Comprehensive reference for integrating with Brankas API endpoints

Endpoint and Schema Overview

Here’s the full list of Brankas endpoints and guideline

Products Endpoints
Direct /v1/checkout, /v1/transfer
Disburse /v1/disbursements, /v1/disbursements/process, /v1/disbursements/account-inquiry
Statement /v1/notification, /v1/statement-retrieval, /v1/statements, /v1/statement-init, /v1/static-link
Pay /v1/merchant, /v1/invoice, /v1/deposit-account
Account Opening /v1/product-list, /v1/form-request, /v1/status

API Access

To gain access to the Brankas API, create an account on the Brankas developer dashboard. Once you’ve completed the signup process and acknowledged our terms, you can access API Key via the Dashboard.

API Protocols and Header

The Brankas API use POST request to communicate and HTTP response codes to indicate status and errors. All responses come in standard JSON. The Brankas API is served over HTTPS TLS v1.2+ to ensure data privacy; HTTP and HTTPS with TLS version below 1.2 are not supported, as they will transmit your API Key in plaintext over the network.

Always validate certificates. You should not proceed with a connection if you receive a certificate validation error from Brankas. Make sure all parts of your application are using encryption and HTTPS and failing when certificate validation fails.

To use it, you can put it in your API request header.

For example:

-H 'Content-Type:application/json' \
-H 'x-api-key:O66Q9XWlyoV0A5xhTeF2uRpVXFPXqmutUESQEB6C5ziQJp3lVSHR5eiDkAE8823R' \

Revoke API Keys

Due to security constraints and how OAuth has been set up, API key cannot be revoked. API Key will be automatically revoked when you re-create a new API Key.

Store API Keys

API keys are identifiers that authenticate your access to your Brankas account. It is essential to safeguard your API keys. Here are some reminders to keep your tokens safe:

  • Obfuscation - Use third-party framework such as Obfuscator and Appfigurate or code generation tool such as GYP
  • Encapsulation
    • Create a frame or static library to store the secret and import it as a project. Call the API key method to retrieve from the framework
    • Server Storage - API key can be retrieve from:
    • Own server through API server
    • Apple Services - On-Demand Resources, Plain-Text Download - CloudKit Database (private database from CloudKit Dashboard) - APNS (Silent Push Notification)•Save the key in Secure Enclave
  • Save the key in Secure Enclave

Anti-reverse Engineering Helper Tools

Listed are tools for anti-reverse engineer

  • DO NOT store API Keys as plaintext files in the Version Control System (VCS). Storing API Keys in the VCS may result in sharing it publicly. Thus, allowing anyone with the token to access your accounts.
  • DO NOT store tokens in email inboxes or chat logs. Tokens should only live in Brankas and production systems. You can retrieve API Keys from your Profile Setting page.
  • DO NOT store the token in user-accessible code such as browser-side, JavaScript, or Android apps that can be decompiled.

In case of security breach

In case of incidents where an API Key has been accidentally pushed to a remote public repository, we suggest to rotate it. Deleting an access token from VCS is not sufficient because a VCS stores historical changes, is distributed and has automation assigned to new pushes.

API Host

The Sandbox environment is unrestricted and supports only test Items. All testing should be done in the Sandbox. All activity in the Production environment will be billed. When you’re getting ready to launch into Production, request Live API access via the dashboard.

Product Sandbox Live
Direct direct.sandbox.bnk.to direct.bnk.to
Disburse disburse.sandbox.bnk.to disurse.bnk.to
Statement statement.sandbox.bnk.to statement.bnk.to
Pay api.pay.sandbox.bnk.to api.pay.bnk.to
Account Opening account-opening.sandbox.bnk.to account-opening.bnk.to

API Versioning and Changelog

This page covers backwards-incompatible, versioned API changes. For a list of all API updates, including non-versioned ones, see the API changelog for each of the products you are using.

Whenever we make a backwards-incompatible change to a general availability, non-beta product, we release a new API version to avoid causing breakages for existing developers. You can then continue to use the old API version, or update your application to upgrade to the new Brankas API version. APIs for beta products are subject to breaking changes without versioning.

We consider the following changes to be backwards compatible:

  • Adding new API endpoints
  • Adding new options parameter to existing endpoints
  • Adding new data elements to existing response schemas
  • Adding new enum values, including error_type and error_codes
  • Changing the length or content of any API identifier

Version 2021-2-1

  • Direct updated version is v2.1.0
  • Disburse updated version is 2.2.0
  • Statement updated version is 2.2.0
  • Pay updated version is 1.2.0

Postman Collection

Learn more about the Brankas Postman Collection, which allows you to send API request without code


Brankas offers a Postman Collection as a convenient tool for exploring Brankas API endpoints without writing code. The Postman Collection provides pre-formatted requests for almost all of Brankas’s API endpoints. All you have to do is fill in your API keys and any arguments.

Brankas Postman Collection