# bunq API Client Implementation Hints

## Response Signature Verification

The bunq API uses response signature verification for security. Based on testing:

1. **Request Signing**: Only the request body is signed (not headers or URL)
2. **Response Signing**: Only the response body is signed
3. **Current Issue**: Response signature verification fails because:
   - smartrequest automatically parses JSON responses
   - When we `JSON.stringify` the parsed object, it may have different formatting than the original
   - The server signed the original JSON string, not our re-stringified version

### Temporary Solution

Response signature verification is currently only enforced for payment-related endpoints:

- `/v1/payment`
- `/v1/payment-batch`
- `/v1/draft-payment`

### Proper Fix

To properly fix this, we would need to:

1. Access the raw response body before JSON parsing
2. Verify the signature against the raw body
3. Then parse the JSON

## Sandbox API Keys

Sandbox users can be created without authentication by posting to:

```
POST https://public-api.sandbox.bunq.com/v1/sandbox-user-person
```

This returns a fully functional API key for testing.

## IP Whitelisting

When no permitted IPs are specified, use `['*']` to allow all IPs for sandbox testing.