bunq/readme.hints.md
Juergen Kunz 4ec2e46c4b update
2025-07-18 11:42:06 +00:00

bunq API Client Implementation Hints

Response Signature Verification

The bunq API uses response signature verification for security. Based on testing:

  1. Request Signing: Only the request body is signed (not headers or URL)
  2. Response Signing: Only the response body is signed
  3. Current Issue: Response signature verification fails because:
    • smartrequest automatically parses JSON responses before the client sees the raw body
    • Re-serializing the parsed object with JSON.stringify may produce different formatting (e.g. whitespace) than the original body
    • The server signed the original JSON string, so the signature does not match our re-stringified version

Temporary Solution

Response signature verification is currently only enforced for payment-related endpoints:

  • /v1/payment
  • /v1/payment-batch
  • /v1/draft-payment

Proper Fix

To properly fix this, we would need to:

  1. Access the raw response body before JSON parsing
  2. Verify the signature against the raw body
  3. Then parse the JSON

Sandbox API Keys

Sandbox users can be created without authentication by posting to:

POST https://public-api.sandbox.bunq.com/v1/sandbox-user-person

This returns a fully functional API key for testing.

IP Whitelisting

When no permitted IPs are specified, use ['*'] to allow all IPs for sandbox testing.