Getting started

This section describes the practical steps to get up and running in the SpareBank 1 sandbox environment.

Register your application

Registered applications are issued application credentials: an AppKey, a client ID, and a client secret.

Select a bank

SpareBank 1 is an alliance of banks. In order for the end-user to authenticate with any one of these, you need the bank's identifier.

Fetch the complete list of banks:

$ curl --header "AppKey:d29e819a-6373-4614-a155-9655020cfc7c"

where AppKey is the value issued to your application.

End-user authorization

The SpareBank 1 API uses the OAuth 2.0 protocol to authorize calls.

Authenticate and authorize the end-user

The end-user authenticates using BankID and then authorizes your application to access the SpareBank 1 API on their behalf.

Open in a browser:


  • finInst is your bank's identifier
  • client_id is the value issued to your application
  • state is any client-defined value
  • redirect_uri is where the client is redirected after authentication; it must match a pre-configured redirect URI for your application
  • response_type must be "code"

After successful authentication and authorization, the browser redirects to your site:

Extract the authentication code from the code parameter.
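
The authorization step above, as an added Python example that is not part of the SpareBank 1 documentation: it builds the browser URL with a random state and, on the redirect back, checks the redirect target and the state before returning the code. Comparing the returned state with the one stored in the user's session is standard OAuth 2.0 practice rather than something this page requires. Assumptions: AUTHORIZE_ENDPOINT is a placeholder for the authorization URL, and the function names and sample values are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder (assumption): substitute the real authorization endpoint.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/authorize"


def build_authorize_url(fin_inst, client_id, redirect_uri):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)  # unpredictable, one per login attempt
    query = urlencode({
        "finInst": fin_inst,
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def extract_code(callback_url, expected_state, redirect_uri):
    """Validate the redirect back to the site and return the code parameter."""
    parts = urlsplit(callback_url)
    registered = urlsplit(redirect_uri)
    if (parts.scheme, parts.netloc, parts.path) != (
            registered.scheme, registered.netloc, registered.path):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(parts.query)  # blank values are dropped by default
    # Reject missing or duplicated parameters instead of silently picking one.
    for name in ("code", "state"):
        if len(params.get(name, [])) != 1:
            raise ValueError(f"expected exactly one {name!r} parameter")
    # Constant-time comparison against the value stored for this session.
    if not hmac.compare_digest(params["state"][0].encode(),
                               expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    return params["code"][0]
```
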

Issue an OAuth token

Pass your application's credentials, along with the end-user's authentication code, to SpareBank 1 to be issued a bearer token. A bearer token enables you to complete actions on behalf of, and with the approval of, the end-user.

Submit a POST request with an x-www-form-urlencoded body to

Sample request body parameters









Sample response


{
  "access_token": "9VKwFeoS8QfeQEeFxD5MiOf6YlFQR0nOpLF1ZUrHRrWqp3rY7G13hy",
  "token_type": "Bearer",
  "expires_in": 15551999,
  "scope": "resource.WRITE resource.READ",
  "finInst": "fid-smn",
  "state": "3138229"
}


Extract the access_token from the response.

This OAuth token authorizes the end-user's access to API endpoints, and is valid for six months.

Invoke an API

The SpareBank 1 APIs are HTTP-based RESTful APIs, using JSON-formatted requests and response bodies.

Use the OAuth token to access any SpareBank 1 API endpoint your application has access to on behalf of the end-user. E.g. the accounts API:

$ curl --header "Authorization:Bearer 9VKwFeoS8QfeQEeFxD5MiOf6YlFQR0nOpLF1ZUrHRrWqp3rY7G13hy"