bunq API Client Implementation Hints
Response Signature Verification
The bunq API uses response signature verification for security. Based on testing:
- Request Signing: Only the request body is signed (not headers or URL)
- Response Signing: Only the response body is signed
- Current Issue: Response signature verification fails because:
  - smartrequest automatically parses JSON responses
  - When we JSON.stringify the parsed object, it may have different formatting than the original
  - The server signed the original JSON string, not our re-stringified version
Temporary Solution
Response signature verification is currently only enforced for payment-related endpoints:
- /v1/payment
- /v1/payment-batch
- /v1/draft-payment
Proper Fix
To properly fix this, we would need to:
- Access the raw response body before JSON parsing
- Verify the signature against the raw body
- Then parse the JSON
Sandbox API Keys
Sandbox users can be created without authentication by posting to:
POST https://public-api.sandbox.bunq.com/v1/sandbox-user-person
This returns a fully functional API key for testing.
IP Whitelisting
When no permitted IPs are specified, use ['*'] to allow all IPs for sandbox testing.