API Reference Review
The current version is v2.0.3, released on September 29th, 2020.
The current version is v1.2.0, released on July 15th, 2020.
The current version is v1.5.1, released on September 12th, 2020.
Sign Up for an Account
- Go to https://brank.as/create-account and register for an account.
- Verify your email address to be able to log in to the Brankas Admin Dashboard.
Download the API Collection and Test API
- Download an API collaboration tool such as Postman to test API calls.
- Click the product you want to test to view the Brankas API collection.
- Click Run in Postman in the upper right corner to import and run the Brankas API Collection.
An API key is available for you to use for triggering our API.
Revoke API Tokens
Due to security constraints and the way OAuth has been set up, an API key cannot be revoked manually. The existing API key is automatically revoked when you create a new API key.
Store API Tokens
API tokens are identifiers that authenticate your access to your Brankas account. It is essential to safeguard your API tokens. Here are some reminders to keep your tokens safe:
- Store API tokens in a dedicated secrets-storage mechanism if one is available.
- Store API tokens in a configuration file that is excluded from your version control. The file can be created manually or placed on the deployment server using automated tools.
- Ensure that only your web application can read that file. Brankas recommends limiting access to the users who require the information.
- DO NOT store API tokens as plaintext files in the Version Control System (VCS). Storing API tokens in the VCS may result in sharing them publicly, allowing anyone with the token to access your accounts.
- DO NOT store tokens in email inboxes or chat logs. Tokens should only live in Brankas and in production systems. You can retrieve API tokens from your Profile Settings page.
In case of security breach
If an API key has accidentally been pushed to a remote public repository, we suggest rotating it. Deleting the access token from the VCS is not sufficient, because a VCS stores historical changes, is distributed, and has automation attached to new pushes.
Brankas APIs require HTTPS with TLS >= 1.2. Unencrypted HTTP connections are not accepted because they would transmit your access token in plaintext.
If your application is large, consider extracting Brankas-specific functionality into a separate middleware or service layer. This lets you store API tokens separately from the main application.
If you need to pass the token around in HTTP requests, use HTTP headers or the POST body; do not put the token in the URI or query parameters. Web servers usually log the URL, and browsers pass it between websites via the Referer header.
Brankas Identity Provider (IdP) for Direct and Statement
Brankas leverages a web application called the Brankas Identity Provider service (IdP) to secure this exchange of sensitive information.
After a request is initiated with a Brankas product, the service returns a pre-formatted URL to the Brankas IdP to which end-users can be redirected. These URLs are unique and specific to the current request.
The Brankas IdP supports the various end-user authentication and authorization mechanisms used by the end-user's bank's internet banking platform. These include:
- Internet banking login credentials
- TFA challenges of various types to authenticate the end user as part of login
- TFA challenges of various types to authorize a fund transfer
Brankas IdP automatically adjusts its flow to enforce the authentication and authorization requirements of any bank that it has been integrated with.
Brankas uses redirect URIs to a unique Brankas IdP user session to ensure that third-party applications have no touch points through which to gain access to sensitive internet banking credentials or TFA codes.
Additionally, we enforce secure HTTPS connections to the Brankas IdP, and all internal micro-service communications are encrypted using mTLS >= 1.2. The IdP also uses Cross-Site Request Forgery (CSRF) tokens and secure cookies to ensure unique access to Brankas IdP sessions, preventing potential session hijacking by malicious actors.
End-user credentials and TFA challenges are never stored, so access to internet banking credentials and accounts cannot be abused.
Our client libraries are set to raise the following exceptions:
- failed charge
- invalid parameters
- authentication errors
- network unavailability
Brankas recommends writing code that handles all possible API exceptions. You can learn more about the errors in each product's section.
All requests made to the Brankas API must be authorized using API-key-based authentication.
API authorization involves sending the x-api-key header, whose value is a base64-encoded UUID assigned to your organization.
To access user data, include your API key when you submit your request to the endpoint.
To maintain security, data shared with the endpoints should be transferred via HTTPS.
After acquiring an API key from the Brankas Dashboard, you need to pass it in the x-api-key request header in all subsequent resource requests. The header is the name x-api-key, a colon, then the API key, for example: --header 'x-api-key: Th!sis4n4P1K3y'
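As an added example (not Brankas's own client code), the following Python puts the token-handling rules on this page into practice: load the key from the environment or from a file kept outside version control with restrictive permissions, refuse plain HTTP, keep the key out of the URI, pin TLS to 1.2 or newer, and send the key only in the x-api-key header. The environment variable name BRANKAS_API_KEY, the helper names and the endpoint URL are assumptions.

```python
# Added example (not Brankas code): load an API key from a secret store kept
# out of version control and send it only in the x-api-key header over HTTPS
# with TLS >= 1.2. Assumed names: BRANKAS_API_KEY, load_api_key, build_request,
# tls_context and call_api; the endpoint URL in tests is hypothetical.
import os
import ssl
import stat
import urllib.parse
import urllib.request


def load_api_key(env=None, env_var="BRANKAS_API_KEY", key_file=None):
    """Return the key from the environment, else from a file outside the VCS."""
    env = os.environ if env is None else env
    key = env.get(env_var)
    if key:
        return key.strip()
    if key_file is None:
        raise RuntimeError("no API key configured")
    # Only the application's own user may read the key file (no group/other bits).
    mode = stat.S_IMODE(os.stat(key_file).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{key_file} is readable by other users (mode {mode:o})")
    with open(key_file) as fh:
        return fh.read().strip()


def build_request(url, api_key):
    """HTTPS only, key in a header, never in the path or query string."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Brankas APIs require HTTPS; refusing plaintext HTTP")
    if api_key in parts.path or api_key in parts.query:
        raise ValueError("API key must not appear in the URI (servers log it)")
    return urllib.request.Request(url, headers={"x-api-key": api_key})


def tls_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def call_api(url, api_key):
    """Send the request; returns (status, body) from the endpoint."""
    req = build_request(url, api_key)
    with urllib.request.urlopen(req, context=tls_context()) as resp:
        return resp.status, resp.read()
```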