Basic Info

1. Register your TPP application

Log in to this developer portal and click the “Apps” section in the menu.

Click the »Create new App« button.

 

Enter the »Title« of your application and, optionally, a »Description« and an »OAuth Redirect URI«. Click the »Submit« button to complete the registration of your application.

 

 

Now that you've registered your application, you can browse the APIs and subscribe to them. The Client ID and Client Secret ID are generated automatically.

 

 

2. Test cases 

The mandatory PSD2 APIs are available in the Bankart API portal.

The API specification is available as a Swagger file, under the »Explore our API« button.

All APIs follow the Berlin standard; JSON format is supported.

APIs published on the portal are sandbox versions.

APIs published on the portal return static answers.

All data in the tables below is intended for testing and has no relation to real data.

Data in tables can change at any time without prior notice.

Payment Instrument Issuing

| API | IBAN | CURRENCY | AMOUNT |
|---|---|---|---|
| post /funds-confirmations | SI56051001001033999 | EUR | 20,00 |
| | SI56051001001011977 | EUR | 360,01 |

Account Information Service

| API | IBAN | CURRENCY | AMOUNT | Account-id | TransactionId |
|---|---|---|---|---|---|
| get /accounts | SI56051001001033999 | EUR | 128,00 | | |
| | SI56031201000132558 | EUR | 49,61 | | |
| get /accounts/{account-id} | SI56051001001033999 | EUR | 128,00 | | |
| | SI56610000018109471 | EUR | 128,10 | 25MM | |
| get /accounts/{account-id}/transactions | SI56051001001033999 | EUR | | 8735076338630656 | |
| | SI56031301000465651 | EUR | | 8735076338630650 | |
| get /accounts/{account-id}/transactions/{resourceId} | SI56051001001033999 | EUR | 29,00 | | 222 |
| | SI56610000011042245 | EUR | 251,69 | | TRANID333 |
| get /accounts/{account-id}/balances | SI56051001001033999 | USD | 128,00 | 8735076338630656 | |
| | SI56031101000397567 | EUR | 55,31 | 8735076338630655 | |

Payment Initiation Service API

 
| API | payment-service | payment-product | paymentId |
|---|---|---|---|
| POST /{payment-service}/{payment-product} | payments | sepa-credit-transfers | |
| GET /{payment-service}/{payment-product}/{paymentId} | payments | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 |
| GET /{payment-service}/{paymentId}/status | payments | | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 |
| | payments | | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e222 |
| DELETE /{payment-service}/{payment-product}/{paymentId} | payments | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 |
| | payments | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e222 |
| | payments | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e333 |

Consents Service API

| API | consentId |
|---|---|
| POST /consents | |
| GET /consents/{consentId}/status | 1234-wertiq-983 |
| GET /consents/{consentId} | 1234-wertiq-983 |
| DELETE /consents/{consentId} | 1234-wertiq-983 |

 

3. Instructions for testing APIs with enabled advanced security features (OAuth2, SCA) 

By definition, certain crucial PSD2 APIs require OAuth2. These are marked accordingly in our API documentation and Swagger definitions. Here are some examples:

- consent APIs (all within PSD2 Account Information product)

- payment APIs (e.g. payment initiation request) 

On top of that, these APIs in principle (when no exemption is defined by business rules) also require a subsequent SCA (strong customer authentication) step.

3.1 OAuth2

We are using the authorization code flow. As a first step, you need to open the GET /oauth2/authorize link in a browser with the URL parameters response_type, client_id, redirect_uri and scope. Example:

.../oauth2/authorize?response_type=code&client_id=db...&redirect_uri=https://www.xyztpp.si&scope=consent 

Of course, you need to use your own values, i.e. the client_id and redirect URI of your subscribed application. You can also trigger this redirect by selecting the "Authorize" button in the documentation of the protected API. When the authorization page opens, enter any username and password combination and select "Allow Access" on the second page. This sends you to the redirect URI with a newly generated access code as a URL parameter. You need to extract this code from the URL to get the token. To exchange the access code for the token, you need a tool that can send a simple POST request, for example curl. You need to pass grant_type, client_id and code as x-www-form-urlencoded data. Here is an example:

curl -d "grant_type=authorization_code&client_id=dbe...&code=AAL7lhdq6k..." -H "Content-Type: application/x-www-form-urlencoded" -H "accept:application/json" -X POST https://api-test.bankart.si/psd2/sb/oauth2/token

This will return a JSON object with the token, which you can then use to call the OAuth2-protected APIs (insert the token value prefixed with "Bearer " in the "authorization" header field), or simply paste it into the "Access token" field in the developer portal and call the API this way. For details (URLs, parameters etc.) please also see the published Swagger documents.
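The steps of section 3.1 as an added Python example (not code from the portal): it builds the authorize link, validates the redirect before taking the code from it, and prepares the same token request as the curl call. The `state` parameter and the `access_token` field name come from RFC 6749 and are assumptions here, since the page does not list them; the authorize URL and all sample values are placeholders.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def build_authorize_url(authorize_url, client_id, redirect_uri, scope):
    """Return (url, state) for the browser step of the authorization code flow."""
    # Assumption: "state" (RFC 6749) is accepted and echoed back by the server.
    state = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope,
                       "state": state})
    return f"{authorize_url}?{query}", state

def extract_code(callback_url, redirect_uri, expected_state):
    """Validate the URL the browser landed on and return the access code."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path.rstrip("/")) != \
            (want.scheme, want.netloc, want.path.rstrip("/")):
        raise ValueError("callback does not match the registered redirect URI")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discard this callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def token_request_body(client_id, code):
    """Form body for POST .../oauth2/token, the same fields as the curl call."""
    return urlencode({"grant_type": "authorization_code",
                      "client_id": client_id, "code": code})

def bearer_header(token_response_text):
    """Header for protected API calls, built from the token endpoint's JSON."""
    token = json.loads(token_response_text)["access_token"]  # RFC 6749 name
    return {"authorization": "Bearer " + token}

if __name__ == "__main__":
    # Constructed sample values; the authorize URL is a placeholder.
    url, state = build_authorize_url("https://portal.example/oauth2/authorize",
                                     "my-client-id", "https://www.xyztpp.si", "consent")
    print(url)
    callback = "https://www.xyztpp.si/?code=SAMPLECODE&state=" + state
    print(token_request_body("my-client-id",
                             extract_code(callback, "https://www.xyztpp.si", state)))
```

If the sandbox does not echo `state` back, `extract_code` rejects the callback; in that case drop the parameter for sandbox testing only.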

3.2 SCA (Strong Customer Authentication)

According to the PSD2 Berlin Group standard, an SCA step is required after certain crucial, i.e. sensitive, API calls. We are using an implicit flow with a simple redirect (not OAuth2) for this purpose. Please check the API response header for the ASPSP/PISP-SCA-Approach value and, when it is present, redirect the end user to the URL provided in the _links/scaRedirect response element. No information is returned directly from this redirect to your app, but certain crucial calls are made in the background to complete the authorization and process the payment or create a consent object. In our sandbox environment you can even omit this step, but for production APIs it is critical that the client is redirected to the SCA link (when provided) if you wish the entire API flow to complete as intended. You can check the outcome of SCA from your application with the corresponding .../status API calls (for details please see the API documentation, i.e. the Swagger definition).
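The SCA decision described above, as an added Python example (not code from the portal): it checks for the SCA approach header, takes the scaRedirect link from the response body, refuses to send the user anywhere other than an expected HTTPS host, and classifies a later .../status response. The `allowed_hosts` parameter, the sample response and the status codes (Berlin Group `transactionStatus` / `consentStatus` values) are assumptions, not values from this page.

```python
import json
from urllib.parse import urlsplit

# Header names as given on the page, lower-cased for case-insensitive lookup.
SCA_HEADERS = ("aspsp-sca-approach", "pisp-sca-approach")

# Constructed sample response to a payment initiation call.
SAMPLE_HEADERS = {"ASPSP-SCA-Approach": "REDIRECT", "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({
    "transactionStatus": "RCVD",
    "_links": {"scaRedirect": {"href": "https://sca.bank.example/start?ref=constructed"}},
})

def sca_redirect(headers, body_text, allowed_hosts):
    """Return the URL to send the end user to, or None when no SCA is requested."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not any(name in lowered for name in SCA_HEADERS):
        return None
    link = json.loads(body_text).get("_links", {}).get("scaRedirect")
    href = link.get("href") if isinstance(link, dict) else link
    if not href:
        raise ValueError("SCA approach header present but no scaRedirect link")
    parts = urlsplit(href)
    # Never forward the user to a link that is not HTTPS on an expected host.
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise ValueError("refusing SCA redirect to unexpected location: " + href)
    return href

FAILED = {"RJCT", "CANC", "rejected", "expired", "revokedByPsu", "terminatedByTpp"}
AUTHORISED = {"ACCP", "ACSC", "ACSP", "ACTC", "ACCC", "valid"}

def sca_outcome(status_text):
    """Classify the body of a .../status call made after the SCA redirect."""
    body = json.loads(status_text)
    status = body.get("transactionStatus") or body.get("consentStatus") or ""
    if status in FAILED:
        return "failed"
    if status in AUTHORISED:
        return "authorised"
    return "pending"  # e.g. RCVD / received: keep polling, do not assume success

if __name__ == "__main__":
    print(sca_redirect(SAMPLE_HEADERS, SAMPLE_BODY, {"sca.bank.example"}))
    print(sca_outcome('{"transactionStatus": "RCVD"}'))
```

Because the sandbox returns static answers, `sca_outcome` will not change between polls there; the classification matters against production APIs.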