The information contained in this section is intended to facilitate TPP in the development of applications using the Postbank PSD2 API.
PSD2 API Sandbox enables training and help developers familiarize themselves with methods of accessing data within PSD2 open banking. The API follows the Berlin Interoperability Interface Interoperability Specifications of the Berlin Group and the BISTRA National Market Initiative. The Postbank API can be enriched to expand scope. The current Sandbox implementation and services are based on BISTRA version 1.3. We encourage you to provide feedback in order for us to improve our services by sending an email to tppsupport@postbank.bg.
Versions
| Product name | Product Version | API name | API Version | Date for Sandbox | Date for production | Date of retire | Maintenance |
| Account Information | v1.0.0 | AIS API | v1.0.0 | 14.03.2019 | 13.09.2019 | - | Yes |
| Account Information | v1.0.0 | AIS API | v1.1.0 | 13.12.2022 | 13.12.2022 | - | Yes |
| Account Information | v1.0.0 | AIS API | v1.2.0 | 13.08.2024 | 13.08.2024 | - | Yes |
| Payment Initiation | v1.0.0 | PIS API | v1.0.0 | 14.03.2019 | 13.09.2019 | - | Yes |
| Payment Initiation | v1.0.0 | PIS API | v1.1.0 | 29.09.2023 | 29.09.2023 | - | Yes |
| Payment Initiation | v2.0.0 | PIS API | v2.0.0 | 13.08.2024 | 13.08.2024 | - | Yes |
| Confirmation Of Funds | v1.0.0 | CFS API | v1.0.0 | 14.03.2019 | 13.09.2019 | - | Yes |
Developer Portal – on-boarding
- Use the GETTING STARTED tab for detailed information. At the bottom of the page you can download complete instructions for the Postbank Developer Portal
- Sign up now to create an account and get started. It is free to join. Create an account by clicking the button on the top right of the portal. After filling in the required information you will receive an e-mail for successful registration
- Log into the Developer Portal by clicking the 'Log in' button on the top right of the portal.
- To use the API you have to register your application. Application registration is available after you login. When you register an application, the application is assigned a unique client ID and client secret. You must use the client ID when you call an API that requires you to identify your application by using a client ID, or a client ID and client secret. Check the API description for the details. When creating your new application, give it a name, a description and a redirect URL. To use PSD2 APIs, you also need to add the public part of a QWAC (Qualified Website Authentication Certificate) when registering your application. For this purpose please use the test certificate from here.
- Once you've created an app, you need to subscribe to the API you want to develop. Select it from the "API PRODUCTS" section and click on the subscription button and select the application you created in step 4.
- After subscribing, you can begin testing.
PSD2 API Information
- APIs in sandbox are secured with TLS Mutual Authentication.
- We do not support JWS client assertion.
- As part of our implementation we support registration of an application with single oAuth2 redirect URLs. The TPP registers a redirect URL when creating an application on the Developer Portal, however once an application has been created and the Client ID and Client Secret generated it can be changed.
- Signing the data requests - in this release signing is not used for all API’s endpoints. Signing on application layer will be mandatory on upcoming releases.
- JSON format is used for services.
- The API sandbox consists of static mocked data for:
-
- Account Information Services (AIS) as defined by article 67 in the PSD2 Directive.
- Payment Initiation services (PIS) as defined by Article 66 in the PSD2 Directive.
- Confirmation on the availability of funds (CFS) as defined by Article 65 in the PSD2 Directive.
- PSU data used for creating consent and request an OAuth2 token.
- API PIS SANDBOX does not provide the ability to perform PSU's SCA tests after initiating a TPP payment.
The approach used for SCA is REDIRECT and after the PSU is redirected to the Bank's authorization site, the action will be taken entirely by the PSU. In the real process, but in the productive environment, after the SCA process is completed, the authorization site will redirect the PSU to the application URL of the TPP application (the URL specified when registering the App in the Developer Portal).
- The character set is UTF 8 encoded. This specification is only using the basic data elements "String", "Boolean", "ISODateTime", "ISODate", "UUID" and "Integer" (with a byte length of 32 bits) and ISO based code lists.
- We do not provide a paginated response for GET operations that return multiple records.
The sandbox uses following accounts:
| API name | IBAN |
| AIS | BG77BPBI000001 BG77BPBI000002 |
| PIS | BG009BPBI000001 BG009BPBI000002 |
| CFS | BG009BPBI000001 BG009BPBI000002 |
Work with the PSD2 APIs
Authorization for using API in Sandbox
For information about the Authorization process, predefined User Credential used for the developing take a look here:
https://developer.postbank.bg/authorization
The callback URL you registered in the application MUST match the redirect_uri you pass as query parameter in this process.
API Endpoints used in Sandbox
| Product name | Endpoint | Scope | Security flow |
| AIS v1.0.0 | ais | accessCode (authorization_code) | |
| PIS v1.0.0 | pis | accessCode (authorization_code) | |
| PIS v2.0.0 | pis | application (client_credentials) | |
| CFS v1.0.0 | cfs | accessCode (authorization_code) |
API Endpoints used in Live
| Product name | Endpoint | Scope | Security flow |
| AIS Live v1.0.0 | aisp | accessCode (authorization_code) | |
| PIS Live v1.0.0 | pisp | accessCode (authorization_code) | |
| PIS Live v2.0.0 | pisp | application (client_credentials) | |
| CFS Live v1.0.0 | cfsp | accessCode (authorization_code) |
Call the API endpoint
To be able to use and connect to the API there are requirements:
- In the request header Authorization with a value of Bearer (also called token authentication) followed by a string of characters. This value WILL be validated in ALL flows.
- X-Request-ID must be unique per request. This is a mandatory header throughout the API.
- Date must be added to request header. This is a mandatory header throughout the API.
Use API’s swagger for other information.
Error Codes and Responses
Every response returned by APIs has a response code. Response codes can be used to check the result of the requests e.g. was the request successful or did it fail.
The following table shows the return codes used by API.
| Status code | Description |
| 200 OK | GET - Request was fulfilled. Also used for COF POST |
| 201 Created | POST Response code where Payment Initiation or Consent Request was correctly performed. |
| 204 No Content | DELETE Response code where a consent resource was successfully deleted. The code indicates that the request was performed, but no content is returned. |
| 400 Bad Request | Validation error occurred. This code will cover malformed syntax in request or incorrect data in payload. |
| 401 Unauthorized | The TPP or the PSU is not correctly authorized to perform the request. Retry the request with correct authentication information. |
| 403 Forbidden | Returned if the resource that was referenced in the path exists but cannot be accessed by the TPP or the PSU. This code should only be used for non-sensitive id references as it will reveal that the resource exists even though it cannot be accessed. |
| 404 Not found | Returned if the resource that was referenced in the path does not exist or cannot be referenced by the TPP or the PSU. |
| 405 Method Not Allowed | This code is only sent when the http method (PUT, POST, DELETE, GET etc) is not supported on a specific endpoint. It has nothing to do with the consent, payment or account information data model. |
| 406 Not Acceptable | The ASPSP cannot generate the content that the TPP specified in the Accept header. |
| 408 Request Timeout | The server is still working correctly, but an individual request has timed out. |
| 415 Unsupported Media Type | The TPP has supplied a media type which the ASPSP does not support. |
| 429 Too Many Requests | The TPP has exceeded the number of requests allowed by the consent or by the RTS. |
| 500 Internal Server Error | Internal server error occurred. |
| 503 Service Unavailable | The server is currently unavailable. |
Additional information about the error may be passed using the data element “tpp_messages” in any JSON response message.
Account information service API (AIS)
Services and end points
| Service | Endpoints | Implemented in version |
| Receive valid consent | GET /consents | AIS Product v1.0.0:
|
| Create consent | POST /consents | AIS Product v1.0.0:
|
| Consent details info | GET /consents/{consent-id} | AIS Product v1.0.0:
|
| Consent status info | GET /consents/{consent-id}/status | AIS Product v1.0.0:
|
| Delete consent | DELETE /consents/{consent-id} | AIS Product v1.0.0:
|
| List of accounts | GET /accounts | AIS Product v1.0.0:
|
| Account details | GET /accounts/{account-id} | AIS Product v1.0.0:
|
| Account balances | GET /accounts/{account-id}/balances | AIS Product v1.0.0:
|
| Account transaction list | GET /accounts/{account-id}/transactions | AIS Product v1.0.0:
|
| Account transaction details | GET /accounts/{account-id}/transactions/{transaction-id} | AIS Product v1.0.0:
|
Rules
Consent:
- the maximum validity of consent is 180 days
Account information service:
- the list of account contains only the accounts the user has given access to TPP
Payment initiation service API (PIS)
Services and end points
| Service | Endpoints | Implemented in version |
| Initiate single payment | POST /payments/{payment-product} | PIS Product v1.0.0:
|
| Initiate single payment | POST /{payment-service}/{payment-product} | PIS Product v2.0.0:
|
| Content of a payment object | GET /payments/{payment-product}/{paymentId} | PIS Product v1.0.0:
|
| Content of a payment object | GET /{payment-service}/{payment-product}/{paymentId} | PIS Product v2.0.0:
|
| Status of payment object | GET /payments/{payment-product}/{paymentId}/status | PIS Product v1.0.0:
|
| Status of payment object | GET /{payment-service}/{payment-product}/{paymentId}/status | PIS Product v2.0.0:
|
| Start the authorisation process for a payment initiation | POST /{payment-service}/{payment-product}/{paymentId}/authorisations | PIS Product v2.0.0:
|
| Read the SCA status of the payment authorisation | GET /{payment-service}/{payment-product}/{paymentId}/authorisations/{authorisationId} | PIS Product v2.0.0:
|
Payment product
- domestic-credit-transfers-bgn
- domestic-budget-transfers-bgn
- sepa-credit-transfers
- cross-border-transfers
Rules
- Only positive amounts will be accepted;
- Initiating payment is possible only from an account with one single owner
- There is daily limits for the payments
Confirmation of funds API (CFS)
Services and end points
| Service | Endpoints | Implemented in version |
| confirm availability of funds | POST /funds-confirmations | CFS Product v1.0.0:
|
Rules
- Only positive amount will be checked