The new Wildcard API Key

Dada

Hey everyone!

I noticed recurring topics about how API keys with a static IP were limiting the possibility to start developing as well as the testing of applications.

So we decided to tackle this problem and come out with a solution for you! 💪 Today's update includes a new feature called Wildcard API Key that offers the possibility to get a special API key that accepts any IP. The new feature comes included with bunq Premium.

That being said, this post is not just about announcing the feature but rather also about our reasoning behind it and the attached risks.

APIs are the brick and mortar of today’s connected society, thanks to them tons of services can communicate and interact with each other. But as one of the first European banks with a public API we have a responsibility to make it safe, as well as easy to use.

That's why the other API keys are bound to a singular IP address: it gives it an extra layer of security. The Wildcard API Keys are less safe. If someone gets their hands on your key they will have full access to your account. Which is something we want to prevent at all costs.

We want to protect our users but at the same time give a better use of our API. It is for this reason the new Wildcard API Key comes with a clear warning.

I would be very happy to hear your feedback on this matter. Thank you all! 🌈

Davide

Rein

The bunq 4.0.2 (iPhone) is a small but excellent update. And as always: safety first!

Bastiaan

The API documentation is not updated?

https://doc.bunq.com/api/1/call/device-server/method/post

Dada

Yes Bastiaan, we're working very hard on revamp the whole documentation for our API. Do you have any other feedback on it?

Lars-Indigo-Unicorn

A legend for the special bunq API terms would be great, eg what is a Tab? How does it work?

Delano

Seems like bunq more users can request an API key again, yay! Is this the bound-to-one-ip key or will this also allow a wildcard?

If not, and I've used one IP, will I be able to change it? Currently messing around at home, but my IP might change from time to time.

Job-Grey-Hummingbird

Thumbs up, so very Bunq: really doing something with user feedback and suggestions!

Koen-Orange-Swan

Dada

Interesting! bunq dictionary, will keep it mind!

wesselt

This makes sense! The old method required a static IPv4 address, which is basically server only. My home connection changed IP now and then.

It's just an accident that I logged in to the forum with this post on top. Is there somewhere reliable where you can follow the latest API news?

Bastiaan

I'm missing a API release notes (technical) page on doc.bunq.com. And i think some new endpoints are not documented yet?

Dada

For now Together is going to be a place for announcements as we've been doing, also for API related features :)

What would you consider more useful?

Dada

Hi Délano! The wildcard feature is part of premium so as a bunq more user you can only have a single IP linked to the API key. Once assigned the IP cannot be changed.

wesselt

@Davide: Anything that let's you come back after say 5 months, and see what changed?

An RSS feed (my RSS reader will keep track of how far I read)An announcement mailing list (can read back in mail reader or a web archive)Even a static "list of changes by date" web page

For example, I'd like to answer the question of whether the API has changed to support read-only tokens.

Delano

Oh bummer. So there would be no other way to change the IP but to cancel this API key. Wait for one month and apply for a new key and then register the device server with the correct static IP?

Xan

Thanks!

To improve the reduced security of wildcards keys I posted a request to allow scopes in this other topic:

https://together.bunq.com/topic/api-key-with-scopes

Dada

Indeed you're right, we're working on it! 💪

Dada

Thanks Xander!

Dada

Thanks Rein! Indeed we really care about your security, especially when it involves something completely new as API for banking!

Dada

Hi Wessel, thanks for your feedbacks! Currently we do not support that functionality, but you could join us in the topic opened by Xander where we're discussing it :)