# bunq API Client Implementation Hints

## Response Signature Verification

The bunq API uses response signature verification so that a client can detect tampered or forged responses. Based on testing:

1. **Request Signing**: Only the request body is signed (not headers or URL).
2. **Response Signing**: Only the response body is signed.
3. **Current Issue**: Response signature verification fails because:
   - smartrequest automatically parses JSON responses.
   - When we `JSON.stringify` the parsed object, the output may be formatted differently (e.g. whitespace) from the original body.
   - The server signed the exact bytes of the original JSON string, not our re-stringified version, so the signature no longer matches.

### Temporary Solution

Response signature verification is currently only enforced for payment-related endpoints:

- `/v1/payment`
- `/v1/payment-batch`
- `/v1/draft-payment`

### Proper Fix

To properly fix this, we would need to:

1. Access the raw response body before JSON parsing.
2. Verify the signature against the raw body.
3. Only then parse the JSON.
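The failure mode described above and the proper fix, as an added TypeScript example (not code from this repository or from bunq): a throwaway RSA key pair stands in for the server's key, the signature scheme (SHA-256 with RSA over the exact body bytes, base64-encoded) and the pretty-printed sample response are constructed for the example, and obtaining the raw body from the HTTP client is left to the caller.

```typescript
import * as crypto from 'node:crypto';

// Constructed for this example: in a real client the server's public key is
// the one obtained from bunq; here a throwaway pair lets the example run offline.
const { publicKey: serverPublicKey, privateKey: serverPrivateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

/** Server side (simulated): sign the exact bytes of the response body. */
function signBody(rawBody: string, privateKey: crypto.KeyObject): string {
  return crypto
    .sign('sha256', Buffer.from(rawBody, 'utf8'), privateKey)
    .toString('base64');
}

/** Verify a signature against the exact bytes that were signed. */
function verifyBody(rawBody: string, signatureB64: string, publicKey: crypto.KeyObject): boolean {
  return crypto.verify(
    'sha256',
    Buffer.from(rawBody, 'utf8'),
    publicKey,
    Buffer.from(signatureB64, 'base64'),
  );
}

/**
 * The broken approach: the HTTP client already parsed the JSON, so we
 * re-serialise it and verify that. Any formatting difference from the
 * original bytes (whitespace here) makes the signature check fail.
 */
function verifyReparsed(parsed: unknown, signatureB64: string, publicKey: crypto.KeyObject): boolean {
  return verifyBody(JSON.stringify(parsed), signatureB64, publicKey);
}

/**
 * The proper fix: verify the raw body first and only parse it afterwards,
 * so nothing unverified is ever handed to the caller.
 */
function parseVerifiedResponse<T>(rawBody: string, signatureB64: string, publicKey: crypto.KeyObject): T {
  if (!verifyBody(rawBody, signatureB64, publicKey)) {
    throw new Error('Response signature verification failed');
  }
  return JSON.parse(rawBody) as T;
}

// Constructed sample response: pretty-printed, so JSON.stringify(JSON.parse(x)) !== x.
const rawResponse = '{\n  "Response": [\n    {"Id": {"id": 42}}\n  ]\n}';
const serverSignature = signBody(rawResponse, serverPrivateKey);

interface IdResponse {
  Response: Array<{ Id: { id: number } }>;
}

/** Runs the three scenarios and returns their outcomes. */
function demo(): { rawOk: boolean; reparsedOk: boolean; tamperedOk: boolean; id: number } {
  // 1. Verifying the untouched raw body succeeds.
  const rawOk = verifyBody(rawResponse, serverSignature, serverPublicKey);
  // 2. Verifying a re-stringified copy fails even though the data is identical.
  const reparsedOk = verifyReparsed(JSON.parse(rawResponse), serverSignature, serverPublicKey);
  // 3. A body altered in transit fails as well, which is the point of the check.
  const tampered = rawResponse.replace('42', '43');
  const tamperedOk = verifyBody(tampered, serverSignature, serverPublicKey);
  // 4. Proper flow: verify raw bytes, then parse.
  const parsed = parseVerifiedResponse<IdResponse>(rawResponse, serverSignature, serverPublicKey);
  return { rawOk, reparsedOk, tamperedOk, id: parsed.Response[0].Id.id };
}

console.log(demo()); // { rawOk: true, reparsedOk: false, tamperedOk: false, id: 42 }
```

The `reparsedOk: false` result is exactly the failure described above: the data is unchanged, only the serialisation differs. `parseVerifiedResponse` is the shape the fix needs to take; the remaining work is getting the HTTP client to hand over the body as a string before it is parsed.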

## Sandbox API Keys

Sandbox users can be created without authentication by posting to:

```
POST https://public-api.sandbox.bunq.com/v1/sandbox-user-person
```

This returns a fully functional API key for testing.

## IP Whitelisting

When no permitted IPs are specified, use `['*']` to allow all IPs; this is intended for sandbox testing only.