Frequently Asked Questions

Your application's Client Secret is stored encrypted, so we can't retrieve the unencrypted version to tell you the value if you forgot it. If you reset it, the stored value will be updated and returned to you. To do this, click "Apps" in the main menu, click the appropriate application, and then click the Reset link in the section "Client Secret".
Your new secret will appear at the top of the page.

A plan is a collection of API resources or a subset of resources from one or more APIs. A plan can contain different HTTP request methods like GET, PUT, POST and DELETE from various APIs. A plan can have a common rate limit for all the resources or each resource can have its own individual limit. Rate limits specify how many requests are allowed for an application during a given time interval.

You may use the developer portal to browse the different plans that are available. Select the plan that best fits your needs. Some plans have restricted access. To gain access, please submit a request to our API administrator.

When you add an application, you will receive a customer ID and a "client secret". You must specify the customer ID when you call an API that requires you to identify your application by a customer ID or a customer ID and a client secret. 

To register an application, click on “Apps” in the main menu and then on the "Register an application" link. Once you have entered an application name, description, etc., your application client ID and client secret will be displayed. Make a note of your "client secret" as it will only be displayed once. You must specify the "client secret" when calling an API that requires you to identify your application by a customer ID and a customer secret.

If you have problems with the registration in the sandbox, please contact us via the menu item Contact (xs2a-support@santander.de). Please describe the problems as precisely as possible (e.g. registered e-mail address) so that we can solve them as quickly as possible.

By giving your app a name it should be possible to create your app. You can also enter your email address, phone number and a short description of your app. To create your app successfully, please make sure you check the Enable Authentication box.
If you still have problems creating your app, please contact us (xs2a-support@santander.de).

In principle, there is no limit to the number of Apps you are allowed to register. However, we recommend specifying the title and description as precisely as possible to make managing your Apps as easy as possible. You may assign additional APIs or you may remove previously subscribed APIs.

Santander Consumer Bank will release fully PSD2/Berlin Group compliant APIs in 2019 that use the EIDAS certificate for authentication and include all requirements described in the Berlin Group standards.

The Santander API environment is usually free. We reserve the right to change our prices for very specific API services in the future.

Please use our contact form to easily place your feature request.

After you have finished sandbox testing, it is time to move to the live environment.

We have described the required steps in a separate document which you will receive from here.

Santander does not support custom test data in this version of Market Place.

The current scope of our API focuses exclusively on German current accounts.

The API Explorer enables you to implement your Apps quickly and to review the data exchanged during API calls.

Please follow these steps to use the API Explorer:
1. Select a plan and subscribe to an API
2. You will receive a Client-ID and a Client Secret, which you should keep safe; you will need both keys to generate an access token according to OAuth2
3. Build and test your App

In order to test your App you will need test data. The test documentation can be downloaded from the link given in the footer of the API Portal. The link will be visible for users logged in to the portal.

The sandbox is the dedicated environment for testing your application. It contains a simulator for the various API responses. You may use any REST-capable client like POSTMAN for execution, but you need to use the provided credentials (Client-ID and Client Secret).
The simulator only supports the exact requests explained in the documentation of each API. To get a response, the request has to match specific input parameters like IBAN, consent-ID, transaction-ID, etc. If the simulator gets a request that does not match a request from the documentation, it will return a corresponding error message.
The security mechanisms of the sandbox are the same as those of the production environment. In contrast to the production environment, the sandbox has no consent page for the authorization code grant flow. The consent is given implicitly, allowing you to test the complete flow without any physical user interaction. The test documentation can be downloaded from the link given in the footer of the API Portal. The link will be visible for users logged in to the portal.

To access the PSD2 API endpoint you also need to subscribe to the “Security” API. This API comes with an /authorize endpoint and a /token endpoint. For sandbox testing you will only make use of the /token endpoint, as you will authorize your calls to the PSD2 API with a Client ID and Client Secret pair. As per the HTTP standard, valid authorizations via the /token endpoint require a Base64-encoded Client ID and Client Secret string, i.e. the encoding of

Base64(“2eaa5f03-307b-4b40-8945-9db2314a3358:O5tV4lL7kG3eT8xY4qY3gS3uL2gJ5gS6oO7bE8fB2rC1fI3uJ1”) yields e.g.

“MmVhYTVmMDMtMzA3Yi00YjQwLTg5NDUtOWRiMjMxNGEzMzU4Ok81dFY0bEw3a0czZVQ4eFk0cVkzZ1MzdUwyZ0o1Z1M2b083YkU4ZkIyckMxZkkzdUox”

An example call to the API could look like this (only the most relevant fields displayed):

Access token request (POST /token)

POST https://apigateway-sandbox.api.santander.de/scb-openapis/sx/oauthsos/password/token
Authorization: Basic MmVhYTVmMDMtMzA3Yi00YjQwLTg5NDUtOWRiMjMxNGEzMzU4Ok81dFY0bEw3a0czZVQ4eFk0cVkzZ1MzdUwyZ0o1Z1M2b083YkU4ZkIyckMxZkkzdUox

grant_type: client_credentials

Access token response

200 success
{"access_token":"9ad37345-5fd2-4ee6-8088-12f61d223da0","token_type": "bearer","expires_in":599,
"scope":"payments.write fundsconfimations.read consents.write consents.read accounts.read payments.read"}

API call (e.g. POST /consent)

POST https://apigateway-sandbox.api.santander.de/scb-openapis/sx/v1/consents
Authorization: Bearer 9ad37345-5fd2-4ee6-8088-12f61d223da0
X-IBM-Client-Id: 2eaa5f03-307b-4b40-8945-9db2314a3358
X-Request-ID: 12345
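
The sandbox flow above, written as Python request builders with token expiry and scope checks (an added example, not Santander's code). Assumptions: grant_type is sent form-encoded as in RFC 6749, the consents body is JSON, POST /consents needs the consents.write scope, and X-Request-ID is a fresh UUID per call; all function and class names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request
import uuid

BASE = "https://apigateway-sandbox.api.santander.de/scb-openapis/sx"

def basic_auth(client_id: str, client_secret: str) -> str:
    """Basic credential: Base64 of 'client_id:client_secret'."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")

def token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    # Assumption: grant_type travels form-encoded in the body (RFC 6749).
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        BASE + "/oauthsos/password/token", data=body, method="POST",
        headers={"Authorization": basic_auth(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"})

class AccessToken:
    """Parsed /token response with an absolute expiry time."""
    def __init__(self, response_body: str, received_at: float):
        doc = json.loads(response_body)
        if doc.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.value = doc["access_token"]
        self.scopes = set(doc.get("scope", "").split())
        self.expires_at = received_at + int(doc["expires_in"])

    def usable(self, now: float, margin: int = 30) -> bool:
        # Expire slightly early so a call in flight is not rejected when
        # expires_in (599 s in the sample response) runs out.
        return now < self.expires_at - margin

def consent_request(token: AccessToken, client_id: str, payload: dict,
                    now: float) -> urllib.request.Request:
    if not token.usable(now):
        raise RuntimeError("access token expired; request a new one")
    if "consents.write" not in token.scopes:  # assumed scope for this call
        raise PermissionError("token lacks the consents.write scope")
    return urllib.request.Request(
        BASE + "/v1/consents", data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + token.value,
                 "X-IBM-Client-Id": client_id,
                 "X-Request-ID": str(uuid.uuid4()),
                 "Content-Type": "application/json"})
```

Pass `time.time()` as `received_at` and `now`, send the requests with `urllib.request.urlopen`, and load the Client Secret from the environment or a secret store rather than from source code.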

Deleting your account will also delete any APIs you may already have registered in the API Market.

You can delete your account via your profile.