Appearance

v2.0

BANKSapi API Reference

Download OpenAPI Document

Servers

https://banksapi.io

Get Users

GET
/auth/mgmt/v1/tenants/{tenant-name}/users

Get all activated users. Requires an admin client - contact BANKSapi for access.

Authorizations

httpBearer
Type
HTTP (bearer)

Parameters

Path Parameters

tenant-name*

Tenant name plays a role in using the API. The tenant name is a URL component in the management API.

Type
string
Required
Example"demo"

Query Parameters

includeInactive

Whether or not to also include inactive users

Type
boolean
Exampletrue
Default
false

Responses

Returns an array of User

application/json
JSON
[
{
"userReference": "1c5b33f6-9c4d-11e6-ba80-480fcfb9550f",
"username": "demo-user"
}
]

Playground

Authorization
Variables
Key
Value

Samples

Encrypt

Operations

PUT/encrypt

Encrypt plaintexts

PUT
/encrypt

Encrypt a given plaintext for the tenant identified by the given bearer token.

Authorizations

httpBearer
Type
HTTP (bearer)

Request Body

application/octet-stream+base64
JSON
"aGCZBgX ... 8Fi7xMQ="

Responses

Ciphertext (encrypted plaintext) encoded in Base64

application/octet-stream+base64
JSON
"aGCZBgX ... 8Fi7xMQ="

Playground

Authorization
Body

Samples

Get Providers

GET
/providers/v2

Retrieve a list of and information for all providers.

Authorizations

httpBearer
Type
HTTP (bearer)

Responses

Returns an array of providers.

application/json
JSON
[
{
"id": "00000000-0000-0000-0000-000000000000",
"name": "Demo Provider",
"consumerRelevant": true,
"group": "demo",
"blz": "12345678",
"bic": "DEMO1234",
"relations": [
{
"rel": "self",
"href": "https://banksapi.io/providers/v2/00000000-0000-0000-0000-000000000000"
},
{
"rel": "logo",
"href": "https://banksapi.io/providers/v2/demo.svg"
}
],
"capabilities": [
"KONTEN",
"KARTEN",
"DEPOTS"
],
"channels": [
[
"GIROKONTO"
],
[
"KREDITKARTE",
"TAGESGELDKONTO"
]
],
"authenticationInfo": {
"loginHint": "Der Demo Provider bietet den Zugang demo/demo",
"fields": [
{
"fieldkey": "userid",
"label": "Demo-User",
"secret": false,
"hint": "demo",
"format": "^.{1,50}$"
},
{
"fieldkey": "pin",
"label": "Demo-Passwort",
"secret": true,
"hint": "demo",
"format": "^.{1,50}$"
}
]
}
}
]

Playground

Authorization

Samples

Customer

Operations

GET/customer/v2DELETE/customer/v2

Get Customer

GET
/customer/v2

Retrieves the customer object for the authenticated user. It is also the entry point to the deeper functions of the interface.

Authorizations

httpBearer
Type
HTTP (bearer)

Responses

Returns customer object of the user.

application/json
JSON
{
"bankzugaenge": {
"4000fda7-18af-463f-b694-bbafe5d23a48": {
"messages": [
{
"level": "INFO",
"code": "BA3010",
"message": "SCA benötigt",
"details": "Bitte wählen Sie eine SCA-Methode aus"
}
],
"sicherheitsverfahren": [
{
"kodierung": 980,
"name": "mTAN",
"hinweis": "mTAN"
},
{
"name": "SMS_OTP",
"kodierung": "942",
"hinweis": "SMS OTP"
}
],
"relations": [
{
"rel": "startSCA",
"href": "https://banksapi.io/v2/customer/consent/1345340218050910215PSDDE-BAFIN-152070CO4960JJ"
}
]
}
},
"relations": [
{
"rel": "self",
"href": "https://banksapi.io/customer/v2"
},
{
"rel": "get_bankzugaenge",
"href": "https://banksapi.io/customer/v2/bankzugaenge"
},
{
"rel": "add_bankzugaenge",
"href": "https://banksapi.io/customer/v2/bankzugaenge"
},
{
"rel": "delete_bankzugaenge",
"href": "https://banksapi.io/customer/v2/bankzugaenge"
}
]
}

Playground

Authorization

Samples

Get Bank Accesses

GET
/customer/v2/bankzugaenge

Retrieves all bank accesses for this user.

Authorizations

httpBearer
Type
HTTP (bearer)

Responses

The success response contains an collection of bank accesses.

application/json
JSON
{
"0b7f4783-4c93-4820-8e73-354a0f1c469e": {
"id": "0b7f4783-4c93-4820-8e73-354a0f1c469e",
"providerId": "00000000-0000-0000-0000-000000000000",
"aktualisierungszeitpunkt": "2025-10-15 09:13:44",
"tanMedien": [
{
"name": "Mobil",
"medienklasse": "MOBIL",
"gueltigVon": "2025-10-15 09:13:44",
"gueltigBis": "2025-10-15 09:13:44"
}
],
"sicherheitsverfahren": [
{
"kodierung": 1,
"name": "mockTAN",
"hinweis": "Gib eine durch 2 teilbare Zahl ein"
},
{
"kodierung": 999,
"name": "iTAN",
"hinweis": "Gib die TAN "12" an."
}
],
"aktivesSicherheitsverfahren": {
"kodierung": 999,
"name": "iTAN",
"hinweis": "Gib die TAN "12" an."
},
"relations": [
{
"rel": "self",
"href": "https://banksapi.io/customer/v2/bankzugaenge/0b7f4783-4c93-4820-8e73-354a0f1c469e"
},
{
"rel": "delete_bankzugang",
"href": "https://banksapi.io/customer/v2/bankzugaenge/0b7f4783-4c93-4820-8e73-354a0f1c469e"
}
],
"status": "VOLLSTAENDIG",
"bankprodukte": [
{
"id": "DE00123456789012345679",
"status": "VOLLSTAENDIG",
"bezeichnung": "Tagesgeldkonto",
"kategorie": "TAGESGELDKONTO",
"saldo": 27365.56,
"aktualisierungszeitpunkt": "2025-10-15 09:13:44",
"saldoDatum": "2025-10-15 00:00:00",
"waehrung": "EUR",
"kontonummer": "9012345679",
"iban": "DE00123456789012345679",
"bic": "XXX12345678",
"blz": "12345678",
"kreditinstitut": "Demo Provider",
"inhaber": "Fritz Testmüller",
"transferSupport": true,
"relations": [
{
"rel": "get_kontoumsaetze",
"href": "https://banksapi.io/customer/v2/bankzugaenge/0b7f4783-4c93-4820-8e73-354a0f1c469e/DE00123456789012345679/kontoumsaetze"
},
{
"rel": "initiate_single_transfer",
"href": "https://banksapi.io/customer/v2/payment/single-transfer"
},
{
"rel": "initiate_bulk_transfer",
"href": "https://banksapi.io/customer/v2/payment/bulk-transfer"
}
],
"messages": [
],
"verfuegungsrahmen": 27365.56,
"verfuegterBetrag": 0
}
],
"sync": true
},
"4000fda7-18af-463f-b694-bbafe5d23a48": {
"status": "VOLLSTAENDIG",
"tanMedien": [
{
"gueltigVon": "2025-06-03 17:17:41",
"gueltigBis": "2025-06-03 17:17:41",
"name": "Mobil",
"medienklasse": "MOBIL"
}
],
"sicherheitsverfahren": [
{
"kodierung": 2,
"name": "mTAN",
"hinweis": "mTAN"
},
{
"kodierung": 1,
"name": "Mock-TAN",
"hinweis": "Mock-TAN"
}
],
"aktivesSicherheitsverfahren": {
"kodierung": 1,
"name": "Mock-TAN",
"hinweis": "Mock-TAN"
},
"aktualisierungszeitpunkt": "2025-06-10 17:17:40",
"timeout": "2025-12-24 13:37:42",
"messages": [
],
"bankprodukte": [
],
"relations": [
],
"sync": false
}
}

Playground

Authorization

Samples

Push transactions for the given product

POST
/customer/v2/bankzugaenge/{access-id}/{product-id}/kontoumsaetze

Pushes transactions for the given product identified by an access and a product ID

Authorizations

httpBearer
Type
HTTP (bearer)

Parameters

Path Parameters

access-id*

ID of the bank access

Type
string
Required
Example"d23710a9-8e4b-4595-b01c-dad9499c9fdb"
Format
"uuid"
product-id*

ID of a banking product

Type
string
Required
Example"DE00123456789012345678"

Request Body

application/json
JSON
[
{
"betrag": -70,
"verwendungszweck": "EC 68096654 140215204106OC3 Ref. 5CC15048A1824480/89280",
"buchungsdatum": "2025-11-17 00:00:00",
"wertstellungsdatum": "2025-11-15 00:00:00",
"gegenkontoInhaber": "La Sopia GmbH München",
"gegenkontoIban": "DE00123456789012345679",
"gegenkontoBic": "XXX12345678",
"primanotaNummer": "421337",
"identifier": {
"batchId": "eeToqu2V"
}
},
{
"betrag": -42.23,
"verwendungszweck": "My in-app purchase",
"buchungsdatum": "2025-11-17 00:00:00",
"wertstellungsdatum": "2025-11-17 00:00:00",
"gegenkontoInhaber": "Gaming Now",
"gegenkontoIban": "DE80123456789012345777",
"gegenkontoBic": "XXX12345678",
"identifier": {
"batchId": "eeToqu2V"
}
}
]

Responses

Created

Playground

Authorization
Variables
Key
Value
Body

Samples

Start SCA

POST
/customer/v2/bankzugaenge/{access-id}/consent

Starts the SCA renewal process

Authorizations

httpBearer
Type
HTTP (bearer)

Parameters

Header Parameters

Customer-IP-Address*

The IP address of the customer. Must be a public IP address. We recommend using IPv4, as some banks do not support IPv6.

Type
string
Required
Example"154.25.45.133"

Path Parameters

access-id*

ID of the bank access

Type
string
Required
Example"d23710a9-8e4b-4595-b01c-dad9499c9fdb"
Format
"uuid"

Query Parameters

callbackUrl

URL the end user's browser is redirected to after the out-of-band user interaction finishes. Its purpose and whether it is required depend on whether you are a regulated or a non-regulated tenant (see the Quick Start for the distinction):

  • Regulated tenants (handle credentials directly and go through Redirect SCA themselves): required. The URL is the return target of the Redirect SCA flow. After the user authenticates at the bank, the bank redirects the browser here so your application can resume.

  • Non-regulated tenants (redirect the user to the REG/Protect webform to add a bank access, renew consent, or trigger a payment): optional on this call, because there are two supported ways to supply it, and only one of them is required:

    1. As this query parameter on the API call. The value is stored in the REG/Protect session and used as a fallback.
    2. Appended (URL-encoded) as a callbackUrl query parameter on the Location URL before redirecting the user to the REG/Protect webform. This is the mechanism documented in the Quick Start and the Customer guide.

    If both are supplied, the value appended to the Location URL takes precedence. If neither is supplied, REG/Protect aborts the flow with baReentry=NO_CALLBACK_URL.

If an allow-list of permitted callback URL bases has been configured for your tenant, the value is checked against that list on every call regardless of tenant type. A mismatch on this query parameter returns HTTP 400. For non-regulated tenants, the Location-appended value is additionally re-checked by the REG/Protect frontend; a mismatch there aborts the flow with baReentry=INVALID_CALLBACK_URL.

Type
string
Example"https://demo-tenant.com/callback?state=123"
Format
"url"
queryTanSettings

Flag to ignore saved TAN-settings and query them.

Type
boolean
Example"true"
maxTransactions

Indicator if transactions older than 90 days should be fetched. Best used when first creating the bank access to avoid unnecessary SCAs during refresh operations.

Type
string
Valid values
"none""all""paymentAccounts"

Request Body

application/json
JSON
{
"815251d6-c062-4f61-bec0-182bc14a48fb": {
"providerId": "00000000-0000-0000-0000-000000000000",
"credentials": {
"userid": "mOd2uKYr+2 ... TWOPCAt5zP",
"pin": "Hhnc+aW/eM ... 7F+XRSHasW"
},
"sync": true,
"selectedBankProducts": [
"DE00123456789012345679"
]
}
}

Responses

HTTP status 201 (Created) is returned together with the HTTP header Location. Under the URL specified in the header, the added bank accesses can be queried analogously by means of an HTTP GET call.

Playground

Authorization
Headers
Variables
Key
Value
Body

Samples

Initiate a single transfer

POST
/customer/v2/bankzugaenge/{access-id}/{product-id}/payment/single-transfer

Initiates a payment for the given bank access, without providing access credentials

Authorizations

httpBearer
Type
HTTP (bearer)

Parameters

Header Parameters

Customer-IP-Address*

The IP address of the customer. Must be a public IP address. We recommend using IPv4, as some banks do not support IPv6.

Type
string
Required
Example"154.25.45.133"
Rejection-NoFunds-Preferred

If set to "true", the bank should reject the payment if there are insufficient funds. If set to "false", the bank may wait for a certain period for funds to arrive. This parameter may be ignored by the bank.

Type
boolean
Example"true"

Path Parameters

access-id*

ID of the bank access

Type
string
Required
Example"d23710a9-8e4b-4595-b01c-dad9499c9fdb"
Format
"uuid"
product-id*

ID of a banking product

Type
string
Required
Example"DE00123456789012345678"

Query Parameters

callbackUrl

URL the end user's browser is redirected to after the out-of-band user interaction finishes. Its purpose and whether it is required depend on whether you are a regulated or a non-regulated tenant (see the Quick Start for the distinction):

  • Regulated tenants (handle credentials directly and go through Redirect SCA themselves): required. The URL is the return target of the Redirect SCA flow. After the user authenticates at the bank, the bank redirects the browser here so your application can resume.

  • Non-regulated tenants (redirect the user to the REG/Protect webform to add a bank access, renew consent, or trigger a payment): optional on this call, because there are two supported ways to supply it, and only one of them is required:

    1. As this query parameter on the API call. The value is stored in the REG/Protect session and used as a fallback.
    2. Appended (URL-encoded) as a callbackUrl query parameter on the Location URL before redirecting the user to the REG/Protect webform. This is the mechanism documented in the Quick Start and the Customer guide.

    If both are supplied, the value appended to the Location URL takes precedence. If neither is supplied, REG/Protect aborts the flow with baReentry=NO_CALLBACK_URL.

If an allow-list of permitted callback URL bases has been configured for your tenant, the value is checked against that list on every call regardless of tenant type. A mismatch on this query parameter returns HTTP 400. For non-regulated tenants, the Location-appended value is additionally re-checked by the REG/Protect frontend; a mismatch there aborts the flow with baReentry=INVALID_CALLBACK_URL.

Type
string
Example"https://demo-tenant.com/callback?state=123"
Format
"url"
queryTanSettings

Flag to ignore saved TAN-settings and query them.

Type
boolean
Example"true"
editableDetails

Flag for REG/Protect to control whether fields on the frontend are editable

Type
boolean
Example"false"
autoConfirm

Flag for REG/Protect to control whether transfers can be entered without interaction. Currently only supported for EBICS.

Type
boolean
Example"false"
paymentId

Unique UUID for the payment. Required for non-REG/Protect tenants. When provided, the same ID must be used for related VOP (Verification of Payee) requests.

Type
string
Example"d308a7ae-b762-4a20-8996-7fa22aed6b73"
Format
"uuid"

Request Body

application/json
JSON
{
"instant": true,
"requestedExecutionDate": "string",
"vopId": "4f89e03f-8773-45d0-b6d5-9a047af3ada2",
"transferDetails": {
"recipient": "string",
"purpose": "string",
"iban": "string",
"bic": "string",
"currency": "string",
"amount": 0,
"endToEndId": "string",
"purposeCode": "SALA, DIVD, PENS, LOAN, ...",
"ultimateDebtor": "string",
"ultimateCreditor": "string"
}
}

Responses

Returns object with the transfer status

application/json
JSON
{
"messages": [
{
"level": "INFO",
"code": "BA3010",
"message": "SCA Methode auswählen",
"details": "Bitte wählen Sie eine SCA-Methode aus"
}
],
"scaMethods": [
{
"code": 2,
"name": "mTAN",
"hint": "mTAN"
},
{
"code": 1,
"name": "Mock-TAN",
"hint": "Mock-TAN"
}
],
"relations": [
{
"rel": "self",
"href": "https://banksapi.io/customer/v2/payment/single-transfer/3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
},
{
"rel": "set_method",
"href": "https://banksapi.io/customer/v2/consent/3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
}
],
"transfer": {
"provider": "ca650b48-3edc-45f4-938d-d21df8cba761",
"product": "DE89370400440532013000",
"paymentId": "5208b5cb-2f88-4bba-87a5-c5e0356c460c",
"ebics": false,
"instant": false,
"requestedExecutionDate": "2024-09-19",
"transferDetails": {
"recipient": "netzpolitik.org e. V.",
"purpose": "Spende netzpolitik.de",
"iban": "DE62430609671149278400",
"bic": "GENODEM1GLS",
"currency": "EUR",
"amount": 1337.42,
"endToEndId": "be7649876d5f439886fa816993ac9f9f"
}
}
}

Playground

Authorization
Headers
Variables
Key
Value
Body

Samples

Initiate Single Transfer

POST
/customer/v2/payment/single-transfer

Initiates a single transfer (e.g. a SEPA transfer).

Authorizations

httpBearer
Type
HTTP (bearer)

Parameters

Header Parameters

Customer-IP-Address*

The IP address of the customer. Must be a public IP address. We recommend using IPv4, as some banks do not support IPv6.

Type
string
Required
Example"154.25.45.133"
Rejection-NoFunds-Preferred

If set to "true", the bank should reject the payment if there are insufficient funds. If set to "false", the bank may wait for a certain period for funds to arrive. This parameter may be ignored by the bank.

Type
boolean
Example"true"

Query Parameters

callbackUrl

URL the end user's browser is redirected to after the out-of-band user interaction finishes. Its purpose and whether it is required depend on whether you are a regulated or a non-regulated tenant (see the Quick Start for the distinction):

  • Regulated tenants (handle credentials directly and go through Redirect SCA themselves): required. The URL is the return target of the Redirect SCA flow. After the user authenticates at the bank, the bank redirects the browser here so your application can resume.

  • Non-regulated tenants (redirect the user to the REG/Protect webform to add a bank access, renew consent, or trigger a payment): optional on this call, because there are two supported ways to supply it, and only one of them is required:

    1. As this query parameter on the API call. The value is stored in the REG/Protect session and used as a fallback.
    2. Appended (URL-encoded) as a callbackUrl query parameter on the Location URL before redirecting the user to the REG/Protect webform. This is the mechanism documented in the Quick Start and the Customer guide.

    If both are supplied, the value appended to the Location URL takes precedence. If neither is supplied, REG/Protect aborts the flow with baReentry=NO_CALLBACK_URL.

If an allow-list of permitted callback URL bases has been configured for your tenant, the value is checked against that list on every call regardless of tenant type. A mismatch on this query parameter returns HTTP 400. For non-regulated tenants, the Location-appended value is additionally re-checked by the REG/Protect frontend; a mismatch there aborts the flow with baReentry=INVALID_CALLBACK_URL.

Type
string
Example"https://demo-tenant.com/callback?state=123"
Format
"url"
queryTanSettings

Flag to ignore saved TAN-settings and query them.

Type
boolean
Example"true"
editableDetails

Flag for REG/Protect to control whether fields on the frontend are editable

Type
boolean
Example"false"
paymentId

Unique UUID for the payment. Required for non-REG/Protect tenants. When provided, the same ID must be used for related VOP (Verification of Payee) requests.

Type
string
Example"d308a7ae-b762-4a20-8996-7fa22aed6b73"
Format
"uuid"

Request Body

application/json
JSON
{
"provider": "ca650b48-3edc-45f4-938d-d21df8cba761",
"credentials": {
"userid": "mXlkGe+ukAEs+2iH ... D/MOfGsd8HY=",
"pin": "XO2jgZ ... 5GfhKpZmw="
},
"product": "DE89370400440532013000",
"instant": false,
"requestedExecutionDate": "2024-09-19",
"transferDetails": {
"recipient": "netzpolitik.org e. V.",
"purpose": "Spende netzpolitik.de",
"iban": "DE62430609671149278400",
"bic": "GENODEM1GLS",
"currency": "EUR",
"amount": 1337.42,
"endToEndId": "be7649876d5f439886fa816993ac9f9f"
}
}

Responses

Returns object with the transfer status

application/json
JSON
{
"messages": [
{
"level": "INFO",
"code": "BA3010",
"message": "SCA Methode auswählen",
"details": "Bitte wählen Sie eine SCA-Methode aus"
}
],
"scaMethods": [
{
"code": 2,
"name": "mTAN",
"hint": "mTAN"
},
{
"code": 1,
"name": "Mock-TAN",
"hint": "Mock-TAN"
}
],
"relations": [
{
"rel": "self",
"href": "https://banksapi.io/customer/v2/payment/single-transfer/3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
},
{
"rel": "set_method",
"href": "https://banksapi.io/customer/v2/consent/3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
}
],
"transfer": {
"provider": "ca650b48-3edc-45f4-938d-d21df8cba761",
"product": "DE89370400440532013000",
"paymentId": "5208b5cb-2f88-4bba-87a5-c5e0356c460c",
"ebics": false,
"instant": false,
"requestedExecutionDate": "2024-09-19",
"transferDetails": {
"recipient": "netzpolitik.org e. V.",
"purpose": "Spende netzpolitik.de",
"iban": "DE62430609671149278400",
"bic": "GENODEM1GLS",
"currency": "EUR",
"amount": 1337.42,
"endToEndId": "be7649876d5f439886fa816993ac9f9f"
}
}
}

Playground

Authorization
Headers
Variables
Key
Value
Body

Samples

Get Consent

GET
/customer/v2/consent/{consent-id}

Get the current status of the consent, without polling the provider

Authorizations

httpBearer
Type
HTTP (bearer)

Parameters

Path Parameters

consent-id*

ID of the consent

Type
string
Required
Example"3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
Format
"uuid"

Responses

Returns the current status of the consent.

application/json
JSON
{
"messages": [
{
"level": "INFO",
"code": "BA3020",
"message": "SCA Medium auswählen",
"details": "Bitte wählen Sie ein SCA-Medium aus"
}
],
"scaMediums": [
{
"name": "Handy Eins",
"mediaClass": "MOBILE"
}
],
"relations": [
{
"rel": "self",
"href": "https://banksapi.io/customer/v2/consent/3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
},
{
"rel": "set_medium",
"href": "https://banksapi.io/customer/v2/consent/3e97fa51-ce7b-42a0-9101-50fd67dbc3e7"
}
]
}

Playground

Authorization
Variables
Key
Value

Samples

Delete all REG/Protect sessions

DELETE
/customer/v2/regprotect/sessions

Invalidates all REG/Protect sessions of the authenticated user.

Authorizations

httpBearer
Type
HTTP (bearer)

Responses

The HTTP status 200 returns without any further response body.

Playground

Authorization

Samples

Powered by VitePress OpenAPI