Welcome to Arkéa Developer Portal ! Here, you will be able to use the PSD2 APIs of banks hosted by Arkéa :
- Crédit Mutuel de Bretagne [CMB]
- Crédit Mutuel du Sud-Ouest [CMSO]
- Arkéa Banque Privée [ABP]
- Arkéa Banque Entreprises et Institutionnels [ABEI]
- Arkéa Banking Services [ABS]
- Allianz Banque
We provide RESTful APIs, secured with OAuth V2 (see Sandbox and Production mode description to know how it works). The PSD2 APIs follow STET description and formats. The documentation is available here.
The current version of our APIs follows the 22.214.171.124 STET specifications (this version is designated as "1.4.1" in this web site).
We are currently in the process of providing a new version of our APIs in accordance with the 126.96.36.199 STET specifications (this version is designated as "1.4.2" in this web site) : the migration phase is described here.
You can consult the API documentation without creating an account. To be able to use our API's, you have to create a developer account and, at least, add an application to your account.
For that, you just have to go to the registration form here. You will be invited to provide your contact informations : first name, last name, a user name and a contact email address.
We advise you to avoid giving a personal email address but a company one. Your company's applications will be linked to this developer account and hence should last even if the personal contact leaves your company.
You will then receive a confirmation email to validate your account (follow the instructions provided in this email).
The created account is the same for all banks hosted by Arkea.
An application is required for each bank you want to interact with.
The following informations are requested :
- App Name : the name you want to provide for your application,
- Callback URL : this URL will be used in OAuth V2 flows,
- Bank : the bank hosted by Arkéa the application will interact with,
- TPP identity : your identity in eIDAS format,
- Agent identifier (optional) : if the application is used for an agent,
- Commercial Name : this name will be displayed in bank consent applications,
- Logo URL or Logo (optional : the logo will be displayed in bank consent applications,
- QWAC X.509 Certificate Chain (see below) : optional in sandbox environment,
It will be checked at runtime if specified and if you establish mutual TLS connection,
- QSealC X.509 Certificate Chain (see below) : optional in sandbox environment,
It will be checked at runtime if you establish mutual TLS connection and sign the request.
If the application created for the sandbox has valid eIDAS certificates and TPP identity, the same application will be able to be used in production.
When you create an application with a certificate chain, you have to indicate the QWAC and QSealC public certificate chains (*) . And when you have a new QWAC or a new QSealC, you have to update the application, with the new value. Note that old certificate chain could be still used up to its expiration date. The public certificate chain contains your public certificate and the CA public certificates (intermediate and root authorities). This field is in the PEM format - for instance:
-----BEGIN CERTIFICATE----- MIIHfDCCBWSgAwIBAgIUYImxnz9CjSlR4qjWEwkWHfeBH6kwDQYJKoZIhvcNAQEL <..and so on...> 19elYPNdZhl1pCxAy8dduotshRw2ONI16f8DFSRYmwY/mWCh1oFqEsXoT0mxxYaj -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIHszCCBZugAwIBAgIUNgYGCneQH5TiHtlT8u0h6XcfdmEwDQYJKoZIhvcNAQEL <..and so on...> BkqPNd/MXEMJGdVMKAeNncbqNeAUt13MUNn1NE0G+TQu4aVkYOJfq42gUfJu5ejz 05T1O2pMrA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIF1jCCA76gAwIBAgIUXPhoWe8aK2+a26ov44mnhAwDA6EwDQYJKoZIhvcNAQEL <..and so on...> 2zEVJK4Az1nljA9vTY2dZFNDOSzVK84cio4jQkB1SuTDwL/0a5urw3fUIJgz7YI9 P92ky9jdw1v9Ow== -----END CERTIFICATE-----
Warning: your certificate chain is not checked when you create the application, but at runtime.
(*) Note : A public certificate chain is an ordered list of certificates, containing a public SSL certificate and Certificate Authority (CA) certificates, which enable the receiver to verify that the sender and all CA's are trustworthy.
The chain or path begins with the public SSL certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.
The chain terminates with a Root CA Certificate.
When you create an application in developer portal, you have to indicate for each QWAC and QSealC fields, the whole ordered list of certificates.
The sandbox is described here.
The Production is described here.
In case of a system breakdown or unexpected unavailability of the PSD2 APIs, the contingency measures are defined. You can consult the documentation here.