Frequently Asked Questions
Q: What is SBAB's Developer Portal?
SBAB's Developer Portal is an open API platform that lets you explore the various household finance products offered by SBAB in a production-like environment.
Q: What data does the SBAB Development Portal contain?
Our sandbox environment contains static test data with the same data structure that is used in production. You are free to test all available endpoints, and the documentation covers both the sandbox and the production environment.
Q: How do I test Sandbox APIs?
In our Get started section, you will find the information you need to start using the APIs in our sandbox environment.
Q: Are there any costs associated with using the SBAB Development Portal?
No, it’s free! But please note that some APIs may incur a fee to allow access to the production environment.
Q: How do I log in?
Log in here with your email address and your chosen password.
Q: How do I get access to production data?
Please log in and apply for production access by clicking the 'Apply for production access' button, or contact us for further dialogue or access to the production environment. Please also note that access to production data via the SBAB Bank API is strictly a B2B matter and requires that the applicant represents a corporation with the relevant permission from the National Competent Authority (in Sweden: Finansinspektionen). There are currently no opportunities for private persons to develop services based on the SBAB Bank API.
Q: Can I use my bearer token in the production environment?
No. In the production environment, you use a different authorization scheme. Read more about this under the auth section in the documentation.
Q: Something seems to be wrong with my bearer token, I get a 401 Error: unauthorized
- Make sure that you send the complete token, including the word Bearer ('Bearer xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxxx'), in the authorization key.
- Only send the word Bearer once in your call.
Q: Why should I use a PSD2 certificate in the sandbox?
If you test the PSD2 authentication flow in the sandbox, it will be easy to integrate with our production environment, since it uses the same flow and the same business objects.
Q: How is the authorization/authentication done in the sandbox?
First you need to ask for a pending access code, and then exchange the pending code for an access token.
Q: How do I find the PSP authorization number used for onboarding?
It is stored in your client certificate information and is part of the principal DN, tagged with 'OID.2.5.4.97' and with a value like 'PSDSE-FINA-32017'. The complete string must be given in the onboarding process. Check with your security department if you are unsure how to find the value in the client certificate.
Q: What’s the difference between a refresh token and an access token?
An access token is valid for a session of 30 minutes if authenticate has been used. The refresh token is valid for 90 days and can be exchanged for a new access token up to 4 times per day after expiration. Note that an access token issued from a refresh token is only valid for 5 minutes.
Q: How often can I use the refresh token?
It’s limited to 4 times per day and each access token is valid for 5 minutes.
Q: What happens when my refresh token expires?
You need to use the authorize endpoint again.
Q: Why are there two endpoints, authorize and authenticate, to get an access token?
Both the authorize and authenticate endpoints return a pending code in step 1. In step 2, when you call the token endpoint with the pending code, the result depends on which endpoint issued it: after a previous authorize call, the token endpoint returns both an access token and a refresh token; after a previous authenticate call, it returns only the access token. Note that the pending code is used to retrieve the access token once the end user has signed.
Q: Why do I want the refresh token?
To access end user data without end user interaction.
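
The lifetimes and limits from the token answers above, written as a client-side planner that decides when to reuse the access token, refresh, or send the end user through signing again. This is an added example, not SBAB's code: all names are hypothetical, "per day" is assumed to mean a UTC calendar day, and the first access token after authorize is assumed to last 30 minutes as well.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SESSION_TTL = timedelta(minutes=30)    # stated for authenticate; assumed for authorize too
REFRESHED_TTL = timedelta(minutes=5)   # access token issued from a refresh token
REFRESH_TTL = timedelta(days=90)       # refresh token lifetime
MAX_REFRESHES_PER_DAY = 4              # "day" assumed to be a UTC calendar day

@dataclass
class TokenState:
    access_expires: datetime
    refresh_expires: Optional[datetime]          # None when authenticate was used
    refreshes: List[datetime] = field(default_factory=list)

def after_token_exchange(now: datetime, via_authorize: bool) -> TokenState:
    """State right after the pending code was exchanged at the token endpoint."""
    return TokenState(now + SESSION_TTL, now + REFRESH_TTL if via_authorize else None)

def next_action(state: TokenState, now: datetime) -> str:
    """Decide what the client may do at `now` without an extra round trip."""
    if now < state.access_expires:
        return "use_access_token"
    if state.refresh_expires is None or now >= state.refresh_expires:
        return "start_over"          # no usable refresh token: end user must sign again
    today = [t for t in state.refreshes if t.date() == now.date()]
    if len(today) >= MAX_REFRESHES_PER_DAY:
        return "quota_exhausted"     # wait for the next day or start over
    return "refresh"

def record_refresh(state: TokenState, now: datetime) -> None:
    """Call after a successful refresh-token exchange."""
    if next_action(state, now) != "refresh":
        raise RuntimeError("refresh is not allowed in this state")
    state.refreshes = [t for t in state.refreshes if t.date() == now.date()] + [now]
    state.access_expires = now + REFRESHED_TTL

def simulate(state: TokenState, times: List[datetime]) -> List[str]:
    """Replay constructed request times, refreshing whenever that is allowed."""
    actions = []
    for now in times:
        actions.append(next_action(state, now))
        if actions[-1] == "refresh":
            record_refresh(state, now)
    return actions

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)    # constructed start time
    print(simulate(after_token_exchange(t0, True), [t0 + timedelta(hours=h) for h in range(1, 8)]))
```

An hourly background job uses up the four refreshes by midday and then sees `quota_exhausted`, so unattended access should be batched into the 5-minute windows rather than polled.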