OAuth
Last updated
Was this helpful?
Last updated
Was this helpful?
Important Note If you, as a developer, intend to access data belonging to other bunq users (e.g., account information, transaction history, or initiate payments on their behalf), you must ensure that you:
✅ Fully comply with for API usage.
✅ Obtain explicit user consent as required.
⚖️ May be subject to , including registration as an AISP (Account Information Service Provider) or PISP (Payment Initiation Service Provider) with your national competent authority.
Misuse or non-compliance may lead to access being revoked or legal consequences.
OAuth 2.0 is an industry-standard protocol that allows third-party applications to securely access bunq user accounts without exposing credentials. This method enables seamless authorization while maintaining user control over permissions.
OAuth lets your app request access to a bunq user’s account. If the user grants permission, your app receives an access token, which functions similarly to an API key but with predefined scopes. Depending on your use case, you may need a PSD2 permit to access sensitive financial data or initiate payments on behalf of users.
To integrate OAuth authentication, follow these steps:
Register an OAuth Client – Create an app in bunq Developer and add at least one Redirect URL.
Get OAuth Credentials – Retrieve your client_id and client_secret from the app settings in bunq Developer.
Redirect Users to Authorize Your App – Send users to the OAuth authorization URL.
Handle the Authorization Code – If the user grants access, they are redirected to your redirect_uri with an authorization code.
Exchange the Code for an Access Token – Use the token endpoint to retrieve an access token.
Use the Access Token – Authenticate API calls with the received access token, similar to an API key.
OAuth credentials and redirect URLs can also be managed via API endpoints for automated setup.
By default, bunq OAuth grants access to: ✔ Read and create Monetary Accounts ✔ Read Payments & Transactions ✔ Create Payments within a user’s accounts ✔ Create Draft-Payments (approval required in the bunq app) ✔ Assign a Monetary Account to a Card ✔ Read, create, and manage Cards ✔ Read and create Request-Inquiries ✔ Read Request-Responses
PSD2-licensed developers have scope limitations based on their regulatory role.
Your web or mobile app must redirect users to the following authorization URL:
With the following parameters:
response_type
Set to code for authorization code grant (required)
client_id
Your OAuth Client ID from bunq Developer (required)
redirect_uri
The URL users are redirected to after authorization (must be registered) (required)
state
Unique string for request validation (optional)
For sandbox testing, use:
If the user grants access, they are redirected with an authorization code:
To obtain an access token, make a POST request to:
With the following parameters:
grant_type
Must be authorization_code (required)
code
The authorization code received (required)
redirect_uri
The same redirect URL used in the authorization request (required)
client_id
Your OAuth Client ID (required)
client_secret
Your OAuth Client Secret (required)
For sandbox testing, use:
Use the access_token for authenticated API requests.
Once you receive an access token, use it like an API key to open a session or interact with the API.
Example request using OAuth access token:
When fetching user details, you will receive a UserApiKey object, referencing both the requesting app and the user who granted access.