Mock sample for your project: Xero Assets API

Integrate with "Xero Assets API" from xero.com in no time with Mockoon's ready to use mock sample

Xero Assets API

xero.com

Version: 2.9.4


Use this API in your project

Integrate third-party APIs faster by using "Xero Assets API" ready-to-use mock sample. Mocking this API will allow you to start working in no time. No more accounts to create, API keys to provision, accesses to configure, unplanned downtime, just work.
Improve your integration tests by mocking third-party APIs and cover more edge cases: slow response time, random failures, etc.

Description

The Assets API exposes fixed asset related functions of the Xero Accounting application and can be used for a variety of purposes such as creating assets, retrieving asset valuations etc.

Other APIs by xero.com

Accounting

Introduction
The Xero Accounting API is a RESTful web service and uses the OAuth (v1.0a) protocol to authenticate 3rd party applications. The Accounting API exposes accounting and related functions of the main Xero application and can be used for a variety of purposes such as creating transactions like invoices and credit notes, right through to extracting accounting data via our reports endpoint.

Xero Files API

These endpoints are specific to Xero Files API

Xero OAuth 2 Identity Service API

These endpoints are related to managing authentication tokens and identity for Xero API

Xero Bank Feeds API

The Bank Feeds API is a closed API that is only available to financial institutions that have an established financial services partnership with Xero. If you're an existing financial services partner that wants access, contact your local Partner Manager. If you're a financial institution who wants to provide bank feeds to your business customers, contact us to become a financial services partner.

Xero Payroll AU API

This is the Xero Payroll API for orgs in Australia region.

Xero Accounting API

Other APIs in the same category

SpectroCoin Merchant

spectrocoin.com
This is an API designed for merchants who are using SpectroCoin services and wishes to integrate them locally.

Account and Transaction API Specification - UK

Functionality at a glance
The NBG "UK OPB - Account and Transaction v3.1.5" API follows the [UK Open Banking Specification
v3.1.5](https://openbankinguk.github.io/read-write-api-site3/v3.1.5/profiles/account-and-transaction-api-profile.html)
This Account and Transaction API Specification describes the flows and payloads for retrieving a list of accounts and their transactions.
The API endpoints described here allow a AISP to:
Create the Consent with the appropriate permissions in order to be able to access the API Endpoints
Retrieve the list of accounts
Retrieve an account's details
Retrieve an account's balances
Retrieve an account's transactions
Retrieve an account's beneficiaries
Retrieve an account's standing orders
Retrieve an account's party
Retrieve an account's scheduled payments
Retrieve an account's statements
Quick Getting Started
Login/Register to the NBG Technology HUB
Go to "APPS"
Select your Organization and go to step 4. If you want to create a new Organization click \"CREATE AN ORGANIZATION\" and follow the steps below:
Enter the title of your Organization
Enter a short description of your Organization (optional)
Click "SUBMIT"
Select the Organization of choice and click "ADD AN APPLICATION"
Fill in the forms (title and short description)
Check \"Authorization Code\" and \"Client Credentials\"
Enter the OAuth Redirect and Post Logout URIs (these are the URIs that we will redirect the user upon logging in and logging out respectively)
You can use the following redirect URL to easily test the API through the portal: https://developer.nbg.gr/oauth2/redoc-callback
Click "SUBMIT"
Store the APPs "Client ID" and "Client Secret"
Go to "API PRODUCTS" and select the ACCOUNT INFORMATION - UK OPEN BANKING API
Click \"START USING THIS API\", choose your app and click
"SUBSCRIBE"
Get an Access Token using the Access Token Flow and the API scopes provided in the Authentication and Authorization (OAuth2) section below
Create a Sandbox
Play with the API
Sandbox Flow
The Sandbox Flow matches the Production Flow. The difference lies into the Data used. Instead of live
data, the Sandbox flow uses mocked data.
Production Flow
The Production Flow is described in the [UK Open Banking v3.1.5
Specification](https://openbankinguk.github.io/read-write-api-site3/v3.1.5/profiles/account-and-transaction-api-profile.html)
More details about the implementation specifics followed, please visit section **UK OPB Implementation
Specifics**
Authentication and Authorization (OAuth2)
This API version uses the OAuth2 protocol for authentication and authorization, which means that a
Bearer (access token) should be acquired. An access token can be retrieved using the client_id and
client_secret of the APP that you created and subscribed in this API, and your own credentials
(username, password) that you use to sign in the NBG Technology HUB. The scopes are defined below:
Authorization Endpoint:
https://my.nbg.gr/identity/connect/authorize
Token Endpoint:
https://my.nbg.gr/identity/connect/token
Authorization Code
Sandbox Scopes:
sandbox-uk-account-info-api-v1 offline_access
Production Scopes:
accounts offline_access
Client Credentials
Sandbox Scopes:
sandbox-uk-account-info-api-v1
Production Scopes:
accounts
See more here
QWAC Certificates
TPPs are required to present a QWAC certificate during API consumption. The API checks that this certificate has been provided and is valid. In sandbox mode the certificate validations are optional. To validate your certificate in sandbox implementation, please send us your QWAC certificate at [email protected] and set the HTTP Header \"x-sandbox-qwac-certificate-check\" with the value \"true\" in your requests.
SMS Challenge (One Time Password)
In order to successfully authorize an Accounts Access you will need to provide the SMS OTP (One Time Password) in the corresponding Accounts Consent UI Screen.
By default the SMS OTP will be sent to the mobile number declared upon singing up in the NBG Technology HUB.
Create your Sandbox
Create a new Sandbox application by invoking the POST /sandbox. This call will generate a new Sandbox
with a unique sandbox-id.
Important! Before proceeding save the sandbox id you just created.
When you create a sandbox, users and sandbox specific data are generated as sample data.
Start Testing
Once you have your sandbox-id, you can start invoking the rest of the operations by providing the
mandatory http header sandbox-id and the http headers described below.
Important notes
Request headers
The following HTTP header parameters are required for every call:
Authorization. The Auth2 Token
sandbox-id. Your Sandbox ID
Consent
In order to be able to effectively start using the Endpoints the appropriate Consent needs to be
created and set to the 'Authorised' status.
In order to create the Consent you need to at least set the required permissions and the Risk
sections.
Optionally you may set the
ExpirationDateTime. When the Consent expires
TransactionFromDateTime. Start Date to retrieve the transactions
TransactionToDateTime. End Date to retrieve the transactions
Not Implemented Endpoints
The following endpoints are not implemented in the API
GET /balances
GET /transactions
GET /beneficiaries
GET /accounts/\{AccountId\}/direct-debits
GET /direct-debits
GET /standing-orders
GET /accounts/\{AccountId\}/product
GET /products
GET /accounts/\{AccountId\}/offers
GET /offers
GET /scheduled-payments
GET /statements
Error Codes
The error codes and their description can be found
here
UK OPB Implementation Specifics
Below you may find more specific information & limitations regarding the implementation followed in the Production API.
Token Endpoint Client Authentication
At this point the supported Client Authentication method is "Client Secret Basic" - usage of "Client ID" & "Client Secret".
Consent Authorization
For a PSU to Authorize a Consent, they need to be redirected to the appropriate Consent UI.
For this redirection to take place the TPP needs to follow the Authorization Endpoint by amending the generated "Consent ID", like this: https://my.nbg.gr/identity/connect/authorize?consentid={{consentid}}&clientid={{clientid}}&scope={{scope}}&redirecturi={{redirecturi}}&response_type=code
Once the PSU is redirected to the Consent Authorization Screen, they need to enter their IBank (Production) or Developer Portal (Sandbox) Credentials and either Authorize or Reject the Consent.
At this point the Consent is binded with the PSU.
Debtor Account
Currently, only the "UK.OBIE.IBAN" scheme is supported.
Feedback and Questions
We would love to hear your feedback and answer your questions. Send us at
[email protected]
Check out our [Sandbox Postman
Collection](https://github.com/NBG-Developer-Portal/Account-Information-UK-Open-Banking)!
Created by NBG.
Entities
Below, the main entities are documented.
OBExternalPermissions1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| Specifies the Open Banking account access data types. This is a list of the data clusters being consented by the PSU, and requested for authorisation with the ASPSP.| ReadAccountsBasic ReadAccountsDetail ReadBalances ReadBeneficiariesBasic ReadBeneficiariesDetail ReadDirectDebits ReadOffers ReadPAN ReadParty ReadPartyPSU ReadProducts ReadScheduledPaymentsBasic ReadScheduledPaymentsDetail ReadStandingOrdersBasic ReadStandingOrdersDetail ReadStatementsBasic ReadStatementsDetail ReadTransactionsBasic ReadTransactionsCredits ReadTransactionsDebits ReadTransactionsDetail |
OBReadData1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Permissions| Specifies the Open Banking account access data types. This is a list of the data clusters being consented by the PSU, and requested for authorisation with the ASPSP.| array[OBExternalPermissions1Code]|
| ExpirationDateTime| Specified date and time the permissions will expire. If this is not populated, the permissions will be open ended. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| TransactionFromDateTime| Specified start date and time for the transaction query period. If this is not populated, the start date will be open ended, and data will be returned from the earliest available transaction. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| TransactionToDateTime| Specified end date and time for the transaction query period. If this is not populated, the end date will be open ended, and data will be returned to the latest available transaction. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
OBRisk2
The Risk section is sent by the initiating party to the ASPSP. It is used to specify additional details for risk scoring for Account Info.
Attributes
| Name| Description| Values|
| -----| -----| -----|
OBReadConsent1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadData1 Permissions array[[OBExternalPermissions1Code]] ExpirationDateTime [string] TransactionFromDateTime [string] TransactionToDateTime [string] |
| Risk | Entity | OBRisk2 |
ErrorCode
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| This is Data Type gives a low level textual error code to help categorise an error response. The applicable HTTP response code is also given.| UK.OBIE.Field.Expected UK.OBIE.Field.Invalid UK.OBIE.Field.InvalidDate UK.OBIE.Field.Missing UK.OBIE.Field.Unexpected UK.OBIE.Header.Invalid UK.OBIE.Header.Missing UK.OBIE.Resource.ConsentMismatch UK.OBIE.Resource.InvalidConsentStatus UK.OBIE.Resource.InvalidFormat UK.OBIE.Resource.NotFound UK.OBIE.Rules.AfterCutOffDateTime UK.OBIE.Rules.DuplicateReference UK.OBIE.Signature.Invalid UK.OBIE.Signature.InvalidClaim UK.OBIE.Signature.MissingClaim UK.OBIE.Signature.Malformed UK.OBIE.Signature.Missing UK.OBIE.Signature.Unexpected UK.OBIE.Unsupported.AccountIdentifier UK.OBIE.Unsupported.AccountSecondaryIdentifier UK.OBIE.Unsupported.Currency UK.OBIE.Unsupported.EventType UK.OBIE.Unsupported.Frequency UK.OBIE.Unsupported.LocalInstrument UK.OBIE.Unsupported.Scheme UK.OBIE.Reauthenticate UK.OBIE.Rules.ResourceAlreadyExists UK.OBIE.UnexpectedError |
OBError1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| ErrorCode | Entity | ErrorCode |
| Message| A description of the error that occurred. e.g., 'A mandatory field isn't supplied' or 'RequestedExecutionDateTime must be in future'OBIE doesn't standardise this field| string|
| Path| Recommended but optional reference to the JSON Path of the field with error, e.g., Data.Initiation.InstructedAmount.Currency| string|
OBErrorResponse1
An array of detail error codes, and messages, and URLs to documentation to help remediation.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Code| High level textual error code, to help categorize the errors.| string|
| Id| A unique reference for the error instance, for audit purposes, in case of unknown/unclassified errors.| string|
| Message| Brief Error message, e.g., 'There is something wrong with the request parameters provided'| string|
| Errors| Gets or Sets Errors| array[OBError1]|
OBExternalRequestStatus1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| Specifies the status of consent resource in code form.| Authorised AwaitingAuthorisation Rejected Revoked |
OBReadDataConsentResponse1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| ConsentId| Unique identification as assigned to identify the account access consent resource.| string|
| CreationDateTime| Date and time at which the resource was created. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| Status | Entity | OBExternalRequestStatus1Code |
| StatusUpdateDateTime| Date and time at which the resource status was updated. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| Permissions| Specifies the Open Banking account access data types. This is a list of the data clusters being consented by the PSU, and requested for authorisation with the ASPSP.| array[OBExternalPermissions1Code]|
| ExpirationDateTime| Specified date and time the permissions will expire. If this is not populated, the permissions will be open ended. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| TransactionFromDateTime| Specified start date and time for the transaction query period. If this is not populated, the start date will be open ended, and data will be returned from the earliest available transaction. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| TransactionToDateTime| Specified end date and time for the transaction query period. If this is not populated, the end date will be open ended, and data will be returned to the latest available transaction. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
Links
Links relevant to the payload
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Self| -| string|
| First| -| string|
| Prev| -| string|
| Next| -| string|
| Last| -| string|
Meta
Meta Data relevant to the payload
Attributes
| Name| Description| Values|
| -----| -----| -----|
| TotalPages| -| integer|
| FirstAvailableDateTime| All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| LastAvailableDateTime| All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
OBReadConsentResponse1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataConsentResponse1 ConsentId string] CreationDateTime [string] Status [[OBExternalRequestStatus1Code] StatusUpdateDateTime string] Permissions [array[[OBExternalPermissions1Code]] ExpirationDateTime [string] TransactionFromDateTime [string] TransactionToDateTime [string] |
| Risk | Entity | OBRisk2 |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBExternalAccountType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| Business Personal |
OBExternalAccountSubType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| ChargeCard CreditCard CurrentAccount EMoney Loan Mortgage PrePaidCard Savings |
OBCashAccount5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| SchemeName| Name of the identification scheme, in a coded form as published in an external list.| string|
| Identification| Identification assigned by an institution to identify an account. This identification is known by the account owner.| string|
| Name| The account name is the name or names of the account owner(s) represented at an account level, as displayed by the ASPSP's online channels. Note, the account name is not the product name or the nickname of the account.| string|
| SecondaryIdentification| This is secondary identification of the account, as assigned by the account servicing institution. This can be used by building societies to additionally identify accounts with a roll number(in addition to a sort code and account number combination).| string|
OBBranchAndFinancialInstitutionIdentification5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| SchemeName| Name of the identification scheme, in a coded form as published in an external list.| string|
| Identification| Unique and unambiguous identification of the servicing institution.| string|
OBAccount6
Unambiguous identification of the account to which credit and debit entries are made.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| Currency| Identification of the currency in which the account is held. Usage: Currency should only be used in case one and the same account number covers several currencies and the initiating party needs to identify which currency needs to be used for settlement on the account.| string|
| AccountType | Entity | OBExternalAccountType1Code |
| AccountSubType | Entity | OBExternalAccountSubType1Code |
| Description| Specifies the description of the account type.| string|
| Nickname| The nickname of the account, assigned by the account owner in order to provide an additional means of identification of the account.| string|
| OpeningDate| Date on which the account and related basic services are effectively operational for the account owner.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| Account| Provides the details to identify an account.| array[OBCashAccount5]|
| Servicer | Entity | OBBranchAndFinancialInstitutionIdentification5 SchemeName [string] Identification [string] |
OBReadDataAccount5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Account| Unambiguous identification of the account to which credit and debit entries are made.| array[OBAccount6]|
OBReadAccount5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataAccount5 Account array[[OBAccount6]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBCreditDebitCode
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| Credit Debit |
OBBalanceType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| ClosingAvailable ClosingBooked ClosingCleared Expected ForwardAvailable Information InterimAvailable InterimBooked InterimCleared OpeningAvailable OpeningBooked OpeningCleared PreviouslyClosedBooked |
OBActiveOrHistoricCurrencyAndAmount
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Amount| A number of monetary units specified in an active currency where the unit of currency is explicit and compliant with ISO 4217.| string|
| Currency| A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds".| string|
OBExternalLimitType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| Available Credit Emergency Pre-Agreed Temporary |
OBCreditLine1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Included| Indicates whether or not the credit line is included in the balance of the account. Usage: If not present, credit line is not included in the balance amount of the account.| boolean|
| Type | Entity | OBExternalLimitType1Code |
| Amount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
OBCashBalance1
Set of elements used to define the balance details.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| CreditDebitIndicator | Entity | OBCreditDebitCode |
| Type | Entity | OBBalanceType1Code |
| DateTime| Indicates the date (and time) of the balance.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone. An example is below: 2017-04-05T10:43:07+00:00| string|
| Amount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| CreditLine| Set of elements used to provide details on the credit line.| array[OBCreditLine1]|
OBReadDataBalance1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Balance| Set of elements used to define the balance details.| array[OBCashBalance1]|
OBReadBalance1
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataBalance1 Balance array[[OBCashBalance1]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBBeneficiaryType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| Specifies the Beneficiary Type.| Trusted Ordinary |
OBBeneficiary5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| BeneficiaryType | Entity | OBBeneficiaryType1Code |
| CreditorAccount | Entity | OBCashAccount5 SchemeName [string] Identification [string] Name [string] SecondaryIdentification [string] |
OBReadDataBeneficiary5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Beneficiary| -| array[OBBeneficiary5]|
OBReadBeneficiary5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataBeneficiary5 Beneficiary array[[OBBeneficiary5]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBParty2
Attributes
| Name| Description| Values|
| -----| -----| -----|
| PartyId| A unique and immutable identifier used to identify the customer resource. This identifier has no meaning to the account owner.| string|
| Name| Name by which a party is known and which is usually used to identify that party.| string|
OBReadDataParty2
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Party | Entity | OBParty2 PartyId [string] Name [string] |
OBReadParty2
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataParty2 Party [OBParty2] PartyId [string] Name [string] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBReadDataParty3
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Party| -| array[OBParty2]|
OBReadParty3
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataParty3 Party array[[OBParty2]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
SandboxRequest
Request to create a new sandbox
Attributes
| Name| Description| Values|
| -----| -----| -----|
| sandboxId| Sandbox Id| string|
ErrorResponse
Attributes
| Name| Description| Values|
| -----| -----| -----|
| errorMessage| -| string|
SandboxRetryCacheEntry
Keeps the number of calls without x-fapi-customer-ip-address header present
Attributes
| Name| Description| Values|
| -----| -----| -----|
| cacheKey| Cache key| string|
| count| Number of retries ( up to 4 )| integer|
| expirationTimestamp| Expiration timestamp of the entry| string|
SandboxBankAccountInfo
General account information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| currency| Currency (EUR, USD ...)| string|
| iban| Account's IBAN| string|
| accountType| Account's type (Business, Personal)| string|
| accountSubType| Account's sub-type (ChargeCard, CreditCard, CurrentAccount ...)| string|
| description| Account's description| string|
| alias| Account's alias| string|
| openingDate| Account's opening date| string|
| availableBalance| Account's available balance| number|
| ledgerBalance| Account's ledger balance| number|
| overdraftLimit| Account's overdraft limit| number|
SandboxParty
Connected party information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| id| Party id| string|
| name| Name| string|
SandboxBeneficiary
Beneficiary information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| name| Beneficiary name| string|
SandboxStandingOrder
Standing order information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| description| Standing order short description| string|
| frequency| Standing order frequency| string|
| firstPaymentDate| Standing order first collection date| string|
| nextPaymentDate| Standing order next collection date| string|
| finalPaymentDate| Standing order final collection date| string|
| lastPaymentDate| Standing order last executed payment date| string|
| status| Standing order status (Active, Inactive)| string|
| amount| Standing order amount| number|
SandboxScheduledPayment
Scheduled payment information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| description| Scheduled payment's short description| string|
| executionDate| Scheduled payment's execution date| string|
| amount| Amount| number|
| senderReference| Debtor / Sender reference| string|
SandboxStatement
Statement information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| number| Statement number| string|
| year| Statement year| integer|
| month| Statement month| integer|
SandboxTransaction
Transaction information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| reference| Transaction reference| string|
| amount| Amount| number|
| currency| Currency (EUR, USD ...)| string|
| creditDebit| Credit / Debit indicator| string|
| valueDateTime| Valeur| string|
| bookingDateTime| Booking date time| string|
| description| Description| string|
| accountingBalance| Balance| number|
| relatedAccount| Related account| string|
| relatedName| Related account| string|
| transactionCode| Transaction code| string|
SandboxBankAccount
Sandbox bank account
Attributes
| Name| Description| Values|
| -----| -----| -----|
| info | Entity | SandboxBankAccountInfo currency [string] iban [string] accountType [string] accountSubType [string] description [string] alias [string] openingDate [string] availableBalance [number] ledgerBalance [number] overdraftLimit [number] |
| party | Entity | SandboxParty id [string] name [string] |
| beneficiaries| List of account's beneficiaries| array[SandboxBeneficiary]|
| standingOrders| List of account's standing orders| array[SandboxStandingOrder]|
| scheduledPayments| List of account's scheduled payments| array[SandboxScheduledPayment]|
| statements| List of account's statements| array[SandboxStatement]|
| transactions| List of account's transactions| array[SandboxTransaction]|
SandboxCardInfo
Sandbox card information
Attributes
| Name| Description| Values|
| -----| -----| -----|
| number| Card number| string|
| description| Description| string|
| holderName| Holder name| string|
| expiration| Expiration date (05/2022)| string|
| type| Type| string|
| subType| Sub type| string|
| availableBalance| Available balance| number|
| ledgerBalance| Ledger balance| number|
| creditLimit| Credit limit ( applicable to credit cards )| number|
SandboxCard
Sandbox card
Attributes
| Name| Description| Values|
| -----| -----| -----|
| info | Entity | SandboxCardInfo number [string] description [string] holderName [string] expiration [string] type [string] subType [string] availableBalance [number] ledgerBalance [number] creditLimit [number] |
| party | Entity | SandboxParty id [string] name [string] |
| statements| Card statements| array[SandboxStatement]|
| transactions| Card transactions| array[SandboxTransaction]|
SandboxUser
User data
Attributes
| Name| Description| Values|
| -----| -----| -----|
| userId| Connected user id| string|
| retryCacheEntries| Retry cache entries| array[SandboxRetryCacheEntry]|
| accounts| List of accounts| array[SandboxBankAccount]|
| cards| List of cards| array[SandboxCard]|
Sandbox
Sandbox model
Attributes
| Name| Description| Values|
| -----| -----| -----|
| sandboxId| Sandbox id| string|
| users| List of users| array[SandboxUser]|
OBExternalScheduleType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| Arrival Execution |
OBScheduledPayment3
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| ScheduledPaymentId| A unique and immutable identifier used to identify the scheduled payment resource. This identifier has no meaning to the account owner.| string|
| ScheduledPaymentDateTime| The date on which the scheduled payment will be made.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| ScheduledType | Entity | OBExternalScheduleType1Code |
| Reference| Unique reference, as assigned by the creditor, to unambiguously refer to the payment transaction. Usage: If available, the initiating party should provide this reference in the structured remittance information, to enable reconciliation by the creditor upon receipt of the amount of money. If the business context requires the use of a creditor reference or a payment remit identification, and only one identifier can be passed through the end-to-end chain, the creditor's reference or payment remittance identification should be quoted in the end-to-end transaction identification.| string|
| DebtorReference| A reference value provided by the PSU to the PISP while setting up the scheduled payment.| string|
| InstructedAmount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| CreditorAccount | Entity | OBCashAccount5 SchemeName [string] Identification [string] Name [string] SecondaryIdentification [string] |
OBReadDataScheduledPayment3
Attributes
| Name| Description| Values|
| -----| -----| -----|
| ScheduledPayment| -| array[OBScheduledPayment3]|
OBReadScheduledPayment3
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataScheduledPayment3 ScheduledPayment array[[OBScheduledPayment3]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBExternalStandingOrderStatus1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| Active Inactive |
OBStandingOrder5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| StandingOrderId| A unique and immutable identifier used to identify the standing order resource. This identifier has no meaning to the account owner.| string|
| Frequency| Individual Definitions: IntrvlMnthDay - An interval specified in months(between 01, 02, 03, 04, 06, 12, 24), specifying the day within the month(01 to 31) Full Regular Expression: ^(IntrvlMnthDay:(0[1,2,3,4,6]|12|24):(0[1-9]|[12] [0-9]|3[01]))$| string|
| Reference| Unique reference, as assigned by the creditor, to unambiguously refer to the payment transaction. Usage: If available, the initiating party should provide this reference in the structured remittance information, to enable reconciliation by the creditor upon receipt of the amount of money. If the business context requires the use of a creditor reference or a payment remit identification, and only one identifier can be passed through the end-to-end chain, the creditor's reference or payment remittance identification should be quoted in the end-to-end transaction identification.| string|
| FirstPaymentDateTime| The date on which the first payment for a Standing Order schedule will be made.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| NextPaymentDateTime| The date on which the next payment for a Standing Order schedule will be made.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| LastPaymentDateTime| The date on which the last (most recent) payment for a Standing Order schedule was made.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| FinalPaymentDateTime| The date on which the final payment for a Standing Order schedule will be made.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| StandingOrderStatusCode | Entity | OBExternalStandingOrderStatus1Code |
| FirstPaymentAmount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| NextPaymentAmount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| LastPaymentAmount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| FinalPaymentAmount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| CreditorAccount | Entity | OBCashAccount5 SchemeName [string] Identification [string] Name [string] SecondaryIdentification [string] |
OBReadDataStandingOrder5
Attributes
| Name| Description| Values|
| -----| -----| -----|
| StandingOrder| -| array[OBStandingOrder5]|
OBReadStandingOrder6
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataStandingOrder5 StandingOrder array[[OBStandingOrder5]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBExternalStatementType1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| AccountClosure AccountOpening Annual Interim RegularPeriodic |
OBStatement2
Provides further details on a statement resource.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| StatementId| Unique identifier for the statement resource within an servicing institution. This identifier is both unique and immutable.| string|
| StatementReference| Unique reference for the statement. This reference may be optionally populated if available.| string|
| Type | Entity | OBExternalStatementType1Code |
| StartDateTime| Date and time at which the statement period starts.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| EndDateTime| Date and time at which the statement period starts.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| CreationDateTime| Date and time at which the statement period starts.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
OBReadDataStatement2
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Statement| Provides further details on a statement resource.| array[OBStatement2]|
OBReadStatement2
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataStatement2 Statement array[[OBStatement2]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
OBEntryStatus1Code
Attributes
| Type| Description| Example| Values|
| -----| -----| -----| -----|
| enum| -| Booked Pending |
ProprietaryBankTransactionCodeStructure1
Set of elements to fully identify a proprietary bank transaction code.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Code| Proprietary bank transaction code to identify the underlying transaction.| string|
| Issuer| Identification of the issuer of the proprietary bank transaction code.| string|
OBTransactionCashBalance
Set of elements used to define the balance as a numerical representation of the net increases and decreases in an account after a transaction entry is applied to the account.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| CreditDebitIndicator | Entity | OBCreditDebitCode |
| Type | Entity | OBBalanceType1Code |
| Amount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
OBCashAccount6
Unambiguous identification of the account of the creditor, in the case of a debit transaction.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| SchemeName| Name of the identification scheme, in a coded form as published in an external list.| string|
| Identification| Identification assigned by an institution to identify an account. This identification is known by the account owner.| string|
| Name| The account name is the name or names of the account owner(s) represented at an account level, as displayed by the ASPSP's online channels. Note, the account name is not the product name or the nickname of the account.| string|
OBTransaction6
Provides further details on an entry in the report.
Attributes
| Name| Description| Values|
| -----| -----| -----|
| AccountId| A unique and immutable identifier used to identify the account resource. This identifier has no meaning to the account owner.| string|
| TransactionReference| Unique reference for the transaction. This reference is optionally populated, and may as an example be the FPID in the Faster Payments context.| string|
| CreditDebitIndicator | Entity | OBCreditDebitCode |
| Status | Entity | OBEntryStatus1Code |
| BookingDateTime| Date and time when a transaction entry is posted to an account on the account servicer's books. Usage: Booking date is the expected booking date, unless the status is booked, in which case it is the actual booking date.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| ValueDateTime| Date and time at which assets become available to the account owner in case of a credit entry, or cease to be available to the account owner in case of a debit transaction entry. Usage: If transaction entry status is pending and value date is present, then the value date refers to an expected/requested value date. For transaction entries subject to availability/float and for which availability information is provided, the value date must not be used.In this case the availability component identifies the number of availability days.All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in responses must include the timezone.An example is below: 2017-04-05T10:43:07+00:00| string|
| TransactionInformation| Further details of the transaction. This is the transaction narrative, which is unstructured text.| string|
| Amount | Entity | OBActiveOrHistoricCurrencyAndAmount Amount [string] Currency [string] |
| ProprietaryBankTransactionCode | Entity | ProprietaryBankTransactionCodeStructure1 Code [string] Issuer [string] |
| Balance | Entity | OBTransactionCashBalance CreditDebitIndicator [OBCreditDebitCode] Type [OBBalanceType1Code] Amount [OBActiveOrHistoricCurrencyAndAmount] Amount [string] Currency [string] |
| CreditorAccount | Entity | OBCashAccount6 SchemeName [string] Identification [string] Name [string] |
| DebtorAccount | Entity | OBCashAccount6 SchemeName [string] Identification [string] Name [string] |
OBReadDataTransaction6
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Transaction| Provides further details on an entry in the report.| array[OBTransaction6]|
OBReadTransaction6
Attributes
| Name| Description| Values|
| -----| -----| -----|
| Data | Entity | OBReadDataTransaction6 Transaction array[[OBTransaction6]] |
| Links | Entity | Links Self [string] First [string] Prev [string] Next [string] Last [string] |
| Meta | Entity | Meta TotalPages [integer] FirstAvailableDateTime [string] LastAvailableDateTime [string] |
Authentication

Paylocity API

paylocity.com
For general questions and support of the API, contact: [email protected]
Overview
Paylocity Web Services API is an externally facing RESTful Internet protocol. The Paylocity API uses HTTP verbs and a RESTful endpoint structure. OAuth 2.0 is used as the API Authorization framework. Request and response payloads are formatted as JSON.
Paylocity supports v1 and v2 versions of its API endpoints. v1, while supported, won't be enhanced with additional functionality. For direct link to v1 documentation, please click here. For additional resources regarding v1/v2 differences and conversion path, please contact [email protected].
Setup
Paylocity will provide the secure client credentials and set up the scope (type of requests and allowed company numbers). You will receive the unique client id, secret, and Paylocity public key for the data encryption. The secret will expire in 365 days.
Paylocity will send you an e-mail 10 days prior to the expiration date for the current secret. If not renewed, the second e-mail notification will be sent 5 days prior to secret's expiration. Each email will contain the code necessary to renew the client secret.
You can obtain the new secret by calling API endpoint using your current not yet expired credentials and the code that was sent with the notification email. For details on API endpoint, please see Client Credentials section.
Both the current secret value and the new secret value will be recognized during the transition period. After the current secret expires, you must use the new secret.
If you were unable to renew the secret via API endpoint, you can still contact Service and they will email you new secret via secure email.
When validating the request, Paylocity API will honor the defaults and required fields set up for the company default New Hire Template as defined in Web Pay.
Authorization
Paylocity Web Services API uses OAuth2.0 Authentication with JSON Message Format.
All requests of the Paylocity Web Services API require a bearer token which can be obtained by authenticating the client with the Paylocity Web Services API via OAuth 2.0.
The client must request a bearer token from the authorization endpoint:
auth-server for production: https://api.paylocity.com/IdentityServer/connect/token
auth-server for testing: https://apisandbox.paylocity.com/IdentityServer/connect/token
Paylocity reserves the right to impose rate limits on the number of calls made to our APIs. Changes to API features/functionality may be made at anytime with or without prior notice.
Authorization Header
The request is expected to be in the form of a basic authentication request, with the "Authorization" header containing the client-id and client-secret. This means the standard base-64 encoded user:password, prefixed with "Basic" as the value for the Authorization header, where user is the client-id and password is the client-secret.
Content-Type Header
The "Content-Type" header is required to be "application/x-www-form-urlencoded".
Additional Values
The request must post the following form encoded values within the request body:
granttype = clientcredentials
scope = WebLinkAPI
Responses
Success will return HTTP 200 OK with JSON content:
{
"access_token": "xxx",
"expires_in": 3600,
"token_type": "Bearer"
}
Encryption
Paylocity uses a combination of RSA and AES cryptography. As part of the setup, each client is issued a public RSA key.
Paylocity recommends the encryption of the incoming requests as additional protection of the sensitive data. Clients can opt-out of the encryption during the initial setup process. Opt-out will allow Paylocity to process unencrypted requests.
The Paylocity Public Key has the following properties:
2048 bit key size
PKCS1 key format
PEM encoding
Properties
key (base 64 encoded): The AES symmetric key encrypted with the Paylocity Public Key. It is the key used to encrypt the content. Paylocity will decrypt the AES key using RSA decryption and use it to decrypt the content.
iv (base 64 encoded): The AES IV (Initialization Vector) used when encrypting the content.
content (base 64 encoded): The AES encrypted request. The key and iv provided in the secureContent request are used by Paylocity for decryption of the content.
We suggest using the following for the AES:
CBC cipher mode
PKCS7 padding
128 bit block size
256 bit key size
Encryption Flow
Generate the unencrypted JSON payload to POST/PUT
Encrypt this JSON payload using your own key and IV (NOT with the Paylocity public key)
RSA encrypt the key you used in step 2 with the Paylocity Public Key, then, base64 encode the result
Base64 encode the IV used to encrypt the JSON payload in step 2
Put together a "securecontent" JSON object:
{
'secureContent' : {
'key' : -- RSA-encrypted & base64 encoded key from step 3,
'iv' : -- base64 encoded iv from step 4
'content' -- content encrypted with your own key from step 2, base64 encoded
}
}
Sample Example
{
"secureContent": {
"key": "eS3aw6H/qzHMJ00gSi6gQ3xa08DPMazk8BFY96Pd99ODA==",
"iv": "NLyXMGq9svw0XO5aI9BzWw==",
"content": "gAEOiQltO1w+LzGUoIK8FiYbU42hug94EasSl7N+Q1w="
}
}
Sample C# Code
using Newtonsoft.Json;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class SecuredContent
{
[JsonProperty("key")]
public string Key { get; set; }
[JsonProperty("iv")]
public string Iv { get; set; }
[JsonProperty("content")]
public string Content { get; set; }
}
public class EndUserSecureRequestExample
{
public string CreateSecuredRequest(FileInfo paylocityPublicKey, string unsecuredJsonRequest)
{
string publicKeyXml = File.ReadAllText(paylocityPublicKey.FullName, Encoding.UTF8);
SecuredContent secureContent = this.CreateSecuredContent(publicKeyXml, unsecuredJsonRequest);
string secureRequest = JsonConvert.SerializeObject(new { secureContent });
return secureRequest;
}
private SecuredContent CreateSecuredContent(string publicKeyXml, string request)
{
using (AesCryptoServiceProvider aesCsp = new AesCryptoServiceProvider())
{
aesCsp.Mode = CipherMode.CBC;
aesCsp.Padding = PaddingMode.PKCS7;
aesCsp.BlockSize = 128;
aesCsp.KeySize = 256;
using (ICryptoTransform crt = aesCsp.CreateEncryptor(aesCsp.Key, aesCsp.IV))
{
using (MemoryStream outputStream = new MemoryStream())
{
using (CryptoStream encryptStream = new CryptoStream(outputStream, crt, CryptoStreamMode.Write))
{
byte[] encodedRequest = Encoding.UTF8.GetBytes(request);
encryptStream.Write(encodedRequest, 0, encodedRequest.Length);
encryptStream.FlushFinalBlock();
byte[] encryptedRequest = outputStream.ToArray();
using (RSACryptoServiceProvider crp = new RSACryptoServiceProvider())
{
crp.FromXmlstring(publicKeyXml);
byte[] encryptedKey = crp.Encrypt(aesCsp.Key, false);
return new SecuredContent()
{
Key = Convert.ToBase64string(encryptedKey),
Iv = Convert.ToBase64string(aesCsp.IV),
Content = Convert.ToBase64string(encryptedRequest)
};
}
}
}
}
}
}
}
Support
Questions about using the Paylocity API? Please contact [email protected].
Deductions (v1)
Deductions API provides endpoints to retrieve, add, update and delete deductions for a company's employees. For schema details, click here.
OnBoarding (v1)
Onboarding API sends employee data into Paylocity Onboarding to help ensure an easy and accurate hiring process for subsequent completion into Web Pay. For schema details, click here.

Account and Transaction API Specification

openbanking.org.uk
Swagger for Account and Transaction API Specification

GOV.UK Pay API

payments.service.gov.uk
GOV.UK Pay API (This version is no longer maintained. See openapi/publicapi_spec.json for latest API specification)

API v1.0.0

envoice.in
Run in Postman
or
View Postman docs
Quickstart
Visit github to view the quickstart tutorial.
Tutorial for running the API in postman
Click on ""Run in Postman"" button
postman - tutorial - 1
---
A new page will open.
Click the ""Postman for windows"" to run postman as a desktop app.
Make sure you have already installed Postman.
postman - tutorial - 2
---
In chrome an alert might show up to set a default app for opening postman links. Click on ""Open Postman"".
postman - tutorial - 3
---
The OpenAPI specification will be imported in Postman as a new collection named ""Envoice api""
postman - tutorial - 4
---
When testing be sure to check and modify the environment variables to suit your api key and secret. The domain is set to envoice's endpoint so you don't really need to change that.
\*Eye button in top right corner
postman - tutorial - 5
postman - tutorial - 6
---
You don't need to change the values of the header parameters, because they will be replaced automatically when you send a request with real values from the environment configured in the previous step.
postman - tutorial - 7
---
Modify the example data to suit your needs and send a request.
postman - tutorial - 8
Webhooks
Webhooks allow you to build or set up Envoice Apps which subscribe to invoice activities.
When one of those events is triggered, we'll send a HTTP POST payload to the webhook's configured URL.
Webhooks can be used to update an external invoice data storage.
In order to use webhooks visit this link and add upto 10 webhook urls that will return status 200 in order to signal that the webhook is working.
All nonworking webhooks will be ignored after a certain period of time and several retry attempts.
If after several attempts the webhook starts to work, we will send you all activities, both past and present, in chronological order.
The payload of the webhook is in format:

bunq API

UPDATE: We have released a beta version of the new bunq API documentation.
NOTICE: We have updated the sandbox base url to https://public-api.sandbox.bunq.com/v1/. Please update your applications accordingly. Check here: for more info.
PSD2 NOTICE: The second Payment Services Directive (PSD2) may affect your current or planned usage of our public API, as some of the API services are now subject to a permit. Please be aware that using our public API without the required PSD2 permit is at your own risk and take notice of our updated API Terms and Conditions on for more information.
Introduction
Welcome to bunq!
The bunq API is organised around REST. JSON will be returned in almost all responses from the API, including errors but excluding binary (image) files.
Please configure your implementation to send its API requests to https://public-api.sandbox.bunq.com/v1/
There is a version of the Android app that connects to the bunq Sandbox environment. To create accounts for the Sandbox app, please follow the steps in the Android Emulator section.
Getting started
Before you start sending API requests, you need to get an API key and activate it. API activation happens when you install the API key and link your IP address and device to it (create an API context). The steps below will guide you through what you need to do to start sending custom API requests.
Here is an overview of what you can use to get started with the bunq API:
Create an API key. You can do it either in our developer portal or in the bunq app (Profile → Security & Settings → Developers → API keys). If you want to test our sandbox first, our bunq Developer is the best place to start.
Register a device. A device can be a phone (private), computer or a server (public). You can register a new device by using the POST /installation and POST /device-server calls. This will activate your API key. You only need to do this once.
Open a session. Sessions are temporary and expire after the auto-logout time set for the user account. It can be changed by the account owner in the bunq app.
Make your first call!
bunqAPIcontext
Versioning
Developments in the financial sector, changing regulatory regimes and new feature requests require us to be flexible. This means we can iterate quickly to improve the API and related tooling. Therefore, we have chosen not to attach any version numbers to the changes just yet.
We will inform you in a timely manner of any important changes we make before they are deployed on together.bunq.com. You can also subscribe to our API newsletter to make sure you don't miss any important updates.
OAuth
What is OAuth?
OAuth 2.0 is a protocol that will let your app connect to bunq users in a safe and easy way. Please be aware that if you will gain access to the account information of other bunq users or initiate a payment for them, you may require a PSD2 permit.
Get started with OAuth for bunq
To initiate authorization into the bunq user accounts, you need to create an OAuth Client and register at least 1 redirect URL for it.
You can have 1 OAuth Client at a time. Reuse your OAuth credentials for every authorization request.
The list of steps below will help you to get started:
Register an OAuth Client by creating an app in bunq Developer.
Add one or more Redirect URLs.
Get your client_id and secret from your app information tab in bunq Developer.
Redirect your users to the OAuth authorization request URL.
If the user accepts the authorization request, they will be redirected to the previously specified redirect_uri with an authorization code parameter.
Use the token endpoint to exchange the authorization code for an access_token.
Use the access_token as a normal API Key. Open a session or use our SDKs to get started.
You can set up an OAuth Client and add redirect URLs to it using the dedicated endpoints too. Follow the flow below to do it programmatically.
ℹ️ As a PSD2 user, you cannot log in to the bunq app. You need to follow the flow below to register an OAuth Client for your application.
bunqOAuthcredentials
What can my apps do with OAuth?
We decided to launch OAuth with a default permission that allows you to perform the following actions:
read and create Monetary Accounts;
read Payments & Transactions;
create Payments between Monetary Accounts of the same user;
create Draft-Payments (the user will need to approve the payment using the bunq app);
assign a Monetary account to a Card;
read, create and manage Cards;
read and create Request-Inquiries
read Request-Responses.
As a PSD2-licensed developer, you are limited to the permission scopes of your role.
Authorization request
Your web or mobile app should redirect users to the following URL:
https://oauth.bunq.com/auth
The following parameters should be passed:
response_type - bunq supports the authorization code grant, provide code as parameter (required)
client_id - your Client ID, get it from the bunq app (required)
redirect_uri - the URL you wish the user to be redirected after the authorization, make sure you register the Redirect URL in the bunq app (required)
state - a unique string to be passed back upon completion (optional)
Use https://oauth.sandbox.bunq.com/auth in the sandbox environment.
Authorization request example:
Android Emulator
In case you do not own an Android device on which you can run our Sandbox app for end-to-end testing, you can set up an emulator to run the bunq Sandbox app for Android.
Things you will need
The bunq Sandbox App APK that's optimised for emulating;
Android Studio.
Starting the Android Virtual Device (AVD) Manager
Open Android Studio.
From the top menu, select “Tools” > "Android" > "AVD Manager".
Setting up a new virtual device
Start the wizard by clicking on "+ Create Virtual Device".
Select a device (recommendation: "Pixel 5.0" or "Nexus 6") and press "Next".
Select an x86 system image (recommendation: Nougat, API Level 25, Android 7.1.1 with Google APIs) and press "Next". The image needs to have Google Play Services 10.0.1 or higher.
In the bottom left corner, select "Show Advanced Settings".
Scroll to "Memory and Storage".
Change "Internal Storage" to "2048 MB".
Change "SD card" to "200 MB".
Press "Finish".
Starting the virtual device
On the right side under "Actions", select the green "Play" button.
Wait for the device to boot, this may take a few minutes.
Installing the bunq Sandbox App APK
Open the command line.
Navigate to your Android SDK platform tools directory (e.g. cd ~/Library/Android/sdk/platform-tools on macOS).
Make sure that the virtual device is started and has fully booted.
Run ./adb install ~/Downloads/bunq-android-sandboxEmulator-public-api.apk, this may take a few minutes, and should finish with "Success".
Creating an account or logging in
Create a sandbox account in the developer portal.
Log in to the sandbox app using the sandbox user credentials.
ℹ️ You will be asked to verify your phone number when you open the app for the first time. Sandbox does not send actual SMS messages. Enter any valid phone number and use the default verification code 992266.
If you couldn't generate a sandbox account in the developer portal, use Tinker:
Install Tinker.
Run tinker/user-overview to create a sandbox account. The output of the command will include the login credentials for the sandbox account.
⚠️ NOTE: It is not possible to create accounts using the regular signup in the app, bunq is not reviewing Sandbox applications.
Moving to Production
Have you tested your bunq integration to the fullest and are you now ready to introduce it to the world? Then the time has come to move it to a production environment!
To get started you'll need some fresh API keys for the production environment, which you can create via your bunq app. You can create these under "Profile" by tapping the "Security" menu. We do, however, highly recommend using a standard API Key instead of a Wildcard API Key. The former is significantly safer and it protects you from intrusions and possible attacks.
There's only a few things to do before your beautiful bunq creation can be moved to production. You're going to have to change your API Key and redo the sequence of calls to open a session.
The bunq Public API production environment is hosted at https://api.bunq.com.
Do you have any questions or remarks about the process, or do you simply want to show off with your awesome creations? Don't hesitate to drop us a line on together.bunq.com.
Please be aware that if you will gain access to account information of other bunq users or initiate a payment for them, you maybrequire a PSD2 permit.
Quickstart: Opening a Session
Goal
So, you want to start using the bunq API, awesome! To do this, you have to open a session in which you will be making those calls.
Getting an API key
To connect to the API, you have to make sure you have received an API key.
For production:
create an app in the developer portal, or
generate it in the bunq app (Profile → Security & Settings → Developers → API keys).
For sandbox
You can use one of the following ways:
create a sandbox user in the developer portal;
generate an API key in the sandbox app (Profile → Security & Settings → Developers → API keys);
get an API key from Tinker;
run a cURL request: curl https://public-api.sandbox.bunq.com/v1/sandbox-user-person -X POST --header "Content-Type: application/json" --header "Cache-Control: none" --header "User-Agent: curl-request" --header "X-Bunq-Client-Request-Id: $(date)randomId" --header "X-Bunq-Language: nlNL" --header "X-Bunq-Region: nlNL" --header "X-Bunq-Geolocation: 0 0 0 0 000". Use sandbox-user-company to generate a business user.
Note that production API key is only usable on production and sandbox key is only usable on sandbox. Sandbox key has a sandbox_ prefix while production key does not have any noticeable prefixes.
Call sequence
The calls you need to perform to set up a session from scratch are the following:
1. POST installation
Each call needs to be signed with your own private key. An Installation is used to tell the server about the public key of your key pair. The server uses this key to verify your subsequent calls.
Start by generating a 2048-bit RSA key pair. You can find examples by looking at the source code of the sdk's located at github.
Headers
On the headers page you can find out about the mandatory headers. Take care that if you are in the sandbox environment, you set an Authorization header. Specific to the POST /installation call, you shouldn't use the X-Bunq-Client-Authentication or the X-Bunq-Client-Signature headers.
Body
Post your public key to the Installation endpoint (use \n for newlines in your public key).
Response
Save the Installation token and the bunq API's public key from the response. This token is used in the Authentication header to register a DeviceServer and to start a SessionServer. The bunq API's public key should be used to verify future responses received from the bunq API.
2. POST device-server
Further calls made to the server need to come from a registered device. POST /device-server registers your current device and the IP address(es) it uses to connect to the bunq API.
Headers
Use the token you received from POST /installation in the X-Bunq-Client-Authentication header. Make sure you sign your call, passing the call signature in X-Bunq-Client-Signature header.
Body
For the secret, use the API key you received. If you want to create another API key, you can do so in the bunq sandbox app (or production app for the production environment). Login, go to Profile > Security and tap 'API keys'. The freshly created API key can be assigned to one or multiple IP addresses using POST device-server within 4 hours before becoming invalid. As soon as you start using your API key, it will remain valid until the next sandbox reset. For the secret, use the API key you received.
3. POST session-server
To make any calls besides installation and device-server, you need to open a session.
Headers
Use the token you received from POST /installation in the X-Bunq-Client-Authentication header. Make sure you sign your call, passing the call signature in X-Bunq-Client-Signature header.
Body
For the secret, use the API key you received.
Response
The token received in the response to POST /session-server should be used to authenticate your calls in this session. Pass this session's token in the X-Bunq-Client-Authentication header on every call you make in this session.
Quickstart: Payment Request
Goal
You want to offer bunq payments on a website or in an application.
Scenario
In this use case the consumer and the merchant both have a bunq account. The consumer wants to pay with bunq and enters their alias in the bunq payment field at checkout. The merchant sends the request for payment to the consumer when the consumer presses enter. The consumer agrees to the request in the bunq mobile app and the merchant has immediate confirmation of the payment. Please be aware that if you will gain access to account information of other bunq users or initiate a payment for them, you require a PSD2 permit.
Before you start
Make sure that you have opened a session and that for any call you make after that, you pass the session’s token in the X-Bunq-Client-Authentication header.
Call Sequence
The consumer is at checkout and selects the bunq payment method. This would be a logical time to open a session on the bunq server.
1. LIST monetary-account
When a request for payment is accepted, the money will be deposited on the bank account the request for payment is connected to. Let’s start by finding all your available bank accounts. Pick one of them to make the request for payment with and save its id.
2. POST monetary-account attachment (optional)
Optionally, you can attach an image to the request for payment.
Headers
Make sure you set the Content-Type header to match the MIME type of the image. It’s also required you pass a description of the image via the X-Bunq-Attachment-Description header.
Body
The payload of this request is the binary representation of the image file. Do not use any JSON formatting.
Response
Save the id of the posted attachment. You’ll need it to attach it to the request for payment.
3. POST request-inquiry
Next, create a request inquiry. A request inquiry is the request for payment that your customer can respond to by accepting or rejecting it.
Body
Pass the customer’s email address, phone number or IBAN in the counterpartyalias. Make sure you set the correct type for the alias, depending on what you pass. When providing an IBAN, a name of the counterpartyalias is required. You can provide the id of the created attachment.
Response
You will receive the id of the created request inquiry in the response. Save this id. You will need it to check if the customer has responded to the request yet.
4. GET request-inquiry
After you’ve sent the request for payment, its status can be checked.
Response
When the status is ACCEPTED, the customer has accepted and paid the request, and you will have received the money on the connected monetary account. If the status is REJECTED, the customer did not accept the request.
Quickstart: Create a Tab payment
Goal
You will create a tab that can be paid once by a single user, a so called TagUsageSingle, and explore three different ways to make the Tab visible to your customers:
QR code from the CashRegister
QR code from the Tab.
Before you start
Make sure that you have opened a session and that for any call you make after that, you pass the session’s token in the X-Bunq-Client-Authentication header.
Call sequence
1. POST attachment-public
Start by creating an attachment that will be used for the avatar for the cash register.
Header
Make sure you set the Content-Type header to match the MIME type of the image. It is also required you pass a description of the image via the X-Bunq-Attachment-Description header.
Body
The payload of this request is the binary representation of the image file. Do not use any JSON formatting.
Response
Save the uuid of the posted attachment. You'll need it to create the avatar in the next step.
2. POST avatar
Make an avatar using the public attachment you've just created.
Body
The payload of this request is the uuid of the attachment public.
Response
In response, you’ll receive the UUID of the avatar created using the attachment. Save this UUID. You’ll use it as the avatar for the cash register you're about to create.
3. LIST monetary-account
Get a listing of all available monetary accounts. Choose one, and save the id of the monetary account you want your cash register to be connected to. Each paid tab for the cash register will transfer the money to this account.
4a. POST cash-register
Create a cash register. Use the id of the monetary account you want to connect the cash register to in the URL of the request.
Body
In the body provide the uuid of the avatar you created for this cash register. Also make sure to provide a unique name for your cash register. Set the status to PENDING_APPROVAL.
Response
The response contains the id of the cash register you created. Save this id. You will need it to create subsequent tabs and tab items.
4b. Wait for approval
On the production environment, a bunq admin will review and approve your cash register. In the sandbox environment, your cash register will be automatically approved.
5. POST tab-usage-single
Create a new tab that is connected to your cash register. Use the id of the cash register you want to connect this tab to in the URL of your request.
Body
Give the tab a name in merchant_reference. Create the tab with status OPEN, and give the tab a starting amount. You can update this amount later.
Response
The response contains the uuid of the tab you created.
6. POST tab-item (optional)
You can add items to a tab. For instance, if a customer will be paying for multiple products via this tab, you can decide to add an item for each of these. Adding items to a tab is optional, and adding them will not change the total amount of the tab itself. However, if you've added any tab items the sum of the amounts of these items must be equal to the totalamount of the tab when you change its status to WAITINGFOR_PAYMENT.
7. PUT tab-usage-single
Update the status of the tab to WAITINGFORPAYMENT if you want the costumer to pay the tab, and you're done adding any tab items. You can use this request to make the tab visible for your costumers.
Visibility
To decide how you are going to make your tab visible, pass a visibility object in the payload.
Setting cashregisterqr_code to true will connect this tab to the QR code from the cash register. If this cash register does not have a QR code yet, one will be created. Only one Tab can be connected to the cash register’s QR code at any given time.
Setting tabqrcode to true will create a QR code specifically for this tab. This QR code can not be linked to anything else.
Quickstart: Create a TransferWise payment
Goal
You want to send a payment in currency other than euro outside the SEPA zone.
Before you start
Make sure that you have opened a session and that for any call you make after that, you pass the session’s token in the X-Bunq-Client-Authentication header.
ℹ️ bunq relies on TransferWise for international, so you need to create a TransferWise account linked to a bunq account to be able to create international transfers. You can do it either from the bunq app or using our API as described below.
Get the up-to-date exchange rate (optional)
You might want to check the latest currency exchange rate before making a transfer. Here’s how you can do it using the bunq API:
Check the list of supported currencies via GET /user/{userID}/transferwise-currency. Copy the needed currency code.
Create a temporary quote for the currency of your choice via POST /user/{userID}/transferwise-quote-temporary.
ℹ️ A quote is the exchange rate at the exact timestamp. Temporary quotes carry solely informative value and cannot be used for creating a transfer.
Read the temporary quote via GET /user/{userID}/transferwise-quote-temporary/{transferwise-quote-temporaryID}.
Create a TransferWise account
You need a TransferWise account linked to your bunq account to make TransferWise payments via the bunq API. Create one via POST /user/{userID}/transferwise-user, and save its ID.
ℹ️ You cannot use an existing TransferWise account.
Create a quote
Create a quote via POST /user/{userID}/transferwise-quote and save its ID.
ℹ️ Use amounttarget to indicate the sum the recipient must get. Amountsource, on the other hand, will indicate the sum you want to send, but it will not necessarily be the final sum the recipient gets.
ℹ️ Quotes are valid for 30 minutes so if you do not manage to create a transfer within this time, you will need to create another quote.
Get the exchange rate by reading the quote via GET /user/{userID}/transferwise-quote/(transferwise-quoteID).
Create a recipient
If you have sent money via the TransferWise account linked to your bunq account, you can reuse the recipients. You can list their IDs via GET /user/{userID}/transferwise-quote/{transferwise-quoteID}/transferwise-recipient.
To create a new, previously unused recipient, follow these steps:
Retrieve the fields required for creating the recipient as the requirements vary for the type of recipient in each country. Iterate sending the following request pair till there are no more required fields:
GET /user/{userID}/transferwise-quote/{transferwise-quoteID}/transferwise-recipient-requirement
POST /user/{userID}/transferwise-quote/{transferwise-quoteID}/transferwise-recipient-requirement
Create a recipient account using the final request body from the previous step with POST /user/{userID}/transferwise-quote/{transferwise-quoteID}/transferwise-recipient-requirement
Create a transfer
Finally, having both the quote ID and the recipient ID, you can create a transfer. 🎉
Check if there are any additional transfer requirements via POST /user/{userID}/transferwise-quote/{transferwise-quoteID}/transferwise-transfer-requirement.
Create a transfer via POST /user/{userID}/transferwise-quote/{transferwise-quoteID}/transferwise-transfer. You need to specify the ID of the monetary account from which you want the payment to be made.
Quickstart: Downloading attachments
Goal
Export receipts and invoices attached to payments to your application.
The scenario you want to achieve
The bunq user has accepted the authorization request and your application can read the bunq user’s account information.
Your application imports all the transactions and attachments.
The bunq user sees the transactions matched with the receipts and invoices in your application.
Before you start
Make sure that you have opened a session
Make sure you pass the session Token in the X-Bunq-Client-Authentication header in all the following requests of the session.
Call sequence
List the payments of the user via GET /user/{userID}/monetary-account/{monetary-accountID}/payment.
Check if the payments have attachments via GET /user/{userID}/monetary-account/{monetary-accountID}/payment/{paymentID}/note-attachment. Save the attachment IDs.
Export the raw content of the attachments via GET /user/{userID}/attachment/{attachmentID}/content.
HINT: You can use callbacks to make sure you don’t miss anything happening on the bunq account.

Cnab Online

cnab-online.herokuapp.com
Processe arquivos de retorno CNAB

IBKR 3rd Party Web API

interactivebrokers.com
Interactive Brokers Web API for 3rd Party Companies

Product Finder API

hsbc.com

Up API

The Up API gives you programmatic access to your balances and
transaction data. You can request past transactions or set up
webhooks to receive real-time events when new transactions hit your
account. It’s new, it’s exciting and it’s just the beginning.

NaviPlan API

naviplancentral.com
An API for accessing NaviPlan plan data for a client.