eIDAS-qualified certificate (QWAC and QSEAL) required for direct PSD2 API connections in the EU.
2. Initiate a consent by POSTing to the bank's consent endpoint (Berlin Group NextGenPSD2: POST /v1/consents) specifying the requested access permissions (balances, transactions, accounts) and the validUntil date (maximum 90 days).
3. Redirect the PSU (Payment Service User) to the SCA (Strong Customer Authentication) authorisation URL returned in the consent response; the user authenticates with their bank using at least two factors.
4. After SCA completion, the bank redirects the user back to your redirect_uri with a code or confirmation; retrieve the consent status via GET /v1/consents/{consentId} to confirm it is valid.
5. Use the confirmed consent to call account data endpoints (GET /v1/accounts, GET /v1/accounts/{accountId}/transactions/{transactionId}) attaching the Consent-ID header on each request.
6. Track consent expiry dates and proactively prompt the user to re-authorise before the 90-day window expires; implement a re-consent flow that creates a new consent object and goes through SCA again.