FAQ
What is a tab?
A tab is a page that allows a bunq user to pay for a product or service using a QR code or app redirect. You have seen tabs when paying online or making a POS purchase via bunq.
A tab has nothing to do with a browser tab. It is a bill in a restaurant or in a store.
What is a Wildcard API key?
A Wildcard API key allows you to make API calls from any IP address after registering a device via POST v1/device-server.
You can switch to using a Wildcard API Key in 2 ways:
Manually by tapping on “Allow All IP Addresses” in the settings of your API key in the bunq app.
Programmatically by passing your current IP and a * (asterisk) in the permitted_ips field of the POST v1/device-server call (e.g. ["1.2.3.4", "*"]).
I'm setting up the OAuth flow. How do I overcome German households not having a static IP address?
You can use Wildcard IP on the device-server step when using the token you get after going through the OAuth flow. So it will look like this:
You establish a connection with the account via OAuth.
You get an authorization token.
You use the token as an API key to start a session (at this step, you register the token as an API key):
You create an API context. On the device-server step, you switch to using the wildcard option.
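The permitted_ips value described in the two answers above (the Wildcard API key and the OAuth device-server step), as an added example that is not bunq's own code or part of its SDKs. The body field names secret and description and all sample values are assumptions; only permitted_ips and the "*" entry come from this page. With the wildcard set, the IP allowlist no longer restricts the key, so the helper that masks the secret before logging matters more.

```python
import ipaddress

WILDCARD = "*"  # value the page gives for "any IP address"


def build_device_server_body(secret, description, current_ip, wildcard=False):
    """Build the JSON body for POST v1/device-server.

    `secret` is the API key (or the OAuth token used as one). The field
    names `secret` and `description` are assumptions; the page names
    only `permitted_ips`.
    """
    # Accept only a literal IP address: hostnames and CIDR ranges raise ValueError.
    ip = str(ipaddress.ip_address(current_ip))
    permitted = [ip, WILDCARD] if wildcard else [ip]
    return {"description": description, "secret": secret, "permitted_ips": permitted}


def review_permitted_ips(permitted_ips):
    """Split a permitted_ips list into (valid_ips, has_wildcard, invalid_entries)."""
    valid, invalid, has_wildcard = [], [], False
    for entry in permitted_ips:
        if entry == WILDCARD:
            has_wildcard = True
            continue
        try:
            if not isinstance(entry, str):
                raise ValueError("not a string")
            valid.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            invalid.append(entry)
    return valid, has_wildcard, invalid


def log_safe(body):
    """Copy of the body with the secret masked, for logs and bug reports."""
    return {**body, "secret": "<redacted>"}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    body = build_device_server_body("constructed-token", "laptop", "1.2.3.4", wildcard=True)
    print(log_safe(body))
    print(review_permitted_ips(body["permitted_ips"] + ["10.0.0.0/8"]))
```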
How do I display the OAuth QR code in my application?
Open an in-app browser.
Do you have any examples of signing requests?
Use our SDKs. They will handle signing for you.
Can I access my account via API as a Travel user?
You need to have a Premium (SuperGreen) or Business (SuperGreen) account to use the bunq API.
PSD2
What PSD2 certificate types does bunq accept?
We accept QSEAL certificates.
How do I get an API key as a PSD2 user?
You’ll receive a token in return for passing your QSEAL certificate. You’ll then be able to use it as an API key.
What do I need to register my QSEAL certificate?
You need to send a POST /payment-service-provider-credential request passing your QSEAL certificate, QSEAL certificate chain, and a signature of the device registration key with the QSEAL private key. Check the full authentication flow here.
How does the PSD2 API request signing work?
The request signature requirement is the same for all types of API users. You can read more about it here.
How do I get an OAuth client as a PSD2 user?
You can create an OAuth Client using POST /user/userId/oauth-client and read it using its id (GET /user/userId/oauth-client/oauth-clientId). Once you have it, you can add a redirect URL using POST /user/{userID}/oauth-client/{oauth-clientID}/callback-url. From there, you can move to creating an authorization request and token exchange.
Where do I find the AISP, PISP and CBPIII API reference?
bunq offers one API to both our users and companies with a PSD2 permit. As a PSD2 party, you can only access the endpoints that correspond with your permit level.
Are the AISP, PISP and CBPIII APIs the same API as I use as a bunq user?
Yes, the only thing that differs is the authentication flow. Everything else is the same.
Do you have any examples of how to register a PSD2 certificate correctly?
Our SDKs contain examples and tests that will help you register as a service provider.
C# examples
PHP examples
Java examples
Python examples
Do we always need an AISP or PISP license to access/use the bunq API?
No, there are two ways to get access to the API:
as an AISP/PISP license holder, by means of a PSD2 certificate; or
as a bunq customer, by means of an API-key issued via the bunq app.
Is there a difference between the bunq Public API and the bunq PSD2 API?
The bunq Public API and the bunq PSD2 API are essentially the same API; however, there are different ways to access the API, and the accessible endpoints differ depending on how you access it. See the answer above for more information on how you can get access to the API.
As a general rule, when you access the API by means of a PSD2 certificate, you will only have access to the endpoints required for your respective PSD2 role (PISP and/or AISP). In other words, as a PISP you will solely have access to the endpoints for initiating a payment and as an AISP you will solely have access to the endpoints for account information.
When considering using our API, please check which API endpoints you would like to use, because certain endpoints are only accessible to bunq customers.
Do we need a license if we use the bunq API solely for internal use?
No, you can use the bunq API to manage your own accounts without a license. A license is only needed in case you use the API to provide services to one or more third parties.
Can we use the bunq API to offer services to third parties?
Yes, but in this case you might need a license and it is your own responsibility to ensure that you comply with any and all license requirements. We strongly advise you to get an expert legal opinion if you are considering using our API to offer services to third parties.
Is it possible to provide services to third parties by means of the bunq API without a license?
Whether or not you need a license depends on the activities you (intend to) perform by means of the bunq API.
According to the Dutch Central Bank a PISP/AISP license is not always required when using a banking API to provide services to third parties (see: https://www.toezicht.dnb.nl/en/3/50-237764.jsp).
Based on the aforementioned webpage from DNB we believe a license might not be required in case:
you sign-up for a bunq account;
accept the bunq API terms and conditions;
get an API-Key via the bunq app;
use your API-Key to access the bunq API;
use OAuth to get access to the accounts of one or more third parties; and
use the OAuth access to provide services to the third parties.
However, we do not guarantee in any way that you do not need a license if you follow the above-mentioned process. Every situation is different and it is your own responsibility to assess whether or not your situation requires you to get a license.
What happens in case we perform licensed activities without a license?
Performing activities subject to licensing without the respective license(s) is illegal and can have very serious consequences. For example, you might be fined by the regulators, and we could decide to block or close your account.