Some API calls such as POST /user/{userID}/card-debit and POST /user/{userID}/card-credit require additional encryption to protect the sensitive data that they pass.

Here is how to encrypt a request:

  1. Generate a random Initialization Vector (IV) of 16 bytes.

  2. Generate a random Advanced Encryption Standard (AES) key of 32 bytes.

  3. Encrypt the AES key with the public key of your installation.

  4. Encrypt the request body using the AES-256-CBC mode (apply the PKCS1 padding).

  5. Compute the HMAC of the IV followed by the encrypted body, using the SHA-1 algorithm and the AES key as the HMAC key.

  6. Send the request using the encrypted body and the following headers:

    • X-Bunq-Client-Encryption-Hmac set to the base64-encoded HMAC hash;

    • X-Bunq-Client-Encryption-Iv set to the base64-encoded IV; and

    • X-Bunq-Client-Encryption-Key set to the base64-encoded ENCRYPTED AES key (never the plaintext key).

Voilà! Your encrypted API request is ready to send.
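The six steps above as an added Go example (not the API's own code or any bunq SDK). It assumes PKCS#1 v1.5 for the RSA key wrapping and PKCS#7 block padding for the AES-CBC body, the padding that standard AES-CBC libraries apply, and a caller that has already parsed the installation's public key into an *rsa.PublicKey.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
)

// pkcs7Pad pads the body to whole AES blocks (the block padding AES-CBC libraries apply; assumed here).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptRequest runs steps 1-6 for one request body; it returns the encrypted body plus the three headers.
func EncryptRequest(body []byte, installationPub *rsa.PublicKey) ([]byte, map[string]string, error) {
	buf := make([]byte, 48) // steps 1 and 2: random 16-byte IV and random 32-byte AES-256 key
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	iv, key := buf[:16], buf[16:]
	// Step 3: wrap the AES key with the installation's RSA public key (PKCS#1 v1.5 assumed).
	encKey, err := rsa.EncryptPKCS1v15(rand.Reader, installationPub, key)
	if err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(key) // step 4: AES-256-CBC over the padded body
	if err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(body)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	// Step 5: HMAC-SHA1 over IV || ciphertext, keyed with the same AES key.
	mac := hmac.New(sha1.New, key)
	mac.Write(iv)
	mac.Write(ct)
	// Step 6: base64 header values; the key header carries the RSA-wrapped key, never the raw one.
	b64 := base64.StdEncoding.EncodeToString
	return ct, map[string]string{
		"X-Bunq-Client-Encryption-Hmac": b64(mac.Sum(nil)),
		"X-Bunq-Client-Encryption-Iv":   b64(iv),
		"X-Bunq-Client-Encryption-Key":  b64(encKey),
	}, nil
}
```

The receiving side reverses the steps in the opposite order: unwrap the key, check the HMAC over IV || ciphertext first, and only then decrypt and strip the padding.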