wesselt They want to put their transactions into spreadsheets
wesselt they want to connect to their accountancy software
Many accountancy software packages already managed to integrate with the bunq API. 😁👍
wesselt they want to automate things with IFTTT
+1, although I would argue that people would like it in the bunq app itself, but enfin, that's a different discussion. These are definitely valid use-cases, and with the right knowledge also possible in most cases.
An SDK literally is just a wrapper around the REST endpoints, such that you don't have to do all the boilerplate stuff yourself. The "custom" cryptography stuff is just there as bunq is no toy, but a real bank. They need to ensure that only authorised people can make transfers. An API key can easily leak. By exchanging certificates and signing requests, bunq is able to identify who's sending the requests, which is pretty crucial for a bank that needs to check whether someone is allowed to make a transfer. As far as I know it's still bunq who's liable in case they allow a transaction to take place because their security was not up to par. Alternatively they implemented OAuth, which is a very common standard, but in the end, bunq needs to uphold a certain level of security. The way they do it is pretty common practice: exchange keys, and then start logging in/setting up a session. Then with that session and a secured connection you can do whatever you want. Now this is also where the SDKs come into play, as they take care of all that for you. The X-Bunq-Request-Id (or whatever the name was) is there to protect you as well; it prevents replay attacks, as bunq will see that the RequestId has already been used, and changing the ID is not possible as that would require a different signature, which can only be generated when you have access to the private key belonging to the exchanged public key. (long sentence, sorry)
wesselt The first sign of a good API is a curl example on the first page.
This I reaaaaally disagree with. But we seem to have a different mindset on this topic anyway, so let's agree to disagree on that one. 😉 In case you consider a cURL command on the first page of the docs a measure of API quality (we were talking about the SDK though...), then check out https://github.com/bunq/postman. When you load the (basic) API specification in Postman you can hit a small "Code" button, which will generate the code you need to make that particular request. From there you can also select cURL to have some cURL examples on using the API. 🙂 (it's not on the front page, but at least you have the cURL examples) 😁
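
The request signing and request-ID replay check described in the post above, as an added example that is not part of the original post and not bunq's own code. The Ed25519 key type, the canonical string layout, the function names and the `/payment` path are all assumptions made for illustration.

```javascript
// Added illustration, not bunq's API: key type, canonical form and names are assumptions.
const crypto = require('crypto');

// Bytes covered by the signature. The request ID is part of what is signed,
// so it cannot be swapped without producing a new signature.
function canonical(req) {
  return Buffer.from(`${req.requestId}\n${req.method} ${req.path}\n${req.body}`);
}

// Client side: sign with the private key whose public half was exchanged at setup.
function signRequest(req, privateKey) {
  const signature = crypto.sign(null, canonical(req), privateKey).toString('base64');
  return { ...req, signature };
}

// Server side: check the signature first, then refuse any request ID already seen.
function makeVerifier(publicKey) {
  const seen = new Set(); // a real service would use a shared store with expiry
  return function verify(req) {
    const sig = Buffer.from(req.signature || '', 'base64');
    if (!crypto.verify(null, canonical(req), publicKey, sig)) return 'rejected: bad signature';
    if (seen.has(req.requestId)) return 'rejected: replayed request id';
    seen.add(req.requestId);
    return 'accepted';
  };
}

// Constructed sample request, sent once, replayed, then resent with a fresh ID
// but the old signature.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const verify = makeVerifier(publicKey);
  const signed = signRequest(
    { requestId: crypto.randomUUID(), method: 'POST', path: '/payment', body: '{"amount":"10.00"}' },
    privateKey
  );
  const first = verify(signed);
  const replay = verify(signed);
  const reIded = verify({ ...signed, requestId: crypto.randomUUID() });
  return { first, replay, reIded };
}

console.log(demo());
```

A leaked API key alone fails the signature check here, and a captured request fails the second time because its ID is already recorded.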