OAuth for Bookkeeping APIs

Rabobank APIs require the user's authorization (consent) before your application can access their account. Your application requests permissions (referred to as Scope) from the user (account holder) to read their account history and process authorized transactions, and the user must approve this request before the application can proceed. This consent flow applies to the following APIs and their respective account types:

  • Business Account Insight - Current + Savings accounts
  • Business Direct Debit - Current
  • Business Bulk Payment Initiation - Current

Consent Flow

User (Account holder) flow

  1. Your application identifies the required Scope and automatically requests consent from the user.
  2. Your application redirects the user to Rabobank together with the Scope for approval.

    An application supports only one consent at a time, for example you cannot use one application for both PSD2 and Commercial consent.

    We recommend creating separate applications in the Rabobank Developer Portal for PSD2 and Commercial consent(s).

    Application redirect URI
    https://oauth.rabobank.nl/openapi/oauth2-premium/authorize?client_id=f50dc66f-9843-4c85-bad5-d34c8adcd003&response_type=code&scope=bai.accountinformation.read&redirect_uri=https://localhost
  3. The user is asked to give their consent to your application.

    The user decides whether to grant the consent to your application. The user cannot alter the Scope of the request; they can either grant the full consent for each bank account or decline the request entirely.

    If the user approves the request, the steps below follow.

  4. The user selects the account(s) to give access.

    There can only be 1 active consent per Rabobank Card and clientID.

  5. The user is asked to review the details and sign the request using their access code or Rabo Scanner.
  6. After the user signs the request, Rabobank redirects the user to your application, together with an authorization code.

    Redirect URL with authorization code
    https://localhost/?code=AAMmk-p0Io-UNoKNap5XZDjymq3_vyxOrFRIGZZJi6HHm_UrsHZ4r9rlecoA05o-h_I_-0iN1bDtb62WXhq7FxWF6OytOuBfiFbJfivVyCyMZbg2ZD4q4nYq9sJAhWdz5QXnMvTmet2OngMu76omJ7HzXY97gaPschGf3_LDIuTo5LTLg-DTqiAQSGCpc0vSKcHlk0n6y4QuigEFwL8mQU1auXkSL7VY3ExlpEbMaA8MF2Vzt-zf3Bs1XfuuwrxffAI
  7. Your application uses the authorization code it received to request an access token using the Access Authorization API.
  8. The Rabobank API sends your application an access token and a refresh token.
  9. Your application includes the access token in the Authorization header of its API request for data from a resource or processing transaction(s) in the Rabobank API.

    Authorization Header
    Bearer AAIkNTQ3OTE5NTktY2IxZS00ZmY3LWE1NjEtYTE4NDg2MDllMDUzy2k6Kt0gFNgTh5KQZ1l6oddOJrXLD4jcf4HParcXv9itWE-6oQcD1MWgbUX6m9n_kDrnZle2B0r3zNJABLuTjW8oJFqUSAb0oWpn4DWX4iCsHnqdyQcFFxYej6YnnSyUp98ZupDN2qcvr6duyZcWvg5f3flHB4dGubtEHjgUhrnQcUIXMVKc905Q6dQxPaiOChFwGoatEXEdKg9eAMkvbzhygo4IMGhspY5bAN1BI0SQV9gNq0QB-ih9YE1orqMTsRAPXIFfKE1Mq7fHIsZs3TALaJHRl8DkG1a4h4ZOrk3aDAtBap8oRd-_gb0b9VmMTJz5XmwbA8Vm6Z7xItxsDh9nITS-LZZ-hPOx6ZiY5J63qcFjt8YnV0CZekhicmdjYqSpYN9T8-hyqJM4t9GL62YC6_QovsBQEC_CzZXrnCRK-klkdKoPt9JO2HpHIZp-jojBOaSDgDhwdrGzju2uWKF2A0ZxfQA1JmSuBv6dZEmgyitslG4MnsZvg-0IpEUWYNAk8B2Lxa1btp3zP4JkEjOpTsFH5ite-0YFgFhvoX_K0rZiImbMM5yQ4oG89QBgOcYRKkLbusZ8LtuS3885z3Q823he1ufE_ncWYjaZDNULzLfVIAT7NmVQmIdEX6lFkq0KOA8lHyyUzaK9awRuAwfXnnXCMPRFuA2Md6aBm65V3Zfpdd9DyhAUNIuNWfOp832GQw6494DGuHLmrmc9Dg
    Request example for BAI
    GET https://api.rabobank.nl/openapi/payments/insight/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0
  10. The Rabobank API sends a response to your application.

    Response example
    {
        "accounts": [
            {
                "_links": {
                    "account": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0",
                    "balances": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0/balances",
                    "transactions": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0/transactions"
                },
                "currency": "EUR",
                "iban": "NL52RABO0125618484",
                "name": "Some alias 1",
                "ownerName": "Some company 1",
                "resourceId": "Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0",
                "status": "enabled"
            },
            {
                "_links": {
                    "account": "/accounts/hBS4MQ0Oc4LLJRiUiE_R94_-zoU4B2vwnPkXmsGh_bA",
                    "balances": "/accounts/hBS4MQ0Oc4LLJRiUiE_R94_-zoU4B2vwnPkXmsGh_bA/balances",
                    "transactions": "/accounts/hBS4MQ0Oc4LLJRiUiE_R94_-zoU4B2vwnPkXmsGh_bA/transactions"
                },
                "currency": "EUR",
                "iban": "NL80RABO1127000002",
                "name": "Some alias 2",
                "ownerName": "Some company 2",
                "resourceId": "hBS4MQ0Oc4LLJRiUiE_R94_-zoU4B2vwnPkXmsGh_bA",
                "status": "enabled"
            }
        ]
    }
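The ten steps above, implemented as client-side helpers. This is an added example and not Rabobank's own SDK or sample code: the authorization endpoint, client_id, redirect_uri, scope and the account response are taken from the page, while the `state` parameter (the standard OAuth 2.0 anti-CSRF value, not shown in the page's URL), the `TOKEN_ENDPOINT` placeholder (the page does not give the Access Authorization API URL) and all function names are assumptions. The token exchange is built but not sent, so the example runs offline.

```python
"""Helpers for the Rabobank consent flow (hypothetical example, not Rabobank code)."""
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the page's examples.
AUTHORIZE_ENDPOINT = "https://oauth.rabobank.nl/openapi/oauth2-premium/authorize"
CLIENT_ID = "f50dc66f-9843-4c85-bad5-d34c8adcd003"
REDIRECT_URI = "https://localhost"
SCOPE_BAI = "bai.accountinformation.read"
# Placeholder: the page does not state the Access Authorization API URL.
TOKEN_ENDPOINT = "https://TOKEN-ENDPOINT-PLACEHOLDER.example/token"


def build_authorization_url(scope, state, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Step 2: the URL your application redirects the user to.

    `state` is an assumed anti-CSRF value (standard OAuth 2.0 practice); keep it
    in the user's session so the redirect in step 6 can be tied back to this request.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_authorization_code(redirect_url, expected_state=None):
    """Step 6: pull the code out of the redirect back to your application.

    Refuses the redirect if Rabobank reported an error, if the state does not
    match the one issued in step 2, or if no code is present.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    codes = query.get("code")
    if not codes or not codes[0]:
        raise ValueError("no authorization code in redirect")
    return codes[0]


def token_request(code, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Step 7: form body for exchanging the code at TOKEN_ENDPOINT (RFC 6749 section 4.1.3).

    Returned, not sent, so this example runs offline. The code is single-use;
    never log it or the tokens that come back in step 8.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }


def authorization_header(access_token):
    """Step 9: header carried on every resource request."""
    return {"Authorization": f"Bearer {access_token}"}


def parse_accounts(response):
    """Step 10: reduce the account list to the fields a bookkeeping client needs.

    Only accounts with status "enabled" are returned, so a later consent change
    on the user's side does not leave stale resourceIds in use.
    """
    result = []
    for acct in response.get("accounts", []):
        if acct.get("status") != "enabled":
            continue
        result.append({
            "iban": acct["iban"],
            "resourceId": acct["resourceId"],
            "transactions": acct["_links"]["transactions"],
        })
    return result


# Constructed sample: the page's step-10 response, trimmed to one enabled and
# one disabled account to show the status filter.
SAMPLE_RESPONSE = {
    "accounts": [
        {
            "_links": {"transactions": "/accounts/Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0/transactions"},
            "currency": "EUR", "iban": "NL52RABO0125618484", "name": "Some alias 1",
            "ownerName": "Some company 1",
            "resourceId": "Wp-xhZMGEWRIIgVjPwTC1aKJJ0VCRZ_4bScUVXof7e0", "status": "enabled",
        },
        {
            "_links": {"transactions": "/accounts/hBS4MQ0Oc4LLJRiUiE_R94_-zoU4B2vwnPkXmsGh_bA/transactions"},
            "currency": "EUR", "iban": "NL80RABO1127000002", "name": "Some alias 2",
            "ownerName": "Some company 2",
            "resourceId": "hBS4MQ0Oc4LLJRiUiE_R94_-zoU4B2vwnPkXmsGh_bA", "status": "disabled",
        },
    ]
}

if __name__ == "__main__":
    state = "session-bound-random-value"  # generate with secrets.token_urlsafe() in practice
    print(build_authorization_url(SCOPE_BAI, state))
    code = extract_authorization_code(f"https://localhost/?code=CONSTRUCTED-CODE&state={state}", state)
    print(token_request(code))
    print(parse_accounts(SAMPLE_RESPONSE))
```

The state check is the part worth keeping even if you drop the rest: without it, any redirect that reaches your application with a valid-looking code is accepted, regardless of which user session started the flow.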