
General information

SEB's Developer portal is an open API platform that lets you easily access financial solutions and seamlessly implement them in your apps. The APIs available in this portal are sandbox versions, and the documentation covers general principles, workflows as well as API functional and technical details. The portal also allows developers to experiment and build applications that will use the APIs before applying for production status. In this starter guide you may find useful information for the APIs found in the developer portal. Request and response attributes, their descriptions and examples for specific API endpoints, are provided under API Products.

All of SEB's APIs are implemented using the RESTful architectural style. For all requests and responses, only JSON format can be used.

API Products

Under the API Products tab in the menu above you will find our API catalogue, which shows all the APIs available in this portal, with both an overview and technical documentation. Currently our APIs focus on Sweden, but we will add more geographies going forward.

Sandbox

The Developer portal sandbox contains mock data to aid in testing the integration of our APIs in developer applications.

Dynamic test data is available for most of the APIs in the Sandbox, including testing the OAuth token flow.

Developer Portal Profile

To use SEB’s Developer Portal you must sign up for an account. SEB collects certain information for your Developer Portal Profile in order to provide access to the portal and its services. To read more about SEB’s Privacy Policy click here.

In your profile settings you can change your profile information, add a picture, or change your password.

When you have an account you will be able to create applications and test the integration of our APIs. Apps provide a Client ID and Client Secret that are used to verify the subscriptions of your app.

Production Data

To gain access to the production environment, you must have a registered account in SEB's Developer Portal. Once you are registered you can request access to the production APIs from your application page.

Please check the status of each API to see whether it is available for production access. API products stated as PSD2 are only available for PSD2 approved TPPs with a valid QWAC certificate.

We take the handling of our customers’ data very seriously. Because of this, all applications that have requested access to production data will be analyzed thoroughly by the bank.

Calling production status APIs that provide sensitive customer data always requires customer consent.

Security and Authorization

TLS

At SEB all communication is secured by TLS encryption.

OAuth 2.0

SEB uses the OAuth 2.0 protocol for authentication and authorization. The OAuth flow is a way for your application to get an access token and a refresh token. Customer consent is required for all API calls that request sensitive customer data.

The Authentication API in the Sandbox provides a simulated authentication flow for production status APIs. See documentation for our Authentication API.

Note!
The authentication flow in this portal is a simulation and may differ in production due to country specific rules and regulations.

SEB uses 3-legged authorization to delegate access to user data.

To use the Authentication API, you must first obtain an Access code, which is then used to get the Access token. These tokens ensure access only to those protected resources granted by the user.

  • The Access token is short-lived.
  • The refresh token is long-lived and can be used to get a new access token.

To read more in depth about how the OAuth 2.0 Protocol works click here.

 

Note!
API Products that require authentication flows in the Sandbox will include */identified [1-4]/* in the basepath URI when used in Production.

The Authentication API only supports the authorization code grant; additional security measures may be added later on. It is assumed that the client server will retrieve the token for the user, not the client application. Always keep your credentials safe, and never store them where they can be publicly accessed, such as in a client application.

API Overview

API documentation and Swagger files are available on the API Products page.

Currently, only PSD2 approved TPPs with a valid QWAC certificate will be granted access to production data.

We use standard HTTP methods and response codes when building our APIs. Click here to read more about which standards we use to build our APIs.

Versioning

The API version number is included in the URI:

https://api.sebgroup.com/accounts/v1/

Sign Up

The first thing you need to do is sign up, just click here.

You need to have an account to test the integration of SEB's APIs in your client.

Scopes

We use scopes to authorize access to APIs. Scope is used as part of the OAuth flow and is required as a parameter in the API call to the authorize endpoint as described in the documentation about OAuth.

 https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize 

See API documentation for which scopes are necessary for each API.

Create an Application

The next step is to configure your application (App). Apps keep track of your credentials for using our APIs. For each app you will receive a Client ID and a Client Secret.

Note!
Your Client Secret should never be available to the public. Never store your Client Secret where someone else can see it!

To create a new app, just click here.

Subscribe to an API

In order to test APIs in the Developer Portal Sandbox your application must be subscribed to an API.

You can subscribe to APIs from the API Products page or from each API's documentation. If you have more than one application, you will be able to choose which application to subscribe after clicking the subscribe button.

You can view and manage your subscription in each application under the Apps menu header.

Testing APIs

The Developer Portal gives you the option to quickly test what kind of response an API returns by using the console attached to the API documentation.

We recommend testing using Postman or a similar interface.

These things are needed to test APIs:

  • Registered App
  • Client ID
  • Client Secret
  • Access token

Click on API Products in the menu to browse our APIs and see the documentation.

Test using Postman

Postman is a great way to test and integrate SEB's APIs. If you don’t have Postman, download it here. See Postman’s documentation and tutorials for any questions about using Postman!

On our GitHub you will find Postman collections that will make it easier to test and integrate APIs in this portal. Download the collection and import it to Postman.

You can integrate the OAuth2 process in Postman to make it easier to acquire and use tokens in testing. Follow the link below to do this.

https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization

Use the following configuration:

Grant Type: Authorization Code
Callback URL: [Callback URL for your App]
Auth URL: https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize
Access Token URL: https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/token
Client ID: [Client ID for your app]
Client Secret: [Client Secret for your app]
Scope: [Required Scope, e.g. psd2_accounts]
Client Authentication: Send client credentials in body

Now you can run the collection!

PSD2 Sandbox Certificate

It is possible to test the PSD2 APIs in the Sandbox environment using MTLS. We have provided a test certificate for this process, which is located on our GitHub pages at: https://github.com/sebgroup/openbanking.
The hostname for testing is: https://tpp-api-sandbox.sebgroup.com.
The password for this certificate is: qwerty

Instructions for OAuth 2.0

The following are instructions on how to use the Authentication API as part of the sandbox. This is not required for doing simple calls using the API Console.

Step 1

Make an HTTP GET to https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize with the following query parameters:

Parameter       Value         Description
response_type   [code]        Authorization Code (required)
redirect_uri    [URL]         OAuth Redirection URL in your App (required)
scope           [App_Scope]   Scope being requested (required)
state           [State]       State is redirected back (optional)
client_id       [Client_Id]   Client ID for your App (required)

This is an example of a correctly formed authorize request:

    https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize?client_id=869bb300-f2ea-4z90-9ad5-aa33a1ab&response_type=code&scope=psd2_accounts%20psd2_payments&redirect_uri=http%3A%2F%2Fseb.se%2Ftpp%2Ftokencallback&state=1886540203615345268377437
                               
Step 2

This redirects the customer to a login page as shown below. Enter a valid Sandbox Identity Number and click Login. The Sandbox Identity Number is API specific. This can be found in the API documentation under Authentication.

Step 3

Make an HTTP POST to https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/token with the following parameters as application/x-www-form-urlencoded:

Body parameter   Value                                 Description
grant_type       [authorization_code, refresh_token]   Type of grant (required)
code             [Authorization code]                  Authorization code redirection from earlier request (required)
scope            [App_Scope]                           Scope being requested (optional)
client_id        [Client_Id]                           Client ID for your App (required)
client_secret    [Client_Secret]                       Client secret for your App (required)
redirect_uri     [URL]                                 OAuth Redirection URL in your App (required)

The example below is a PSD2 request:

curl -X POST \
  https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/token \
  -H 'Accept-Encoding: gzip, zlib, deflate, zstd, br' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'client_id=RZdfERgbjiP6oS&client_secret=gjiGHduisSi8tnfo&grant_type=authorization_code&redirect_uri=https%3A%2F%2Flocalhost%2F&code=w35x1FFNu8lR1bDi9ilngHjS7lfRn'

Response:

{
    "access_token": "OEtqqacYfnfioFdsgaswSNYf",
    "refresh_token": "UFxjCNDIruRTrn9RstryvfSDJFdugbskfopmdWSoRyz",
    "scope": "psd2_accounts psd2_payments",
    "token_type": "bearer",
    "expires_in": 3599
}

You will now have your access token (the access_token value in the response), which you can use for your API calls. Pay attention to the lifetime of the token, given by expires_in; if you are having issues you may need to retrieve a new token.

Your access token should be included in the Authorization header and look like this:

Authorization: Bearer [Token]
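
The three steps above, as they would run on the client server, in an added example that is not SEB's own code: it builds the authorize request with an unguessable state, checks the state on the callback before accepting the code, builds the token request body with the Client Secret taken from the server environment, and stops issuing the Bearer header once expires_in has run out. The function names, the SEB_CLIENT_SECRET variable name, and the callback carrying code and state as query parameters (standard OAuth 2.0 behaviour) are assumptions.

```python
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize"


def build_authorize_url(client_id, redirect_uri, scope):
    """Step 1: return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one value per login attempt
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,  # space-separated scopes; urlencode escapes the space
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTH_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Accept the authorization code only if the returned state matches the session."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request_body(code, client_id, redirect_uri, env=os.environ):
    """Step 3 form body; the secret is read from the server environment, not source."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": env["SEB_CLIENT_SECRET"],  # hypothetical variable name
        "redirect_uri": redirect_uri,
    })


def bearer_header(token_response, issued_at, now, skew=30):
    """Return the Authorization header, or None once the token is (nearly) expired.
    issued_at and now are UNIX timestamps, e.g. from time.time()."""
    if now >= issued_at + token_response["expires_in"] - skew:
        return None  # caller should retrieve a new token
    return {"Authorization": f"Bearer {token_response['access_token']}"}
```

The body returned by token_request_body is what goes in the POST to the token endpoint with Content-Type application/x-www-form-urlencoded, as in the curl request above.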