Yodlee supports linking an account through APIs, which allows financial institutions (FIs) and Yodlee Interactive (YI) customers to link their consumer's accounts and Yodlee InstantAccountVerification (IAV) APIs that allow customers to verify or confirm their consumer's account ownership. These APIs accept sensitive information like credentials and are protected using the transport security SSL (secure sockets layer). The Public Key Infrastructure-based (PKI) encryption offers additional security – on top off SSL – to encrypt credentials. YI and API customers can choose for this feature.

PKI-based encryption is an optional feature and when enabled will allow customers to use the public key to pass encrypted credentials and answers to MFA (multifactor authentication) questions, to the link an  account APIs. For further processing, Yodlee will then decrypt the encrypted credentials and answers to MFA questions using the private key. By default this feature is disabled.

Note: PKI-based encryption is an optional feature. Please check with Yodlee team if this feature is enabled for environment provisioned.

Advantages of Yodlee PKI Feature

PKI-based encryption offers:

  • Additional security for credentials and answers to MFA questions over the existing transport security SSL.
  • A secure internal infrastructure for customers, by encrypting the credentials at their entry point using the Yodlee specific PKI-based keys.

List of Yodlee APIs using PKI Feature

  1. Add Account : POST /v1/providers/providerAccounts
  2. Update Account: PUT /v1/providers/providerAccounts

Integration Steps

Yodlee will generate a public and private key pair specific to the customer. To get access to this public key, the customers should call respective Yodlee APIs to get public key and use it to encrypt sensitive information before sending it to Yodlee APIs. 

PKI based integration for Yodlee APIs


Step 1

Retrieve the cobrand public key(GET method) -  This should be done once per cobrand session. Once retrieved, the public key should be cached on your server.

Sample Input

cobSession is passed as Authorization header.
cobrandName is passed as path parameter.

cobrandName = name of the cobrand

Sample Response

    "keyAsPemString":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOC\n-----END PUBLIC KEY-----\n"


Step 2

Before the add provider step, encrypt the user credentials on the user device -  Browser or mobile app.    
Fields to be encrypted 

  • Username/Userid
  • Password/Pin
  • Security answers
  • Security questions  - Shouldn’t be encrypted


Steps for encryption (using the obtained public key)

  • Convert the PEM string public_key to a key object -  The key is a RSA public key
  • Encrypt the data using RSA/ECB/PKCS1Padding
  • Hex Encode the encrypted String
  • Prepend the Hex encoded encrypted String with “keyAlias” + “:”

Java Sample (using BouncyCastle Library)

StringReader fileReader= new StringReader(keyAsPemString);
PEMReader pemReader= new PEMReader(fileReader);
PublicKey pk= (PublicKey)pemReader.readObject();
Cipher c = Cipher.getInstance ("RSA/ECB/PKCS1Padding");
c.init(Cipher.ENCRYPT_MODE, pk);
ciphertext = c.doFinal(cleartext.getBytes());
return keyAlias+”:”+HexEncode.encode(ciphertext);  

Step 3

In the add account step, send the encrypted user credentials to Yodlee. Other details are similar to non PKI based account addition

Error Response:

If the following response is received, the keys assigned to you have been changed, so you need to fetch and cache the keys again(Step 1)
The Http response status is 400 and the following error code/error message are received

{ “errorCode”: “Y400” “errorMessage”: “Decryption failure for FieldInfo:FieldInfoSingle: {FieldInfo: name= "LOGIN" displayName="null" editable=true optional=false helpText="nu ll" valuePattern="null" } defaultValue="null" value="" validValues= [null] displayValidValues=[null] valueIdentifier="null" valueMask=" null" fieldType="IF_LOGIN" validationRules=[null] size=null maxleng th=null userProfileMappingExpression=null fieldErrorCode=null field ErrorMessage=null” }