Device Registration
Last updated
Was this helpful?
Last updated
Was this helpful?
Registering a device links the API key to a specific phone, computer, or server. This prevents stolen or exposed keys from being used on untrusted devices.
By using POST /device-server, bunq ensures that only pre-approved machines can make API calls. This approach is crucial in banking, where unauthorized access could lead to financial fraud. Unlike simple API keys, this extra layer significantly reduces attack surfaces by restricting access to known, registered devices.
Ensure you have a bunq API Key. You can generate one from the bunq APP if you haven't already.
When you use a standard API Key, the DeviceServer and Installation are linked to the IP address where they were created. You won’t be able to add new IP addresses later.
Using a Wildcard API Key gives you the freedom to make API calls from any IP address after the POST device-server. You can switch to a Wildcard API Key by tapping on “Allow All IP Addresses” in your API Key menu inside the bunq app. You can also programatically switch to a Wildcard API Key by passing your current ip and a * (asterisk) in the permitted_ips field of the device-server POST call.
Payload example:
Pass the installation_token received in the last step as value for the header X-Bunq-Client-Authentication to authenticate yourself in this endpoint.
With the installation_token in hands, we are able to authenticate ourselves and register our device for future endpoint calls.
Create a new DeviceServer providing the installation token in the header and signing the request with the private part of the key you used to create the installation. The API Key that you are using will be bound to the IP address of the DeviceServer which you have created.Using a Wildcard API Key gives you the freedom to make API calls even if the IP address has changed after the POST device-server.Find out more at this link https:/bunq.com/en/apikey-dynamic-ip.
The standard HTTP Cache-Control header is required for all signed requests.
The User-Agent header field should contain information about the user agent originating the request. There are no restrictions on the value of this header.
The X-Bunq-Language header must contain a preferred language indication. The value of this header is formatted as a ISO 639-1 language code plus a ISO 3166-1 alpha-2 country code, separated by an underscore. Currently only the languages en_US and nl_NL are supported. Anything else will default to en_US.
The X-Bunq-Region header must contain the region (country) of the client device. The value of this header is formatted as a ISO 639-1 language code plus a ISO 3166-1 alpha-2 country code, separated by an underscore.
This header must specify an ID with each request that is unique for the logged in user. There are no restrictions for the format of this ID. However, the server will respond with an error when the same ID is used again on the same DeviceServer.
This header must specify the geolocation of the device. The format of this value is longitude latitude altitude radius country. The country is expected to be formatted of an ISO 3166-1 alpha-2 country code. When no geolocation is available or known the header must still be included but can be zero valued.
The authentication token is used to authenticate the source of the API call. It is required by all API calls except for POST /v1/installation. It is important to note that the device and session calls are using the token from the response of the installation call, while all the other calls use the token from the response of the session-server call
The description of the DeviceServer. This is only for your own reference when reading the DeviceServer again.
The API key. You can request an API key in the bunq app.
An array of IPs (v4 or v6) this DeviceServer will be able to do calls from. These will be linked to the API key.