We're looking into bunq for doing payouts - payments from our account. This seems to work well with the regular API key, but this key gives access to all accounts in our membership, including those used for holding funds and paying wages. This is a bit risky.

We have considered creating a separate membership for this purpose, but that seems to be impossible because of the "complex corporate structure" (i.e. not a single natural shareholder)

An alternative is to use OAuth. This feels like a bit of overkill for accessing just our personal accounts (it's not meant for 3rd parties), but fine. But from the documentation https://beta.doc.bunq.com/basics/oauth

create Draft-Payments (the user will need to approve the payment using the bunq app);

I understand that the payouts still have to be acknowledged in the app, which will be too labour intensive at some point and defeats the purpose of automating this.

Am I correct that when using OAuth you can only do draft payments and that they need explicit, manual approval in the mobile app? (and there's no way around this without Token based auth?)