bunq API documentation
bunq API documentation
SDKs
Tinker
PSD2
Changelog
Introduction
Basics
OAuth
Authentication
Headers
Errors
API Conventions
Callbacks
Pagination
Sandbox
Moving to Production
API reference
Changelog
Quickstart
SDKs
Postman
Tinker
Opening a Session
Payment request
Tab payment
PSD2
Connect as a PSD2 service provider
Other
Status Page
Developer blog
Swagger file
Terms of use
Subscribe to our API updates
How should you get started with the bunq API?
FAQ
Apache 2.0 License
Powered by GitBook

Opening a Session

So, you want to start using the bunq API, awesome! To do this, you have to open a session in which you will be making those calls.

Getting an API key

The only way to get a production API key is to generate it from within the bunq app (Profile → Security & Settings → Developers → API keys). As for sandbox API keys, there are 4 ways you can create them.

  • Production API keys are only usable on the production and sandbox API keys are only usable on the sandbox.

  • Sandbox keys contain a sandbox_ prefix while production keys do not have any noticeable prefixes.

Call Sequence

Before you can start a session, you need to register your API key, device and IP address(es). You can do it following the sequence of calls described below.

1. POST /installation

Each call needs to be signed with your own private key. An Installation is used to tell the server about the public key of your key pair. The server uses this key to verify you are sending the subsequent calls.

Start by generating a 2048-bit RSA key pair. You can find examples in the source code of our SDKs.

Headers

On the headers page, you can find out about the mandatory headers. Make sure to set an Authorization header if you are working in the sandbox environment.

You do not need to use the X-Bunq-Client-Authentication or X-Bunq-Client-Signatureheaders in the POST /installationcall.

Body

POST your public key to the Installation endpoint. Use \n for newlines in your public key.

Response

Save the installation Token and server_public_key returned in the response. Use the Token in the Authentication header to register a DeviceServer and to start a SessionServer. Use server_public_key to verify the responses you will receive from the bunq API.

2. POST /device-server

All the following calls made to the server must be sent from a registered device. POST /device-serverregisters your current device and the IP address(es) it uses to connect to the bunq API.

Headers

Use the Token you received in the X-Bunq-Client-Authenticationheader of the response to POST /installation.

  • Make sure you sign your call, passing the call signature in theX-Bunq-Client-Signature header.

Body

Use your API key for the secret parameter. If you want to create and use another API key assign it to one or multiple IP addresses using POST /device-server within 4 hours before it becomes invalid. As soon as you start using your API key, it will remain valid until the next sandbox reset.

3. POST /session-server

To make any calls besides /installation and /device-server, you need to open a session.

Headers

Use the Token you received in the X-Bunq-Client-Authenticationheader of the response to POST /installation .

  • Make sure you sign your call, passing the call signature in X-Bunq-Client-Signatureheader.

Body

Use your API key for the secret parameter.

Response

Use the Token received in the response to POST /session-server to authenticate your calls in this session. Pass this session Token in the X-Bunq-Client-Authentication header with every call you make in this session.

Quickstart - Previous
Tinker
Next - Quickstart
Payment request
Last updated Wed May 22 2019 13:16:02 GMT+0000 (UTC)
Edit on GitHub
Contents
Getting an API key
Call Sequence
1. POST /installation
2. POST /device-server
3. POST /session-server