KB API

Banking without borders. Obtain current data and information and control your accounts in your own application with KB API

Partner Service

ACCOUNT DIRECT
ACCESS SANDBOX

Download transaction history and account balance for your accounts conveniently and securely.

What does ADAA do?

The Account Direct Access API (ADAA) service provides secure access to information about:

  • Client’s transaction history
  • Bank account balance

Information about transaction history is provided in connection with current accounts of a client of Komerční banka.

Account balance information is provided in the following details:

  • Account balance
  • Available balance (including card transactions)

Prerequisites

In order to use Account Direct Access API (ADAA), you must have a certificate that is deemed credible by Komerční banka. To obtain such a certificate, it is necessary to apply to:

We support any of the following certificate types:

  • Commercial certificate
  • Employee qualified certificate
  • Company qualified certificate
  • Company commercial technology certificate (server)

Account Direct Access API (ADAA) requires a certificate that contains the organisation name and identification number (IČO). The client must explicitly specify this when applying for the certificate.

Examples

Transactions in an instant

Online stores, clubs, and associations that collect membership fees – all these entities need to actively work with payments. With Account Direct Access API (ADAA), clients can obtain information about payments in real time and subsequently use such information in their processes – such as shipping of goods in online stores or reconciliation of invoices by accounting firms. 

Management of financial flows

Clients may use account balance information for active management of their financial flows. It is possible to monitor balances of individual accounts and subsequently, based on the results, initiate further actions – such as notification that a current account balance is below a specific limit.

Cost / Fees

The Account Direct Access API (ADAA) service is provided free of charge.

 

About ADAA

1. The client logs in to an application that already supports the Account Direct Access API (ADAA) service. The client then works with the relevant data in that application as well.

2. The client must consent to data downloads in the application. This consent is given through one of the available bank authentication methods:

              a. Security password
              b. File-based personal certificate
              c. Smartcard-based personal certificate
              d. KB Klíč

3. The consent is given for a specific period of time of no more than 12 months.

4. Once the consent is given, the relevant third-party application is ready to download data and process transaction history.

Requirements

In order to access the service, the following is necessary:

  • Valid qualified certificate issued by a certification authority that is deemed credible by KB (I.CA, PostSignum).
  • When using the service, we advise you to follow prudent data and system security practices; for our recommendations, see the API Security rules.

Coming soon

We are continuously working on and improving the Account Direct Access API (ADAA) service. The following improvements are coming soon:

  • 2020
    • Notification of a new transaction
    • Transaction history – incrementally, from the last download

Access

In order to access the production version of Account Direct Access API (ADAA), it is necessary to have a certificate that contains the name and identification number (IČO) of the organisation for which the transaction history/account balance data are to be downloaded.

The application developer must register the application as follows:

1. Visit the API portal of Komerční banka, select the relevant service in the section for developers (in this case, select Account Direct Access API - ADAA), and click the service details.

2. In the service details, go to the Using API Step by Step section and select the following:

              a. Test your solution - sandbox for unlimited testing and experiments

3. In order to register your application for testing purposes, you must first register (or sign in if you already have a user account within the KB API portal). In order to register, you need the following:

              a. Email account
              b. Password

4. Once you register / sign in successfully, select “Add Application” and register your application. You only need the following information to register the application:

              a. Application name
              b. Application description

5. The developer then selects the “Sandbox Key” tab to generate an application key.

6. Once the key is generated, it is necessary to register 3 applications:

              a. Oauth2-Sandbox - (version 1)
              b. Oauth2-Software-statements-Sandbox - (version 1)
              c. Account-Direct-Access-API-Sandbox - (version 1)

7. The process is as follows:

              a. Select the “Subscriptions” tab;
              b. Select the specific application you wish to register;
              c. Confirm the registration process.

8. And we are all done!

Authentication

The service is secured in line with the OAuth 2 standard, which provides a high level of security. The client’s consent is therefore required to use the service.

Environment

Environment | Description                     | Update
Sandbox     | https://openbanking.kbcloud.cz/ | 12 December 2019

Limits

Limits are defined per API key – for calls per minute and calls per day; the limits are as follows:

Calls per minute | Calls per day
60               | 3600 x 24 (86,400)

Example of API calls

[Figure: API call diagram]

Issuance of a software statement signed by the bank

  • The statement is signed on the basis of the OAuth2 standard, in line with RFC 7591 for dynamic registration of OAuth2 clients.
  • The statement is necessary for automatic registration of the client’s application, to ensure the application’s credibility and security.
  • Once the API is called successfully, you receive a statement, signed by the bank, in the form of a JWT, with which the client’s application registers with the bank.
  • The JWT must be stored securely in your application or its installations so that they can be registered with the bank. For a detailed API description, see the swagger documentation.

Registration of the OAuth2 agent – client application

  • Registering the client’s application with the bank is subject to the client’s consent to the operation.
  • The registration URI must be opened on the client’s initiative; through it the client logs in with the bank, assigns a name to the application instance registration and signs the operation.

Client’s consent to data downloads via client’s application and obtaining an authorization code (5.)

  • Approval of downloads of the client’s transaction history is subject to the client’s consent to the operation.
  • Bank web service calls are used for this purpose, through which the client consents to access to their accounts.
  • The URI (parameters) must be opened on the client’s initiative; through it the client logs in with the bank and signs the operation.
  • Once the operation is complete, an authorization code is sent to the specified redirectUri; it is used to obtain the refresh and access tokens needed to download client data.

Receive tokens

  • Once you receive an authorization code issued on the basis of the client’s consent to transaction history downloads, it must be exchanged for a refresh token and an access token.
  • The same endpoint is used to obtain a new access token with a refresh token. With an access token (access_token), all ADAA endpoints can be called. For a detailed API description, see the swagger documentation.
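
The consent redirect and the token exchange described in the two sections above, as an added example (not KB's code). Parameter names follow RFC 6749; the URIs, the `adaa` scope value and the use of a client secret are assumptions, and the actual values are in the swagger documentation.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical placeholders; the real URIs and parameter names are in the swagger docs.
AUTHORIZE_URI = "https://bank.example/oauth2/authorize"
REDIRECT_URI = "https://app.example/callback"


def build_consent_uri(client_id, scope="adaa"):  # scope value is assumed
    """Return (uri, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, binds callback to this session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})
    return f"{AUTHORIZE_URI}?{query}", state


def extract_code(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirectUri")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request(client_id, client_secret, *, code=None, refresh_token=None):
    """Form body for the token endpoint: code exchange or token refresh."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=REDIRECT_URI)
    else:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    return body
```

Send the returned body to the token endpoint over TLS as a form-encoded POST, and keep the refresh token out of logs and client-side storage.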

Replace IBAN with an account ID

  • For enhanced security, information about an IBAN must be requested using its ID, which can be obtained through this endpoint.
  • Transaction history and account information downloads are called using the IBAN’s identification number, accountId. For a detailed API description, see the swagger documentation.

Transaction history downloads

  • Endpoint is used to download transaction history for the given account. For detailed API description, see the swagger documentation.

Account balance downloads

  • Endpoint is used to download account information. For detailed API description, see the swagger documentation.

2019-12-12

Sandbox release
