This section describes the practical steps to get up and running in the SpareBank 1 sandbox environment.
Register your application
Registered applications are issued application credentials: an AppKey, a client ID, and a client secret.
Select a bank
SpareBank 1 is an alliance of banks. In order for the end-user to authenticate with any one of these, you need the bank's identifier.
Fetch the complete list of banks:
$ curl https://api.test.sparebank1.no/common/financial-institutions/banks --header "AppKey:d29e819a-6373-4614-a155-9655020cfc7c"
where AppKey is the value issued to your application.
The SpareBank 1 API uses the OAuth 2.0 protocol to authorize calls.
Authenticate and authorize the end-user
The end-user authenticates using BankID and then authorizes your application to access the SpareBank 1 API on their behalf.
Open in a browser: https://api.test.sparebank1.no/oauth/authorize?finInst=fid-smn&client_id=0f603d09-636f-4b3e-96fd-d56dc7d1a1a3&state=3138229&redirect_uri=https%3A%2F%2Fthisisyou.com&response_type=code
- finInst is your bank's identifier
- client_id is the value issued to your application
- state is any client-defined value
- redirect_uri is where the client is redirected after authentication; it must match a pre-configured redirect URI for your application
- response_type must be "code"
After successful authentication and authorization, the browser redirects to your site: https://thisisyou.com?code=zNuDsEr5EE8Tsshdy1Sjr1qv7eU13j&state=3138229
Extract the authentication code from the code parameter.
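The authorize step above, as an added example that is not part of the original SpareBank 1 documentation: it builds the authorize URL with the parameters listed, then checks the redirect before extracting the code. The function names are hypothetical, and generating `state` as a random per-session value that is verified on return is this example's choice (the usual OAuth 2.0 defence against cross-site request forgery); the page only requires that `state` be client-defined.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://api.test.sparebank1.no/oauth/authorize"  # from the page


def build_authorize_url(fin_inst, client_id, redirect_uri):
    """Return (url, state). Keep state in the end-user's server-side session."""
    state = secrets.token_urlsafe(32)  # unpredictable, one per authorization attempt
    query = urlencode({
        "finInst": fin_inst,
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"{AUTHORIZE_URL}?{query}", state


def _origin_and_path(url):
    # Treat "https://host" and "https://host/" as the same location.
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path or "/"


def extract_code(callback_url, expected_state, redirect_uri):
    """Validate the redirect and return the authentication code, or raise ValueError."""
    if _origin_and_path(callback_url) != _origin_and_path(redirect_uri):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(urlsplit(callback_url).query)
    states = params.get("state", [])
    codes = params.get("code", [])
    # Exactly one of each: duplicated parameters are rejected rather than guessed at.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("expected exactly one state and one code parameter")
    # Constant-time comparison against the value stored when the flow started.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    return codes[0]
```

Discard the stored state after one use so a replayed redirect is rejected.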
Issue an OAuth token
Pass your application's credentials, along with the end-user's authentication code, to SpareBank 1 to be issued a bearer token. A bearer token enables you to complete actions on behalf of, and with the approval of, the end-user.
Submit a POST request with an x-www-form-urlencoded body to https://api.sparebank1.no/oauth/token
Sample request body parameters
"scope": "resource.WRITE resource.READ",
"finInst": "fid-smn",
"state": "3138229"
Extract the access_token from the response.
This OAuth token authorizes the end-user's access to API endpoints, and is valid for six months.
Invoke an API
The SpareBank 1 APIs are HTTP-based RESTful APIs, using JSON-formatted requests and response bodies.
Use the OAuth token to access any SpareBank 1 API endpoint your application has access to on behalf of the end-user. For example, the accounts API:
$ curl https://api.test.sparebank1.no/personal/banking/accounts/all --header "Authorization:Bearer 9VKwFeoS8QfeQEeFxD5MiOf6YlFQR0nOpLF1ZUrHRrWqp3rY7G13hy"