Get started

Introduction

Welcome to Arkéa Developer Portal ! Here, you will be able to use the PSD2 APIs of banks hosted by Arkéa :

  • Crédit Mutuel de Bretagne [CMB]
  • Crédit Mutuel du Sud-Ouest [CMSO]
  • Fortuneo
  • Arkéa Banque Privée [ABP]
  • Arkéa Banque Entreprises et Institutionnels [ABEI]
  • Arkéa Banking Services [ABS]
  • BPE
  • Allianz Banque
  • Axa Banque

We provide RESTful APIs, secured with OAuth V2 (see Sandbox and Production mode description to know how it works). The PSD2 APIs follow STET description and formats. The documentation is available here.

We are currently providing a new version of our APIs in accordance with the 1.4.2.18 STET specifications (this version is designated as "1.4.2" in this web site)

Registration

You can consult the API documentation without creating an account. To be able to use our API's, you have to create a developer account and, at least, add an application to your account. 
For that, you just have to go to the registration form here. You will be invited to provide your contact informations : first name, last name, a user name and a contact email address.
We advise you to avoid giving a personal email address but a company one. Your company's applications will be linked to this developer account and hence should last even if the personal contact leaves your company.
You will then receive a confirmation email to validate your account (follow the instructions provided in this email).
The created account is the same for all banks hosted by Arkea.
 
An application is required for each bank you want to interact with.
The following informations are requested :

  • App Name : the name you want to provide for your application,
  • Callback URL : this URL will be used in OAuth V2 flows,
  • Bank : the bank hosted by Arkéa the application will interact with,
  • TPP identity : your identity in eIDAS format,
  • Agent identifier (optional) : if the application is used for an agent,
  • Commercial Name : this name will be displayed in bank consent applications,
  • Logo URL or Logo (optional : the logo will be displayed in bank consent applications,
  • QWAC X.509 Certificate Chain (see below) : optional in sandbox environment,
    It will be checked at runtime if specified and if you establish mutual TLS connection,
  • QSealC X.509 Certificate Chain (see below) : optional in sandbox environment,
    It will be checked at runtime if you establish mutual TLS connection and sign the request.

If the application created for the sandbox has valid eIDAS certificates and TPP identity, the same application will be able to be used in production.

 

Certificate chains

When you create an application with a certificate chain, you have to indicate the QWAC and QSealC public certificate chains (*) . And when you have a new QWAC or a new QSealC, you have to update the application, with the new value. Note that old certificate chain could be still used up to its expiration date. The public certificate chain contains your public certificate and the CA public certificates (intermediate and root authorities). This field is in the PEM format - for instance:

-----BEGIN CERTIFICATE-----
MIIHfDCCBWSgAwIBAgIUYImxnz9CjSlR4qjWEwkWHfeBH6kwDQYJKoZIhvcNAQEL
<..and so on...>
19elYPNdZhl1pCxAy8dduotshRw2ONI16f8DFSRYmwY/mWCh1oFqEsXoT0mxxYaj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHszCCBZugAwIBAgIUNgYGCneQH5TiHtlT8u0h6XcfdmEwDQYJKoZIhvcNAQEL
<..and so on...>
BkqPNd/MXEMJGdVMKAeNncbqNeAUt13MUNn1NE0G+TQu4aVkYOJfq42gUfJu5ejz
05T1O2pMrA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF1jCCA76gAwIBAgIUXPhoWe8aK2+a26ov44mnhAwDA6EwDQYJKoZIhvcNAQEL
<..and so on...>
2zEVJK4Az1nljA9vTY2dZFNDOSzVK84cio4jQkB1SuTDwL/0a5urw3fUIJgz7YI9
P92ky9jdw1v9Ow==
-----END CERTIFICATE-----

Warning: your certificate chain is not checked when you create the application, but at runtime. 

(*) Note : A public certificate chain is an ordered list of certificates, containing a public SSL certificate and Certificate Authority (CA) certificates, which enable the receiver to verify that the sender and all CA's are trustworthy.
The chain or path begins with the public SSL certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.
The chain terminates with a Root CA Certificate.
When you create an application in developer portal, you have to indicate for each QWAC and QSealC fields, the whole ordered list of certificates.

Certificate data must be separated by line breaks, not spaces

 

Sandbox

The sandbox is described here.

Production

The Production is described here.

 

Contingency measures

In case of a system breakdown or unexpected unavailability of the PSD2 APIs, the contingency measures are defined. You can consult the documentation here.

Support

The API documentation is available here.
In case you are not able to find what you are looking for in the documentation or in the FAQ, you can use our Contact form.