bunq Together

API key with scopes

Magnificent-Peter

Just want to throw in my two cents as well. The GitHub API has a very nice overview of the permissions you can give an API token/key. I added a screenshot of it to this post. Having a settings page like this would be great for the bunq API. This way you can really fine tune what you are and are not allowed to do with an API key.

But again: A significant first step would be to have read-only API keys.

Bastiaan

Yeah, nice! This is a must have! 👍

Freek

As an inspiration, I really like the Bittrex api: https://support.bittrex.com/hc/en-us/articles/115003723911-Developer-s-Guide-API

It has 3 levels, public (no authentication, public data), then a level that is basically read only. Then 1 that can change stuff within an account. And finally a very high risk key that can transfer money away from your account. I never created that key so I m pretty safe.

Bitqist-B-V-Violet-Leopard

API key permissions is a must have. It would be nice to be able to specify permissions per bank account.

Nevil-Turquoise-Leopard

Requested almost 2 years ago and still nothing, is this going to be implemented Bunq?

I have my administrative staff paying our bills with full access of my bank account, but I want to limit it. And the newest 'limited connect' feature you released a few weeks ago doesn't work for our purpose, since they cannot pay iDeal payments when using limited connect. They can only do manual transfers.

So I really hope this will be implemented, because with PSD2 coming up I will probably will have to head back over to a bigger bank with my business, if it's not implemented on the side of Bunq.

jvdz

Any update?

Sander

Joris no updates here Joris. bunq never discloses what they are working on. Unfortunately we just have to wait and see whether this is build or not. When it's here bunq will announce is of course. 🙂👍

J-Blue-Swan-230993014

First off, i greatly appreciate the effort to make an API available for Bunq. For me it can really add to the value of being a BUNQ customer.

Now, in my opinion authorization scoping is a must have for an API with banking powers. I just connected a simple balance reader component to the API. I was absolutely shocked to learn that the API key was pre-authorized to do absolutely anything it wants with any of my accounts.

BUNQ API documentation has plenty of mentions of the hoops that they/consumers have to go through because of legal obligations. Now please implement the laws of common sense as well. Thanks!

Obviously i'm ending my API experiment right now as these shortcomings put my accounts at grave unnecessary risk.

PS: it looks like my use case, which is displaying the balance of a joint groceries account, isn't supported anyway. Only personal accounts seem to be listed.

New-Mango-Armadillo-1615839181

I've just began a 30 day Bunq trial, because of the API feature. I want to create a budgeting app to get insights in my spendings (yes, I know, Bunq provides this feature, but I have my own opinions and ideas about it). Bunq seemed to be the way to go if you don't want to rely on 3rd party PSD2 providers like Nodigen. But man, the implementation is shocking. No scoping on a banking API?! No way of limiting which accounts are exposed? No, thank you! I want my app to only be able to list transactions from a specific account, not perform payments or whatever else the API is capable of. It's hard enough to keep servers secure these days. I'm not going to have a file sit on the filesystem that allows anyone who gains access to it to drain my bank account. An IP whitelist does offer some protection, but by far not enough.

No Bunq account for me. I will be deleting my account before the end of the trial.

Jakob-Y

While the original request here is something definitely still needed in my opinion for certain apps, for anyone stumbling upon this thread after 6 years now please make sure you take a look at the OAuth implementation that has been added in the meantime. It offers read-only access that is restricted to only sub-accounts of your choice. This earlier request by Leon for example has been more or less possible since 2018 by just using OAuth:

I want my app to only be able to list transactions from a specific account, not perform payments or whatever else the API is capable of. It's hard enough to keep servers secure these days. I'm not going to have a file sit on the filesystem that allows anyone who gains access to it to drain my bank account.

That being said, if you want read/write-access, as in sending payments without the user having to manually accept them, or if you want to order new card automatically etc., then there's no alternative to the API key. And there it would be very nice to be able to set some additional limits like max. transfer amount per day or max. card orders per month etc.

arner

+1, we need this

New-Raspberry-Ewe-798223292

Jakob Kan je de OAuth flow ook gebruiken voor persoonlijk gebruik en zonder psd2 licentie?

Gaston-Yellow-Turtle

Need to be able to limit API access to specific sub accounts. The current God mode is nice for developers, but a potential drama in serious production applications.

thijsoost

Marnix Je kunt voor vragen over de API het beste contact opnemen met apipartner@bunq.com!