As a service provider, either an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP), you have obtained or are planning to obtain a license from your local supervisor. You will need your unique eIDAS certificate number to start using the PSD2-compliant bunq API on production.

We accept pseudo certificates in the sandbox environment so you could test the flow. You can generate a test certificate using the command below.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=My App PISP AISP/C=NL'

Register as a service provider

Before you can read the information on bunq users or initiate payments, you need to register a PSD2 account and receive credentials that will enable you to access the bunq user accounts.

1. Execute POST v1/installation and get your installation Token with a unique random key pair.

2. Use the installation Token and your unique PSD2 certificate to call POST v1/payment-service-provider-credential. This will register your software.

3. Receive your API key in return. It will identify you as a PSD2 bunq API user. You will use it to start an OAuth flow. The session will last 90 days. After it closes, start a new session using the same API key.

4. Register a device by using POST v1/device-server using the API key for the secret and passing the installation Token in the X-Bunq-Client-Authentication header.

5. Create your first session by executing POST v1/session-server. Provide the installation Token in the X-Bunq-Client-Authentication header. You will receive a session Token. Use it in any following request in the X-Bunq-Client-Authentication header.

Register your OAuth application

Before you can start authenticating on behalf of a bunq user, you need to get a Client ID and a Secret, which will identify you in authorization requests to the user accounts.

1. Call POST /v1/user/{userID}/oauth-client to create an OAuth Client.

2. Add a redirect URL to the OAuth Client via POST /user/{userID}/oauth-client/{oauth-clientID}/callback-url.

3. Call GET /v1/user/{userID}/oauth-client/{oauth-clientID}. We will return your Client ID and Client Secret.

4. You are ready to initiate authorization requests.

The flow below will guide you through the full OAuth connection process. Note that you only need to create OAuth credentials once.