Developers
API ACL levels

I'm wondering if the API keys allow any kind of access control?


So, for example, a read-only API key that is only able to retrieve transactions for a set number of bank accounts associated with a bunq account.

Or, for example, only being able to retrieve the balance.


Asking this because I'm trying to orient myself towards building a transparency feature which would publish real-time payment data to a website.

Security-wise, I would think that bunq-side access control would be way preferable over my own or third-party programming skills ;)

The docs don't seem to mention anything on the authentication page, and I don't have Premium yet to start testing and verifying on my own.

    Hey there!


    At the moment, API keys give access to the entire account. You could try using it with the Connect feature where you can make it read only. 👍

      I'd call that a bit of an ugly and hacky solution ;)


      Switched the topic type from question to idea, perhaps something for the wishlist? ;)

        2 months later

        +1


        I am trying to automate things in a WordPress website, but if someone could get code execution, they could in theory transfer money out of the account.


        ACL could solve this by not allowing this API key to make payments (for example).
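The post above describes the risk of a full-access key living on a web host. Until the API itself offers scoped keys, the usual workaround is to keep the key off that host and put a default-deny allow-list proxy in front of it. The following is an added example written for this thread; it is not code from the original posts or from bunq, and the route patterns, header names and environment variable names in it are assumptions chosen for illustration, not the documented API.

```python
"""
Added example (not code from the thread or from bunq): a minimal allow-list
proxy between a WordPress site and the bank API, so the web host only holds a
low-privilege site token and never the full-access upstream key.

Assumptions (illustrative, not taken from the page or the bunq docs):
  - the upstream API is reached over HTTPS with a bearer-style header
  - the route shapes in ALLOW are placeholders for "read balance" and
    "list transactions"; adjust them to the real API you are fronting
  - UPSTREAM_BASE, UPSTREAM_API_KEY and SITE_TOKEN are supplied via environment
"""
import hmac
import os
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Read-only routes the site may call. Anything not matched is denied, so a
# payment-creating POST can never be forwarded even if WordPress is compromised.
# Patterns are anchored with $ so "/payment/.." style suffixes do not match.
ALLOW = [
    ("GET", re.compile(r"^/v1/user/\d+/monetary-account/\d+$")),          # balance (assumed path)
    ("GET", re.compile(r"^/v1/user/\d+/monetary-account/\d+/payment$")),  # transaction list (assumed path)
]


def is_allowed(method: str, path: str) -> bool:
    """Default-deny policy: only (method, path) pairs listed in ALLOW pass."""
    path = path.split("?", 1)[0]  # the query string never changes the decision
    return any(method == m and rx.match(path) for m, rx in ALLOW)


def token_ok(header, expected: str) -> bool:
    """Constant-time check of the site's low-privilege bearer token."""
    if not header or not header.startswith("Bearer ") or not expected:
        return False
    presented = header[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected.encode())


class ScopedProxy(BaseHTTPRequestHandler):
    upstream = os.environ.get("UPSTREAM_BASE", "https://api.example.invalid")
    upstream_key = os.environ.get("UPSTREAM_API_KEY", "")  # never handed to WordPress
    site_token = os.environ.get("SITE_TOKEN", "")          # the only secret WordPress holds

    def do_GET(self):
        self._handle("GET")

    def do_POST(self):
        # POST is never in ALLOW; the handler exists so the refusal is explicit (403).
        self._handle("POST")

    def _handle(self, method):
        if not token_ok(self.headers.get("Authorization"), self.site_token):
            return self._reply(401, b"bad site token")
        if not is_allowed(method, self.path):
            return self._reply(403, b"route not in allow-list")
        req = urllib.request.Request(
            self.upstream + self.path,
            method=method,
            headers={"Authorization": "Bearer " + self.upstream_key},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                self._reply(r.status, r.read(), r.headers.get("Content-Type", "application/json"))
        except urllib.error.HTTPError as e:
            self._reply(e.code, e.read())

    def _reply(self, code, body, ctype="text/plain"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; WordPress on the same box calls http://127.0.0.1:8081/...
    HTTPServer(("127.0.0.1", 8081), ScopedProxy).serve_forever()
```

The important property is the default-deny list: a compromised site can at most read what the allow-list exposes, and rotating SITE_TOKEN costs nothing because the upstream key never left the proxy host. It is still self-written access control, which is exactly the point the thread makes about preferring ACLs enforced on the bank's side.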

          This is so needed Bunq, it is literally the last thing that is keeping our company from switching over from ABN Amro to bunq. I want to be able to give my staff access to make a draft payment, which I then only have to OK. Permissions at API level should make this possible. Please put this higher on your wishlist priority, it would make life so much easier for us.

            @Koen: could you explain how the Connect feature works from a developer perspective? What API key would you use?

              Hi Wessel! If you use Connect, you use your own developer key. Just as you do when using the app, you log in with your credentials, and via the Connect you can see the MA details of the other person.

              Check out this page to learn how to set up a Connect through our API. Cheers!

                a month later

                +1

                I am also looking for a solution where you can have read-only access, ideally to only the total amount and not even individual transactions.

                It really should be the norm that when you have an API layer, you have ACLs, instead of the current situation where one API key can do anything.

                  Why wouldn't the Connect option meet your needs?

                    That should already be possible through Connect, although only via the API. You'd be able to grant someone the right to create draft payments. From the docs: "If set to true, the invited user will be able to make draft payments from the shared account.".
