FAQ
A tab is a page that allows a bunq user to pay for a product or service using a QR code or app redirect. You have seen tabs when paying online or making a POS purchase via bunq.
A tab has nothing to do with a browser tab. It is a bill in a restaurant or in a store.
A Wildcard API key allows you to make API calls from any IP address after registering a device via POST v1/device-server.
You can switch to using a Wildcard API Key in 2 ways:
Manually by tapping on “Allow All IP Addresses” in the settings of your API key in the bunq app.
Programmatically by passing your current IP and a
*(asterisk) in the permitted_ips field of thePOST v1/device-servercall (e.g:["1.2.3.4", "*"]).
You can use Wildcard IP on the device-server step when using the token you get after going through the OAuth flow. So it will look like this:
You establish a connection with the account via OAuth.
You get an authorization token.
You use the token as an API key to start a session (at this step, you register the token as an API key):
You create an API context. On the
device-serverstep, you switch to using the wildcard option.
Open an in-app browser.
Use our SDKs. They will handle signing for you.
You need to have a Premium (SuperGreen) or Business (SuperGreen) account to use the bunq API.
We accept QSEAL certificates.
You’ll receive a token in return to passing your QSEAL certificate. You’ll then be able to use it as an API key.
You need to send a POST /payment-service-provider-credential request passing your QSEAL certificate, QSEAL certificate chain, and a signature of the device registration key with the QSEAL private key. Check the full authentication flow here.
The request signature requirement is the same for all types of API users. You can read more about it here.
You can create an OAuth Client using POST /user/userId/oauth-client and read it using its id (GET /user/userId/oauth-client/oauth-clientId). Once you have it, you can add a redirect url using POST /user/{userID}/oauth-client/{oauth-clientID}/callback-url. From there, you can move to creating an authorization request and token exchange.
bunq offers one API to both our users and companies with PSD2 permit. As a PSD2 party, you can only access the endpoints that correspond with your permit level.
Yes, the only thing that differs is the authentication flow. Everything else is the same.
Our SDKs contain examples and tests that will help you register as a service provider.
No, there are two ways to get access to the API:
as a AISP/PISP license holder, by means of a PSD2 certificate; or
as a bunq customer, by means of an API-key issued via the bunq app.
The bunq Public API and the bunq PSD2 API are essentially the same API, however, there are different ways to access the API and there are differences in accessible endpoints depending on how you access the API. See the above mentioned answer for more information on how you can get access to the API.
As a general rule, when you access the API by means of a PSD2 certificate, you will only have access to the endpoints required for your respective PSD2 role (PISP and/or AISP). In other words, as a PISP you will solely have access to the endpoints for initiating a payment and as a AISP you will solely have access to the endpoints for account information.
When you are considering to use our API, please consider which API endpoints you would like to use, because certain endpoints are only accessible for bunq customers.
No, you can use the bunq API to manage your own accounts without a license. A license is only needed in case you use the API to provide services to one or more third parties.
Yes, but in this case you might need a license and it is your own responsibility to ensure that you comply with any and all license requirements. We strongly advice you to get an expert legal opinion in case you are considering to use our API to offer services to third parties.
Whether or not you need a license depends on the activities you (intend to) perform by means of the bunq API.
According to the Dutch Central Bank a PISP/AISP license is not always required when using a banking API to provide services to third parties (see: https://www.toezicht.dnb.nl/en/3/50-237764.jsp).
Based on the aforementioned webpage from DNB we believe a license might not be required in case:
you sign-up for a bunq account;
accept the bunq API terms and conditions;
get an API-Key via the bunq app;
use your API-Key to access the bunq API;
use OAuth to get access to the accounts of one or more third parties; and
use the OAuth access to provide services to the third parties.
However, we do not guarantee in any way that you do not need a license in case you follow the above mentioned process. Every situation is different and it is your own responsibility to assess whether or not your situation requires you to get a license.
Performing activities subject licensing without the respective license(s) is illegal and can have very serious consequences. For example, you might be fined by the regulators, and we could decide to block or close your account.
