Getting Started

SEB's Developer portal is an open API platform that lets you easily access financial solutions and seamlessly implement them in your apps. The APIs available in this portal are sandbox versions, and the documentation covers general principles, workflows as well as API functional and technical details. The portal also allows developers to experiment and build applications that will use the APIs before applying for production status. In this starter guide you may find useful information for the APIs found in the developer portal. Request and response attributes, their descriptions and examples for specific API endpoints, are provided under API Products.

All SEB's APIs are implemented using RESTful architecture style. For all requests and responses, only JSON format can be used.

Under the API Products tab in the menu above you will find our API catalogue that shows all the APIs available in this portal – both overview and technical documentation Currently our APIs focus on Sweden, but we will add more geographies going forward.

The Developer portal sandbox contains mock data to aid in testing the integration of our APIs in developer applications.

Dynamic test data is available for most of the APIs in the Sandbox, including testing the OAuth token flow.

To use SEB’s Developer Portal you must sign up for an account. SEB collects certain information for your Developer Portal Profile in order to provide access to the portal and its services. To read more about SEB’s Privacy Policy click here.

In your profile settings you can change your profile information, add a picture, or change your password.

When you have an account you will be able to create applications and test the integration of our APIs. Apps provide a Client ID and Client Secret that are used to verify the subscriptions of your app.

To gain access to production environment, you must have a registered account in SEB's Developer Portal. Once you are registered you can contact us to request access to production data for those APIs that provide it.

Currently, only PSD2 approved TPPs with a valid QWAC certificate will be granted access to production data.

We take the handling of our customers’ data very seriously. Because of this all applications that requested access to production data will be analyzed thoroughly by the bank.

Calling production status APIs that provide sensitive customer data always requires customer consent.

TLS

At SEB all communication is secured by TLS encryption.

OAuth 2.0

SEB uses the OAuth 2.0 protocol for authentication and authorization. The OAuth flow is a way for your application to get an access token and a refresh token. Customer consent is required for all API calls that request sensitive customer data.

The Authentication API in the Sandbox provides a simulated authentication flow for production status APIs. See documentation for our Authentication API.

SEB uses 3-legged authorization to delegate access to user data.

To use the Authentication API an Access code must be obtained that will be used to get the Access token. These tokens ensure access only to those protected resources granted by the user.

• The Access token is short lived
• The refresh token is long lived and could be used to get a new access token.

To read more in depth about how the OAuth 2.0 Protocol works click here.

The Authentication API only supports the authorization code grant, additional security measures may be added later on. It is assumed that the client server will retrieve the token for the user, not the client application. Always keep you credentials safe, never where they can be publicly accessed such as in a client application

API Documentation and swagger files are available on the page API Products

Currently, only PSD2 approved TPPs with a valid QWAC certificate will be granted access to production data.

We use standard http methods and response codes when building our APIs. Click here to read more about which standards we use to build our APIs.

Versioning

API version number is included into the URI:

https://api.sebgroup.com/accounts/v1/

The first thing you need to do is sign up, just click here.

You need to have an account to test the integration of SEB's APIs in your client.

We use scopes to authorize access to APIs. Scope is used as part of the OAuth flow and is required as a parameter in the API call to the authorize endpoint as described in the documentation about OAuth.

 https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize 

See API documentation for which scopes are necessary for each API.

The next step is to configure your application (App). Apps keep track of your credentials for using our APIs. For each app you will receive a Client ID and a Client Secret.

To create a new app, just click here

In order to test APIs in the Developer Portal Sandbox your application must be subscribed to an API.

You can subscribe to APIs from the API Products page or each API documentation. If you have more than one application, you will be able to choose the application you want to subscribe after click on the subscribe button.

You can view and manage your subscription in each application under the Apps menu header.

The Developer Portal gives you the option to quickly test what kind of response an API returns by using the console attached to the API documentation.

We recommend testing using Postman or a similar interface.

These things are needed to test APIs::

• Registered App
• Client ID
• Client Secret
• Access token

Click on API Products in the menu to browse our APIs and see the documentation.

Postman is a great way to test and integrate SEBs APIs. If you don’t have Postman, download it here. See Postman’s documentation and tutorials for any questions about using Postman!

On our GitHub you will find Postman collections that will make it easier to test and integrate APIs in this portal. Download the collection and import it to Postman.

You can integrate the OAuth2 process in Postman to make it easier to acquire and use tokens in testing. Follow the link below to do this.

https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization

Use the following configuration:

Now you can run the collection!

The following are instructions on how to use the Authentication API as part of the sandbox. This is not required for doing simple calls using the API Console.

Step 1

Make a HTTP GET to https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize with the following parameters in query:

{
    https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/authorize?client_id=
    869bb300-f2ea-4z90-9ad5-aa33a1ab&response_type=code&scope=psd2_accounts psd2_payments
    &redirect_uri=http://seb.se/tpp/tokencallback&state=1886540203615345268377437
}                                   
                               

Step 2

This redirects the customer to a login page as shown below. Enter a valid Sandbox Identity Number and click Login. The Sandbox Identity Number is API specific. This can be found in the API documentation under Authentication.

Step 3

Make a HTTP POST to

{
     https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/token 
}

The example below is a PSD2 request:

{
curl -X POST \
  https://api-sandbox.sebgroup.com/mga/sps/oauth/oauth20/token \
  -H 'Accept-Encoding: gzip, zlib, deflate, zstd, br' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'client_id=RZdfERgbjiP6oS&client_secret=gjiGHduisSi8tnfo&grant_type=authorization_code&
  redirect_uri=https%3A%2F%2Flocalhost%2F&code=w35x1FFNu8lR1bDi9ilngHjS7lfRn'
}

Response:

{
    "access_token": "OEtqqacYfnfioFdsgaswSNYf",
    "refresh_token": "UFxjCNDIruRTrn9RstryvfSDJFdugbskfopmdWSoRyz",
    "scope": "psd2_accounts psd2_payments",
    "token_type": "bearer",
    "expires_in": 3599
}

You will now have your authorization token, which you can use for your API calls. Pay attention to the lifetime of the authorization token, if you are having issues you may need to retrieve a new token.

Your authorization token should be included in the header and look like this:

Authorization: Bearer [Token]