
Read-only API key

David shared this idea 9 months ago
Wish

Currently I'm developing a budgeting app with a Node.js backend and a web client (which can be wrapped with PhoneGap as a "native" app). For this app I really only require read-only access to the user's bunq account, and I would feel safer if I could provide the app with just read-only permissions to the API.


I would like an option to generate an API key with either full-access or read-only permissions. It would be even better if I could generate multiple keys for different apps or services, so I can always revoke one if I stop using an app or don't trust it.

Comments (18)

24

I totally overlooked the fact that I can generate more than one key, but the other stuff is still a valid feature request ;)

26

Where can we see what you are making?

25

It's currently not in a public git repo, but I will upload a screenshot as soon as I find out how.

29

Lacking an upload feature, this is a link to the screenshot: https://photos.app.goo.gl/bPaJuYKYwCTl4QXG2

28

Hey David,


At the moment we do not have read-only API keys. If you want read-only access to someone else's account, you could do this via our Connect feature. You can read more about Connect here: https://together.bunq.com/topic/what-is-connect-and-why-should-i-use-it


One of the endpoints you could use to achieve this is: https://doc.bunq.com/api/1/call/draft-share-invite-bank/method/post


Let me know if this is something you can use 😄

24

If I were to expose this service to other users, I think this setup would be too cumbersome. With a read-only key a new user could sign in with just that key (after which a JWT token is used) and use the service directly, knowing that it could never do any payments. It's a combination of ease-of-use and safety.
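The sign-in flow sketched above (a user hands the service a key, the service issues a session token, and nothing holding that token can ever initiate a payment) can be modelled in a few dozen lines. The following is an added, constructed Python example, not code from this thread or from bunq's API: the key store, the scope names `read`/`write`, the endpoint-to-scope mapping and the HMAC-signed token format are all hypothetical, chosen to show how a per-service, revocable, read-only key would be enforced on the server side.

```python
"""Scoped API keys exchanged for a short-lived session token (constructed illustration)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # signs session tokens; per-process in this example

# Constructed in-memory key store: key id -> {"hash": sha256(secret), "scopes": frozenset}
KEY_STORE: dict = {}

# Hypothetical mapping of operations to the scope they require (deny by default for unknown ones)
REQUIRED_SCOPE = {
    ("GET", "/accounts"): "read",
    ("GET", "/payments"): "read",
    ("POST", "/payments"): "write",
    ("POST", "/draft-payments"): "write",
}


def create_api_key(scopes):
    """Mint a key of the form '<key_id>.<secret>'. Only a hash of the secret is stored,
    so a copied key store does not by itself yield usable keys. One key per service
    lets a single service be revoked without touching the others."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    KEY_STORE[key_id] = {
        "hash": hashlib.sha256(secret.encode()).hexdigest(),
        "scopes": frozenset(scopes),
    }
    return f"{key_id}.{secret}"


def revoke_api_key(api_key):
    """Drop the key; session tokens derived from it stop working immediately."""
    KEY_STORE.pop(api_key.split(".", 1)[0], None)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(api_key, ttl=900):
    """Exchange an API key for an HMAC-signed token carrying the key's scopes,
    so the long-lived key never has to travel on later requests."""
    key_id, _, secret = api_key.partition(".")
    record = KEY_STORE.get(key_id)
    if record is None:
        raise PermissionError("unknown or revoked key")
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(record["hash"], presented):
        raise PermissionError("bad secret")
    claims = {"kid": key_id, "scopes": sorted(record["scopes"]), "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def authorize(token, method, path):
    """Verify the token and require the scope the operation needs.
    Returns the token's scopes on success, raises PermissionError otherwise."""
    payload, _, sig = token.partition(".")
    expected = _b64(hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    if claims["kid"] not in KEY_STORE:
        raise PermissionError("key revoked")  # revocation wins even before expiry
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None or needed not in claims["scopes"]:
        raise PermissionError(f"{method} {path} requires scope {needed!r}")
    return claims["scopes"]


def can(token, method, path) -> bool:
    """Boolean wrapper around authorize() for callers that only need yes/no."""
    try:
        authorize(token, method, path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    read_only = create_api_key({"read"})
    session = issue_session_token(read_only)
    print("GET /payments  ->", can(session, "GET", "/payments"))   # True
    print("POST /payments ->", can(session, "POST", "/payments"))  # False
```

The point of the split is that the thing stored on the desktop, phone or server only ever carries the `read` scope, so a stolen copy cannot be turned into a payment; and because authorization consults the key store on every call, revoking one service's key in the issuer cuts it off without affecting any other key the user has issued.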

28

Do you mind telling me why you think this setup would be too cumbersome?


You provide the user with a Connect link/QR code; the user presses this link/scans the QR code and gives you read-only access to one of his/her accounts via the prompt in the bunq app. 🤔


This way only one API key is needed, which is only yours.


I'm just curious here and would like more details on your point of view. 😄👍

24

But Connect means the bank account will be added to your account as well, right? I wouldn't want to have access to all the bank accounts of the users; imagine 1000 accounts in your list...

29

Like casdr says, I don't want to Connect to possibly thousands of accounts. I could solve this by creating a (free) bunq account just for this purpose, but it still feels like a workaround.


Let's compare this with other connected services like torrent clients: those provide you with both a read-only and a full-access key, exactly for this purpose.

23

Kevin, David is right. If you want to offer a service you really don't want the user to have to accept a Connect to my personal account. I don't want that either! The user should be able to provide a read-only API key (which of course should be free for premium users) that allows services to read payments and just that. Better yet, a read-only API key per service so you can "kill" a service at any time.

32

Same here, waiting for read-only keys before I can use the API. It's not reasonable to have an API key that can plunder your bank account sitting on a computer, laptop or server.

26

I would love read-only API keys too, because it's just more secure to have a read-only key for your desktop banking app. Would be great if you could implement this :)

29

Would really like to use the BunqDesktop app, but the thought of giving it full access to all my funds scares me a bit.

22

Yes, let's put this on the wish list. As a bunq More user, I currently cannot use and test the community bunq desktop app that's on GitHub, as it needs an API key to work, which is only available to Premium and Business. So wouldn't it be better that every bunq account gets at least one API key specifically for this purpose which is read-only?

35

Would love that too. Although I create bunq Connect invites with just read access, I feel like the option for (draft) payments should be completely excluded by using read-only API keys.

22

I am a bit scared to try the apps of other developers now, because if they want to steal my money, they can do so easily. So it would be smart to be able to create an API key that is read-only, or an API key with custom permissions, or even an API key that cannot transfer more than specified in the bunq app (per IBAN or per API key).

13

+1 I would very much like to request this feature. Also @David, looks like a great project! How far along are you? :D

16

Again, I believe these are all valid arguments to make the (to me logical) switch to OAuth2: https://together.bunq.com/topic/api-why-not-oauth2