Info

1. Register your TPP application

This information is relevant for all API products.

 

Log in to this developer portal and click the “Apps” section in the menu.


Click the »Create new App« button.


Enter the »Title« of your application and, optionally, a »Description« and an »OAuth Redirect URI«. Click the »Submit« button to complete the registration of your application.


Now that you've registered your application, you can browse the APIs and subscribe to them. The Client ID and Client Secret are generated automatically.


2. Test cases 

This information is relevant for PSD2 API products only.

 

The Bankart Open Banking portal offers the mandatory PSD2 APIs with connections to Slovenian banks.

The API specification is available as a Swagger file under the »Explore our API« button.

All APIs follow the Berlin Group standard; the JSON format is supported.

APIs published on the portal are sandbox versions and return static answers.

All data in the tables below is intended for testing and has no relation to real data.

Data in tables can change at any time without prior notice.

The following banks are currently supported:

| BANK | BIC |
|---|---|
| ABANKA d.d. | ABANSI20 |
| Addiko bank d.d. | HAABSI20 |
| BKS Bank AG | BFKKSI20 |
| Delavska hranilnica d.d. | HDELSI20 |
| Deželna banka Slovenije d.d. | SZKBSI20 |
| Gorenjska bank d.d. | GORESI20 |
| LON d.d. | HLONSI20 |
| Nova KBM d.d. | KBMASI20 |
| Primorska hranilnica Vipava d.d. | HKVISI20 |
| SKB bank d.d. | SKBASI20 |
| Sparkasse d.d. | KSPKSI20 |

Payment Instrument Issuing

| API | IBAN | CURRENCY | Expected result |
|---|---|---|---|
| POST /funds-confirmations | SI56051001001033999 | EUR | "true" |
| | SI56051001001033988 | EUR | "false" |
| | SI56051001001033977 | EUR | "true" |
| | SI56051001001011977 | EUR | "false" |

Account Information Service

| API | IBAN | CURRENCY | Consent-ID | WithBalance | Account-id | TransactionId |
|---|---|---|---|---|---|---|
| GET /accounts | SI56051001001033999 | EUR | 12345 | TRUE | | |
| | SI56051001001033999 | EUR | 123456 | FALSE | | |
| | SI56051001001044999 | EUR | 1234567 | TRUE | | |
| GET /accounts/{account-id} | SI56051001001033999 | EUR | | TRUE or FALSE | 8735076338630656 | |
| | SI56610000018109471 | EUR | | FALSE | 8735076338658900 | |
| GET /accounts/{account-id}/transactions | SI56051001001033999 | EUR | | FALSE | 8735076338630656 | |
| | SI56051001001044999 | EUR | | TRUE | 8735076338630333 | |
| GET /accounts/{account-id}/transactions/{transactionId} | SI56051001001033999 | EUR | | | 8735076338630656 | 2030000202303039 |
| | SI56051001001044999 | EUR | | | 8735076338630545 | 2030000202303040 |
| GET /accounts/{account-id}/balances | SI56051001001033999 | EUR | | | 8735076338630656 | |
| | SI56031101000397567 | EUR | | | 8735076338630655 | |

Payment Initiation Service API

| API | IBAN | payment-product | paymentId |
|---|---|---|---|
| POST /{payment-service}/{payment-product} | FR7612345987650123456789014 | sepa-credit-transfers | * token is mandatory |
| | SI56330000009782150 | instant-sepa-credit-transfers | * token is mandatory |
| | SI56051007003486303 | target-2-payments | * token is mandatory |
| GET /{payment-service}/{payment-product}/{paymentId} | | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 |
| | | instant-sepa-credit-transfers | b16641f9c68e4c28ac7e3290ee55g002 |
| | | target-2-payments | 8da11ec325ae407780c646041f453277 |
| GET /{payment-service}/{paymentId}/status | | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 |
| | | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e222 |
| | | instant-sepa-credit-transfers | b16641f9c68e4c28ac7e3290ee55g002 |
| | | target-2-payments | 8da11ec325ae407780c646041f453277 |
| DELETE /{payment-service}/{payment-product}/{paymentId} | | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 |
| | | sepa-credit-transfers | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e222 |
| | | instant-sepa-credit-transfers | b16641f9c68e4c28ac7e3290ee55g002 |
| | | target-2-payments | 8da11ec325ae407780c646041f453277 |

Consents Service API

| API | consentId |
|---|---|
| POST /consents | * token is mandatory |
| GET /consents/{consentId}/status | 6dd7e042-963f-4e28-9a50-334a167a44ba |
| GET /consents/{consentId} | 6dd7e042-963f-4e28-9a50-334a167a44ba |
| DELETE /consents/{consentId} | 6dd7e042-963f-4e28-9a50-334a167a44ba |

Authorisation - consent

| API | consentId | authorisationId |
|---|---|---|
| GET /consents/{consentId}/authorisations | c62790af-5c35-8877-e332-c3b844629b8c | |
| GET /consents/{consentId}/authorisations/{authorisationId} | c62790af-5c35-8877-e332-c3b844629b8c | a95a6e0f-3f07-416f-8321-72221185 |

Authorisation - payment

| API | paymentId | authorisationId / cancellationId |
|---|---|---|
| GET /{payment-service}/{payment-product}/{paymentId}/authorisations | 73bafcc1-ddc1-4c58-abcc-3b4de6e5e482 | |
| GET /{payment-service}/{payment-product}/{paymentId}/authorisations/{authorisationId} | b16641f9c68e4c28ac7e3290ee55g002 | a95a6e0f-3f07-1111 |
| GET /{payment-service}/{payment-product}/{paymentId}/cancellation-authorisations | 8da11ec325ae407780c646041f453277 | |
| POST /{payment-service}/{payment-product}/{paymentId}/cancellation-authorisations | 8da11ec325ae407780c646041f453277 | |
| GET /{payment-service}/{payment-product}/{paymentId}/cancellation-authorisations/{cancellationId} | 8da11ec325ae407780c646041f453277 | 13670ed950544c9cacd498ae4fbb16ec |

 

3. Instructions for testing APIs with enabled advanced security features (OAuth2, SCA) 

This information is relevant for PSD2 API products only.

By definition certain crucial PSD2 APIs require OAuth2. These are marked accordingly in our API documentation and swagger definitions. Here are some examples:

- consent APIs (all within PSD2 Account Information product)

- payment APIs (e.g. payment initiation request) 

In addition, unless business rules define an exemption, these APIs also require a subsequent SCA (strong customer authentication) step.

3.1 OAuth2

We are using the authorization code flow. As a first step you need to open the GET /oauth2/authorize link in a browser with the URL parameters response_type, client_id, redirect_uri and scope.

Possible values for scope are: 

- for Account Information: psd2:acc+iban:SI56XXXXXXXXXXXXXXX

- for Payment Initiation: psd2:pay+iban:SI56XXXXXXXXXXXXXXX

Note that the scope used in this sandbox differs from the scope that should be used in the production environment. Check the production Swagger for the production values.

Example

.../oauth2/authorize?response_type=code&client_id=db...&redirect_uri=https://www.xyztpp.si&scope=psd2:pay+iban:SI56XXXXXXXXXXXXXXX 

Use the client_id and redirect URI of your own subscribed application. You can also trigger this redirect by selecting the "Authorize" button in the documentation of the protected API. When the authorization page opens, enter any username and password combination and select "Allow Access" on the second page. This sends you to the redirect URI with a newly generated access code as a URL parameter. Extract this code from the URL in order to get the token.

To exchange the access code for the token you need a tool that can make a simple POST request, for example curl. Pass grant_type, client_id and code as x-www-form-urlencoded data. Here is an example:

curl -d "grant_type=authorization_code&client_id=dbe...&code=AAL7lhdq6k..." -H "Content-Type: application/x-www-form-urlencoded" -H "accept:application/json" -X POST https://api.bankart.si/psd2/hub/sandbox/oauth2/token

This returns a JSON object with the token, which you can then use to call the OAuth2-protected APIs (insert the token value prefixed with "Bearer " in the "authorization" header field), or simply paste it into the "Access token" field in the developer portal and call the API that way. For details (URLs, parameters etc.) please also see the published Swagger documents.
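The steps above, sketched in Python as an added example (not Bankart's code). The base URL is passed in because the page elides the prefix of the authorize URL; the `error` redirect parameter and the `access_token` field are assumed from standard OAuth2 (RFC 6749), and the client ID and code values are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

def authorize_url(base_url, client_id, redirect_uri, scope):
    """Step 1: the GET /oauth2/authorize URL to open in a browser."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope},
                      safe=":+/")  # keep ':', '+' and '/' literal, as in the page's example
    return f"{base_url}/oauth2/authorize?{query}"

def code_from_redirect(landed_url, redirect_uri):
    """Step 2: extract the access code from the URL the browser was sent to."""
    landed, expected = urlsplit(landed_url), urlsplit(redirect_uri)
    # Accept a code only if it arrived at the redirect URI registered for the app.
    if (landed.scheme, landed.netloc, landed.path.rstrip("/")) != \
            (expected.scheme, expected.netloc, expected.path.rstrip("/")):
        raise ValueError("redirect landed on an unexpected URI")
    params = parse_qs(landed.query)
    if "error" in params:  # RFC 6749 error response, e.g. access_denied
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]

def token_request(base_url, client_id, code):
    """Step 3: the POST from the curl example, as (url, headers, body)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "accept": "application/json"}
    body = urlencode({"grant_type": "authorization_code",
                      "client_id": client_id, "code": code})
    return f"{base_url}/oauth2/token", headers, body

def bearer_header(token_response_text):
    """Step 4: header for OAuth2-protected calls, built from the token JSON."""
    # Assumption: the token is in the standard OAuth2 "access_token" field.
    return {"authorization": "Bearer " + json.loads(token_response_text)["access_token"]}

if __name__ == "__main__":
    base = "https://sandbox.example"  # constructed placeholder base URL
    print(authorize_url(base, "constructed-client-id", "https://www.xyztpp.si",
                        "psd2:pay+iban:SI56XXXXXXXXXXXXXXX"))
    code = code_from_redirect("https://www.xyztpp.si/?code=constructed-code",
                              "https://www.xyztpp.si")
    print(token_request(base, "constructed-client-id", code))
```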

3.2 SCA (Strong Customer Authentication)

According to the PSD2 Berlin Group standard, an SCA step is required after certain sensitive API calls. We use an implicit flow with a simple redirect (not OAuth2) for this purpose. Check the API response headers for the ASPSP/PISP-SCA-Approach value and, when it is present, redirect the end user to the URL provided in the _links/scaRedirect response element. No information is returned directly from this redirect to your app, but certain crucial calls are made in the background to complete the authorization and process the payment or create a consent object. In our sandbox environment you can omit this step, but for production APIs it is critical that the client is redirected to the SCA link (when provided) if the entire API flow is to complete as intended. You can check the outcome of SCA from your application with the corresponding .../status API calls (for details, see the API documentation, i.e. the Swagger definition).
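One way to implement the check described above, as an added example that is not part of the portal's documentation. It assumes the header is named ASPSP-SCA-Approach or PISP-SCA-Approach, that the link is a Berlin Group style `{"href": ...}` object, and that the caller supplies a hypothetical allow-list of SCA hosts; the sample response is constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed spellings of the page's "ASPSP/PISP-SCA-Approach" header, lower-cased
# because HTTP header names are case-insensitive.
SCA_HEADERS = {"aspsp-sca-approach", "pisp-sca-approach"}

def sca_redirect_url(headers, body_text, allowed_hosts):
    """Return the URL to send the end user to, or None if no SCA step is signalled."""
    if not SCA_HEADERS & {name.lower() for name in headers}:
        return None
    link = json.loads(body_text).get("_links", {}).get("scaRedirect")
    # Berlin Group link objects are {"href": "..."}; a bare string is accepted too.
    href = link.get("href") if isinstance(link, dict) else link
    if not href:
        return None
    target = urlsplit(href)
    # The user authenticates on this page, so refuse anything that is not HTTPS
    # on a host the TPP expects (allowed_hosts is a hypothetical allow-list).
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        raise ValueError("refusing SCA redirect to " + href)
    return href

if __name__ == "__main__":
    # Constructed sample response, not real portal output.
    sample_headers = {"ASPSP-SCA-Approach": "REDIRECT"}
    sample_body = '{"_links": {"scaRedirect": {"href": "https://sca.bank.example/auth/123"}}}'
    print(sca_redirect_url(sample_headers, sample_body, {"sca.bank.example"}))
```

After sending the user to the returned URL, the outcome is read from the corresponding .../status call, since nothing comes back to the app from the redirect itself.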

 

4. Using Simulation plan for TPPs

We offer a simulation bank for registered TPPs. The simulation bank can be accessed by subscribing to a simulation plan (seen under the plans for each production PSD2 API).

When you subscribe, you must use a separate test application for the simulation bank. When you use the simulation plan, no real transactions are performed.

To get tokens and perform SCA, please use the link:

 

In the Simulation bank these IBANs are available:

| ACCOUNT_ID | IBAN | CURRENCY | STATUS | BIC |
|---|---|---|---|---|
| TINA123456789 | SI56340001013783836 | EUR | ENABLED | KSPKSI20 |
| A15963287 | SI56040010000055279 | EUR | ENABLED | KBMASI20 |
| B15987455 | SI56042400012560351 | EUR | ENABLED | KBMASI20 |
| D58887702 | SI56051007022999114 | EUR | DELETED | ABANSI20 |
| G56565988888 | SI56031351000931879 | EUR | ENABLED | SKBASI20 |
| E8974588800 | SI56610900000003503 | USD | ENABLED | HDELSI20 |
| F8854700D | SI56041100013431282 | EUR | ENABLED | KBMASI20 |
| H665874110 | SI56031351000931782 | USD | ENABLED | SKBASI20 |
| K8745814L588 | SI56051007012327465 | EUR | ENABLED | ABANSI20 |
| L8888745000 | SI56350010001896165 | EUR | ENABLED | BFKKSI20 |
| M856955544 | SI56340001014356330 | USD | ENABLED | KSPKSI20 |
| N444712541 | SI56340001006966191 | EUR | BLOCKED | KSPKSI20 |