Frequently Asked Questions
General questions
Q: What is SBAB's Developer Portal?
SBAB's Developer Portal is an open API platform that lets you explore the various household finance products offered by SBAB in a production-like environment. The static test data and endpoints are called the Sandbox.
Q: What data does the SBAB Development Portal/Sandbox contain?
Our sandbox environment contains static test data with the same data structure that is used in production. You are free to test all available endpoints, and the documentation covers both the sandbox and the production environment.
Q: How do I test Sandbox APIs?
In our Get Started section, you will find the information you need to start using the APIs in our sandbox environment.
Q: Is the Sandbox API working exactly as the production API?
The object model used in Sandbox and in Production is exactly the same. Validation of input data works the same, making it possible to experiment with input AIS/PIS/Enterprise data ranges to try out accepted values. The APIs and the flows of the Sandbox and Production work the same way in most cases. Hopefully the sandbox will be useful despite the minor differences listed below:
- the Sandbox uses non-production data, for example interest rates differ in the Sandbox and in Production
- the Sandbox API needs the personal bearer token for secured AIS/PIS/Enterprise calls instead of an authenticate/authorize created access token
- the Sandbox API has a simplified PIS transfer flow
- the Sandbox API has a simplified Enterprise flow for pre-approvals and loan applications
- the Sandbox API does not handle all Production API error cases
Q: Is it associated with any costs to use the SBAB Development Portal?
No, it's free! But please note that some production APIs may incur a fee to allow access to the production environment.
Q: How do I log in?
Log in here with your email address and your chosen password.
Q: What gateways are you publishing and what are they used for?
- https://developer.sbab.se/sandbox: Sandbox for both PSD2 and Enterprise endpoints
- https://psd.sbab.se: Production for PSD2 endpoints
- https://api.sbab.se: Production for SBAB Enterprise and SBAB Open endpoints
Onboarding questions
Q: How do I get access to production data?
Please log in and fill in the data under the Production Access section, or contact us for further information.
Please also note that access to production data via the SBAB Bank API is a strictly B2B matter and requires that the applicant represents a corporate with relevant permission from the National Competent Authority (Finansinspektionen in Sweden). There are currently no opportunities for private persons to develop services based on the SBAB Bank API.
Q: How can I test that our flow with SBAB works in production?
If you have access to the production client certificate, you can verify that the handshake completes successfully with the following command:
curl --cert path/to/cert -v https://psd.sbab.se/psd2/auth/3.0/authorize
Authenticate/authorize questions
Q: Can I use my Sandbox bearer token in the production environment?
No. In the production environment, you use a different authorization scheme. Read more about this under the auth section in the documentation.
Q: Why is the access token created in the Sandbox authorization/authentication flow not working for Sandbox AIS/PIS/Enterprise calls?
The flow itself works as it does in production, but the authorization/authentication flows in the Sandbox are for demonstration only, so the access tokens they create are not valid for calling protected endpoints.
Please use your personal bearer token when calling AIS/PIS/Enterprise API endpoints in the Sandbox.
Q: Why should I use a PSD2 certificate in the sandbox?
Testing the PSD2 authentication flow in the Sandbox makes it easy to integrate with our production environment, since it is the same flow and the same business objects.
Q: How is the authorization/authentication done in the Sandbox?
Please refer to the Authorization section in the documentation, which includes the explanation of the authentication and authorization flows, including code examples.
Q: Something seems to be wrong with my bearer token, I get a 401 Error: unauthorized
Make sure that you send in the complete token including the Bearer prefix in the Authorization header:
Bearer 12345678-90ab-cdef-1234-567890abcdef
This is valid for both calls to the Sandbox and calls to the Production environment. Note however that a token used in production can never be used in the Sandbox, and vice versa.
Q: Why are there two endpoints, authorize and authenticate, to get an access token for PSD2?
Both flows are very similar, the difference being that the authenticate flow returns just an access token while the authorize flow also returns a refresh token. Refresh tokens can be used to obtain more access tokens for a period of up to 90 days (soon to be extended to 180 days). See the refresh token section below for more detailed info about refresh tokens.
Q: What do I do when I get an HTTP status 403 with kyc_questions_not_completed?
First and foremost this indicates that the customer has not answered all KYC (Know Your Customer) questions. This is a requirement to be able to proceed.
The customer must answer all questions, which will be presented when logging in to the user's account or by using the SBAB app, available for iOS and Android devices.
This error will never be thrown in the Sandbox.
Refresh token questions
Q: What's the difference between a refresh token and an access token?
An access token is valid for a single session of a certain time (usually 5 or 30 minutes) after completed authentication. The refresh token is exclusive to the PSD2 authorization flow and is valid for 90/180 days. It can be exchanged for a new access token up to 4 times per day until the refresh token expires. Note that an access token issued from a refresh token is only valid for 5 minutes.
Q: How often can I use the refresh token?
It's limited to 4 times per day and each renewed access token is valid for 5 minutes.
Q: What happens when my refresh token expires?
You need to use the authorize endpoint again to get a new refresh token, which requires a new user interaction.
Q: Why do I want the refresh token?
To access end user data without end user interaction for a longer period of time.
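The refresh-token limits described in this section, written as a client-side budget tracker. This is an added example, not SBAB's code: the class and function names are hypothetical, and treating "per day" as a rolling 24-hour window is an assumption, since the FAQ does not define it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Limits as stated in this FAQ.
REFRESH_LIFETIME = timedelta(days=90)        # "90 days (soon to be extended to 180 days)"
REFRESHES_PER_DAY = 4                        # "4 times per day"
REFRESHED_ACCESS_TTL = timedelta(minutes=5)  # access token issued from a refresh token
DAY = timedelta(days=1)                      # assumption: "per day" = rolling 24 hours

@dataclass
class RefreshBudget:
    issued_at: datetime                       # when the authorize flow returned the refresh token
    used: List[datetime] = field(default_factory=list)  # refreshes in the last 24 hours
    access_expires: Optional[datetime] = None  # None: no usable access token yet

    def next_action(self, now: datetime) -> str:
        """Return 'use_access_token', 'refresh', 'wait' or 'reauthorize'."""
        if self.access_expires is not None and now < self.access_expires:
            return "use_access_token"
        if now >= self.issued_at + REFRESH_LIFETIME:
            return "reauthorize"              # new user interaction via the authorize endpoint
        recent = [t for t in self.used if now - t < DAY]
        return "wait" if len(recent) >= REFRESHES_PER_DAY else "refresh"

    def record_refresh(self, now: datetime) -> None:
        """Call after a successful refresh-token exchange."""
        self.used = [t for t in self.used if now - t < DAY] + [now]
        self.access_expires = now + REFRESHED_ACCESS_TTL

def simulate(offsets_minutes: List[int]) -> List[str]:
    """Replay a constructed schedule of API calls (minutes after token issue)."""
    start = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed sample date
    budget = RefreshBudget(issued_at=start)
    actions = []
    for minutes in offsets_minutes:
        now = start + timedelta(minutes=minutes)
        action = budget.next_action(now)
        if action == "refresh":
            budget.record_refresh(now)        # a real client would call the token endpoint here
        actions.append(action)
    return actions

if __name__ == "__main__":
    # Hourly polling: the fifth refresh within 24 hours is withheld.
    print(simulate([0, 3, 60, 120, 180, 240, 24 * 60, 90 * 24 * 60]))
```

A rolling window never exceeds four refreshes in any calendar day, so it stays within the limit whichever way the server counts.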