Card-Based Payment Instrument Issuer (CBPII)
Last updated
Was this helpful?
Last updated
Was this helpful?
Heya! Before checking this page, make sure that you in our API first.
As a CBPII, you are allowed to authenticate in a user’s account to validate the availability of funds for the payment in question.
Collect an alias for the bunq user's account (their name and IBAN, email address, or phone number).
Check the availability of funds via POST /user/{userID}/confirmation-of-funds passing the following information:
your userId;
the amount of money needed for the payment;
the name of the bunq user and the IBAN of the account (email address or phone number pointing at the user are also possible).
Here is the full specs of the endpoint:
Used to confirm availability of funds on an account.
The standard HTTP Cache-Control header is required for all signed requests.
The User-Agent header field should contain information about the user agent originating the request. There are no restrictions on the value of this header.
The X-Bunq-Language header must contain a preferred language indication. The value of this header is formatted as a ISO 639-1 language code plus a ISO 3166-1 alpha-2 country code, separated by an underscore. Currently only the languages en_US and nl_NL are supported. Anything else will default to en_US.
The X-Bunq-Region header must contain the region (country) of the client device. The value of this header is formatted as a ISO 639-1 language code plus a ISO 3166-1 alpha-2 country code, separated by an underscore.
This header must specify an ID with each request that is unique for the logged in user. There are no restrictions for the format of this ID. However, the server will respond with an error when the same ID is used again on the same DeviceServer.
This header must specify the geolocation of the device. The format of this value is longitude latitude altitude radius country. The country is expected to be formatted of an ISO 3166-1 alpha-2 country code. When no geolocation is available or known the header must still be included but can be zero valued.
The authentication token is used to authenticate the source of the API call. It is required by all API calls except for POST /v1/installation. It is important to note that the device and session calls are using the token from the response of the installation call, while all the other calls use the token from the response of the session-server call