Authentication and Authorization
In this section we describe what our two authentication APIs have in common.
Stored data
The test data in the sandbox consists of a fixed set of accounts and transactions associated with your bearer key or test certificate. The AIS and PIS endpoints have basic functionality, so you can create new transfers, and they will affect the account balance.
Please note that the sandbox environment is exclusively based on mocked data with limited or no capability to save your results, and saved data may be purged without warning.
API usage
The SBAB APIs use our own flavour of OAuth2 for authorization, so you must provide an access token with every request to a protected resource.
Also, the base URL for all requests to the sandbox is the following:
https://developer.sbab.se/sandbox
All flow examples use the cURL command line tool, and you can easily follow and repeat them in the Sandbox user interface.
For illustrative purposes, the cURL samples assume that the bearer token you received with your account is 12345678-90ab-cdef-1234-567890abcdef.
Token validity
All obtained access tokens have a defined TTL (time-to-live). The value is configured per client; by default it is 1800 seconds (30 minutes) in production, but it is set to 300 seconds (5 minutes) in the Sandbox environment.
As a rule of thumb, check the validity of the received token as exposed in the expires_in field that is sent along with all access tokens, instead of assuming a fixed value.
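The following is an added example (not SBAB's own client code) of a token cache that honours the expires_in field instead of hard-coding 1800 or 300 seconds; the token response body is constructed for illustration, and a missing or invalid expires_in is treated as already expired so the client re-authenticates rather than guessing a lifetime.

```python
import json
from dataclasses import dataclass

# Constructed sample of an OAuth2 token endpoint response (illustrative, not a real SBAB reply).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "12345678-90ab-cdef-1234-567890abcdef",
    "token_type": "Bearer",
    "expires_in": 300,
})


@dataclass
class CachedToken:
    access_token: str
    token_type: str
    expires_at: float  # absolute time (seconds since epoch) at which the token is no longer valid


def parse_token_response(body: str, now: float) -> CachedToken:
    """Build a CachedToken from a token endpoint body, deriving expiry from expires_in."""
    data = json.loads(body)
    token = data["access_token"]
    # expires_in must be a non-negative integer; anything missing or malformed is
    # treated as a TTL of 0, i.e. the token is considered expired immediately.
    try:
        ttl = max(int(data["expires_in"]), 0)
    except (KeyError, TypeError, ValueError):
        ttl = 0
    return CachedToken(token, data.get("token_type", "Bearer"), now + ttl)


def needs_refresh(tok: CachedToken, now: float, margin: float = 30.0) -> bool:
    """True when the token has expired or will expire within `margin` seconds.

    The margin absorbs clock skew and request latency so a call is not sent
    with a token that expires in transit.
    """
    return now >= tok.expires_at - margin


def auth_header(tok: CachedToken) -> dict:
    """Authorization header to attach to requests for protected resources."""
    return {"Authorization": f"{tok.token_type} {tok.access_token}"}
```

A client would call parse_token_response once per token grant and needs_refresh before every request, fetching a new token whenever it returns True.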
The APIs
The authentication APIs are separated based on the required authentication method:
- Enterprise Authentication API: for the Enterprise API only; uses system users or end-user authentication depending on the operation performed
- PSD2 Authentication API: for the AIS and PIS APIs; uses eIDAS certificates in the TLS handshake