First off, I greatly appreciate the effort to make an API available for Bunq. For me it can really add to the value of being a BUNQ customer.
Now, in my opinion authorization scoping is a must have for an API with banking powers. I just connected a simple balance reader component to the API. I was absolutely shocked to learn that the API key was pre-authorized to do absolutely anything it wants with any of my accounts.
BUNQ API documentation has plenty of mentions of the hoops that they/consumers have to go through because of legal obligations. Now please implement the laws of common sense as well. Thanks!
Obviously I'm ending my API experiment right now as these shortcomings put my accounts at grave unnecessary risk.
PS: it looks like my use case, which is displaying the balance of a joint groceries account, isn't supported anyway. Only personal accounts seem to be listed.