Open APIs

Getting started

This section describes the practical steps to get up and running in the SpareBank 1 sandbox environment.

Register your application

Registered applications are issued application credentials: An AppKey, a client ID, and a client secret.

Select a bank

SpareBank 1 is an alliance of banks. In order for the end-user to authenticate with any one of these, you need the bank's identifier.

Fetch the complete list of banks:

$ curl https://api.test.sparebank1.no/common/financial-institutions/banks --header "AppKey:d29e819a-6373-4614-a155-9655020cfc7c"

where AppKey is the value issued to your application.

End-user authorization

The SpareBank 1 API uses the OAuth 2.0 protocol to authorize calls.

Authenticate and authorize the end-user

The end-user authenticates using BankID and the authorizes your application to access the SpareBank 1 API on its behalf.

Open in a browser: https://api.test.sparebank1.no/oauth/authorize?finInst=fid-smn&client_id=0f603d09-636f-4b3e-96fd-d56dc7d1a1a3&state=3138229&redirect_uri=https%3A%2F%2Fthisisyou.com&response_type=code

where

  • finInst is your bank's identifier
  • client_id is the value issued to your application
  • state is any client-defined value
  • redirect_uri is where the client is redirected after authentication; Must match a pre-configured redirect URI for your application
  • response_type must be "code"

After successful authentication and authorization, the browser redirects to your site: https://thisisyou.com?code=zNuDsEr5EE8Tsshdy1Sjr1qv7eU13j&state=3138229

Extract the authentication code from the code parameter.

Issue an OAuth token

Pass your application's credentials, along with the end-user's authentication code, to SpareBank 1 to be issued a bearer token. A bearer token enables you to complete actions on behalf of, and with the approval of, the end-user.

Submit a POST request with a x-www-form-urlencoded body to  https://api.sparebank1.no/oauth/token

Sample request body parameters

 

client_id:0f603d09-636f-4b3e-96fd-d56dc7d1a1a3

client_secret:89d46274-7ce2-4e0b-9048-3eded7d5c115

redirect_uri:http://thisisyou.com

grant_type:authorization_code

code:zNuDsEr5EE8Tsshdy1Sjr1qv7eU13j

state:3138229

 

Sample response

{  

"access_token": "9VKwFeoS8QfeQEeFxD5MiOf6YlFQR0nOpLF1ZUrHRrWqp3rY7G13hy",  

"token_type": "Bearer",  

"expires_in": 15551999,  

"scope": "resource.WRITE resource.READ",  

"finInst": "fid-smn",  "state": "3138229"

}

Extract the access_token from the response.

This OAuth token authorizes the end-user's access to API endpoints, and is valid for six months.

Invoke an API

The SpareBank 1 APIs are HTTP-based RESTful APIs, using JSON-formatted requests and response bodies.

Use the OAuth token to access any SpareBank 1 API endpoint your application has access to on behalf of the end-user. E.g. the accounts API:

$ curl https://api.test.sparebank1.no/personal/banking/accounts/all --header "Authorization:Bearer 9VKwFeoS8QfeQEeFxD5MiOf6YlFQR0nOpLF1ZUrHRrWqp3rY7G13hy"