API Reference

OAuth for Bookkeeping APIs

Rabobank APIs require the user's authorization (consent) before your application can access their account. You request permissions (referred to as Scope) from your user (the account holder) to access their account history and process authorized transactions, and the user must approve this request to proceed. This consent flow applies to the following APIs and their respective account types:

  • Business Account Insight - Current + Savings accounts
  • Business Direct Debit - Current
  • Business Bulk Payment Initiation - Current

User (Account holder) flow

  1. Your application identifies the required Scope and automatically requests consent from the user. 

  2. Your application redirects the user to Rabobank together with the Scope for approval.

    Note: An application now supports multiple active consents.

    https://oauth.rabobank.nl/openapi/oauth2-premium/authorize?client_id=f50dc66f-9843-4c85-bad5-d34c8adcd003&response_type=code&scope=bai.accountinformation.read&redirect_uri=https://localhost
  3. The user is asked to give their consent to your application.

    Note: The user decides whether to grant consent to your application. The user cannot alter the Scope of the request; they can either grant the full consent for each bank account or decline the request entirely.

    If the user decides to approve the request, the steps below follow.

  4. The user selects the account(s) to give access.

    Note: There can be multiple active consents per Rabobank Card and clientID.

  5. They are asked to review the details and sign the request using their access code or Rabo Scanner.

  6. After the user signs the request, Rabobank redirects the user to your application, together with an authorization code.

    https://localhost/?code=AAMmk-p0Io-UNoKNap5XZDjymq3_vyxOrFRIGZZJi6HHm_UrsHZ4r9rlecoA05o-h_I_-0iN1bDtb62WXhq7FxWF6OytOuBfiFbJfivVyCyMZbg2ZD4q4nYq9sJAhWdz5QXnMvTmet2OngMu76omJ7HzXY97gaPschGf3_LDIuTo5LTLg-DTqiAQSGCpc0vSKcHlk0n6y4QuigEFwL8mQU1auXkSL7VY3ExlpEbMaA8MF2Vzt-zf3Bs1XfuuwrxffAI
  7. Your application uses the authorization code it received to request an access token using the Request Access Tokens API.

  8. The Rabobank API sends your application an access token and a refresh token.

  9. Your application includes the access token in the Authorization header of its API request for data from a resource or processing transaction(s) in the Rabobank API.

    Bearer AAIkNTQ3OTE5NTktY2IxZS00ZmY3LWE1NjEtYTE4NDg2MDllMDUzy2k6Kt0gFNgTh5KQZ1l6oddOJrXLD4jcf4HParcXv9itWE-6oQcD1MWgbUX6m9n_kDrnZle2B0r3zNJABLuTjW8oJFqUSAb0oWpn4DWX4iCsHnqdyQcFFxYej6YnnSyUp98ZupDN2qcvr6duyZcWvg5f3flHB4dGubtEHjgUhrnQcUIXMVKc905Q6dQxPaiOChFwGoatEXEdKg9eAMkvbzhygo4IMGhspY5bAN1BI0SQV9gNq0QB-ih9YE1orqMTsRAPXIFfKE1Mq7fHIsZs3TALaJHRl8DkG1a4h4ZOrk3aDAtBap8oRd-_gb0b9VmMTJz5XmwbA8Vm6Z7xItxsDh9nITS-LZZ-hPOx6ZiY5J63qcFjt8YnV0CZekhicmdjYqSpYN9T8-hyqJM4t9GL62YC6_QovsBQEC_CzZXrnCRK-klkdKoPt9JO2HpHIZp-jojBOaSDgDhwdrGzju2uWKF2A0ZxfQA1JmSuBv6dZEmgyitslG4MnsZvg-0IpEUWYNAk8B2Lxa1btp3zP4JkEjOpTsFH5ite-0YFgFhvoX_K0rZiImbMM5yQ4oG89QBgOcYRKkLbusZ8LtuS3885z3Q823he1ufE_ncWYjaZDNULzLfVIAT7NmVQmIdEX6lFkq0KOA8lHyyUzaK9awRuAwfXnnXCMPRFuA2Md6aBm65V3Zfpdd9DyhAUNIuNWfOp832GQw6494DGuHLmrmc9Dg
    GET https://api.rabobank.nl/openapi/payments/insight/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0
  10. The Rabobank API sends a response to your application.

    {
        "accounts": [
            {
                "_links": {
                    "account": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0",
                    "balances": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0/balances",
                    "transactions": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0/transactions"
                },
                "currency": "EUR",
                "iban": "NL52RABO0125618484",
                "name": "Some alias 1",
                "ownerName": "Some company 1",
                "resourceId": "Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0",
                "status": "enabled"
            }
        ]
    }
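
The client side of steps 2, 6 and 9, as an added example that is not Rabobank's own code: it builds the authorize redirect, validates the callback before the code is exchanged, and forms the Authorization header. The function names are hypothetical, and the `state` parameter and the `error` callback parameter are assumptions taken from RFC 6749, since the page's sample URLs show neither.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint, client_id and redirect_uri are the sample values shown in step 2.
AUTHORIZE_URL = "https://oauth.rabobank.nl/openapi/oauth2-premium/authorize"
CLIENT_ID = "f50dc66f-9843-4c85-bad5-d34c8adcd003"
REDIRECT_URI = "https://localhost"


def build_authorize_url(scope):
    """Step 2: return (url, state); keep state in the user's server-side session."""
    # Assumption: 'state' (RFC 6749 section 4.1.1) is not in the page's sample URL.
    state = secrets.token_urlsafe(32)
    query = urlencode({"client_id": CLIENT_ID, "response_type": "code",
                       "scope": scope, "redirect_uri": REDIRECT_URI,
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def _origin_and_path(url):
    parts = urlsplit(url)
    return parts.scheme, parts.netloc.lower(), parts.path.rstrip("/")


def extract_code(callback_url, expected_state):
    """Step 6: validate the redirect before the code is exchanged in step 7."""
    if _origin_and_path(callback_url) != _origin_and_path(REDIRECT_URI):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(urlsplit(callback_url).query)
    # Check state first so a forged callback cannot drive any later branch.
    state = params.get("state", [])
    if len(state) != 1 or not hmac.compare_digest(
            state[0].encode(), expected_state.encode()):
        raise ValueError("state missing or mismatched")
    if "error" in params:  # assumed RFC 6749 error response, e.g. user declined
        raise PermissionError(params["error"][0])
    code = params.get("code", [])
    if len(code) != 1:  # reject absent or duplicated parameters
        raise ValueError("expected exactly one authorization code")
    return code[0]


def bearer_header(access_token):
    """Step 9: the token goes in the Authorization header, never in the URL."""
    return {"Authorization": f"Bearer {access_token}"}
```

Authorization codes and tokens such as those in steps 6 and 9 are credentials, so keep them out of application logs and error messages.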