- General information
- Access & Identification of TPP
- On-boarding of new TPPs
- OAuth as a Pre-step
- Consent endpoints
- AIS endpoints
- PIS endpoints
- CBPII endpoints
Our sandbox environment provides the means by which to perform limited testing of our API calls without requiring real user accounts. (e.g. to test formatting, errors etc)
Endpoints and interactions are as described in the general API documentation, except where otherwise discussed here.
This is a minimum viable product; we value feedback and suggestions for improvements. We don’t currently recommend to go directly to a full public rollout after testing with the sandbox alone, although it should be a useful starting point.
https://xs2a.tech26.de/sandbox
This is as described for the real interface, and all valid QWAC certificates are accepted. If you are facing issues accessing this interface using a test certificate, please reach out to us with the following:
- The certificate used to access the interface
- Details of the request and response received
This may be simulated as follows:
- Make a request to /sandbox/oauth2/authorize providing a redirectUrl and a hashed code verifier.
- Make a request to /sandbox/psu-interaction/generate-auth-code to generate an authorisation code (this simulates the user interaction).
- Make a request to /sandbox/oauth2/token with the auth code and the code verifier to get an access token. In reality, the auth code should be appended to your URL by a redirect from N26, but we do not cover that case here.
This begins the authorization process. In reality, users should be redirected to the URL supplied in the response, but we provide a dummy URL for the time being.
GET /sandbox/oauth2/authorize?client_id=PSDDE-BAFIN-000001&
scope=DEDICATED_AISP&
code_challenge=w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI&
redirect_uri=https://tpp.com/redirect&
response_type=CODE&
state=1fL1nn7m9a
HTTP/1.1
HTTP/1.1 302 Found
location: https://app.n26.com/open-banking?requestId=0daa152a-651a-4592-8542-47ff60799deb&state=1fL1nn7m9a&authType=XS2A
For sandbox, this endpoint replaces the following user interaction on the real API:
- The TPP redirects the PSU to the URL returned by the authorize endpoint.
- We communicate directly with the PSU to give them an authorization code.
- The PSU redirects back to the TPP, providing the authorization code.
Because we don’t have equivalent UI for sandbox (and because it’s easier for automated testing), we replace this entire flow with a single call to the following endpoint, which returns an authorisation code directly without requiring a redirect to and from N26.
You can also provide an email for the user you want to authorize, using parameter user, by default the email of the user is [email protected].
POST /sandbox/psu-interaction/generate-auth-code/{requestId}?role=DEDICATED_AISP&[email protected]
HTTP/1.1
{
"code": "j1Q70A6a11AOnvav221Fc8t04TTdH5eEEWh2+WcVdBd3qkal2zBIkBJ9rCdPb4vWBYCkdO4Vhebe9EP0v4o/L2UWKctYljCqAYjJ04OHTuU="
}
POST /sandbox/oauth2/token?role=DEDICATED_AISP HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=j1Q70A6a11AOnvav221Fc8t04TTdH5eEEWh2+WcVdBd3qkal2zBIkBJ9rCdPb4vWBYCkdO4Vhebe9EP0v4o/L2UWKctYljCqAYjJ04OHTuU=&
code_verifier=foobar&
redirect_uri=https://tpp.com/redirect
HTTP/1.1 200 OK
{
"access_token": "{{access_token}}",
"token_type": "bearer",
"refresh_token": "{{refresh_token}}",
"expires_in": {{expires_in_seconds}}
}
Consent interactions are the same as for the real API, except that some edge cases may not be covered identically. We also have an additional endpoint allowing TPPs to simulate the SCA flow (described below).
All endpoints are prefixed with /sandbox compared to the live system so, for example, the root URL for consents would be:
https://xs2a.tech26.de/sandbox/v1/berlin-group/v1/consents
And the root URL for CBPII consents would be:
https://xs2a.tech26.de/sandbox/v1/berlin-group/v1/consents/confirmation-of-funds
As described in our AISP documentation, we currently use the DECOUPLED SCA flow to establish consent, which means that the normal sequence of events from a TPP perspective is:
- POST /consents to create the consent
- Instruct the user to confirm with N26 directly (in our mobile app).
- In the meantime, poll the consent status
For sandbox, step 2 is replaced by an endpoint which simulates the PSU interaction without requiring UI, similar to what is done for the authorisation code above, so the flow changes to:
- POST /consents to create the consent
- POST /psu-interaction/consents/{consentId}/scas to simulate SCA
- In the meantime, poll the consent status
You can pass “APPROVED” or “REJECTED” to this endpoint, which is equivalent to the user confirming or cancelling in the N26 app. The consent status will update accordingly.
POST /sandbox/psu-interaction/consents/{consentId}/scas
HTTP/1.1
{
"result": "APPROVED"
}
HTTP/1.1 204 No Content
These endpoints currently respond with dummy data. You can expect requests to be validated for correct syntax and valid responses to be returned.
All endpoints are prefixed with /sandbox compared to the live system so, for example, the root URL for accounts would be:
https://xs2a.tech26.de/sandbox/v1/berlin-group/v1/accounts
These endpoints currently respond with dummy data. You can expect requests to be validated for correct syntax and valid responses to be returned.
All endpoints are prefixed with /sandbox compared to the live system so, for example, the root URL for payments would be:
https://xs2a.tech26.de/sandbox/v1/berlin-group/v1/payments
For PIS endpoints, we provide a set of user emails listed in the below table, which simulate different use cases. For example, logging in with the email [email protected] will show how the payment status changes in the default happy path, in the following order: RCVD (Immediately after the payment creation) -> ACCP (2 seconds after the previous status) -> ACFC -> ACSC:
| User email | Use case description | Payment Status/Time | Payment Status/Time after previous status | Payment Status/Time after previous status | Payment Status/Time after previous status |
|---|---|---|---|---|---|
| [email protected] | Payment is successful | RCVD / After creating payment | ACCP / 2 seconds | ACFC / 2 seconds | ACSC / 2 seconds |
| [email protected] | Payment is successful after customer selects account to initiate the payment from | RCVD / After creating payment | ACCP / 5 seconds | ACFC / 5 seconds | ACSC / 5 seconds |
| [email protected] | Payment fails after customer account selection expires | RCVD / After creating payment | RJCT / 5 seconds | ||
| [email protected] | Payment fails because customer rejects certification | RCVD / After creating payment | RJCT / 2 seconds | ||
| [email protected] | Payment fails, user is not authorised to initiate a payment from given account | ||||
| [email protected] | Payment fails, provided account does not exist |
In addition to the users listed above, the below users are also available to see periodic payment user flows.
| User email | Use case description | Payment Status/Time | Payment Status/Time after previous status | Payment Status/Time after previous status | Payment Status/Time after previous status |
|---|---|---|---|---|---|
| [email protected] | Payment is successful | RCVD / After creating payment | ACCP / 2 seconds | ACFC / 2 seconds | ACSC / 2 seconds |
| [email protected] | Payment fails cause customer rejects certification | RCVD / After creating payment | RJCT / 2 seconds |
As described in our PISP documentation, customers are required to accept specific Terms and Conditions in order to perform instant transfers. Calling the endpoint below assumes the customer has already accepted the Terms and Conditions:
POST /sandbox/v1/berlin-group/v1/payments/instant-sepa-credit-transfers
If you would like to test the redirection performed when the customer has not accepted the Terms and Conditions, you can include an additional parameter called signed in your request in order to be redirected to the provided URI:
POST /sandbox/v1/berlin-group/v1/payments/instant-sepa-credit-transfers?signed=https://n26.com HTTP/1.1
HTTP/1.1 307 Temporary Redirect
Location: https://n26.com
As described in our PISP documentation, we currently use the DECOUPLED SCA flow to confirm payment initiation, which means that the normal sequence of events from a TPP perspective is:
- POST /payments to create the payment
- Instruct the user to confirm with N26 directly (in our mobile app).
- In the meantime, poll the payment status
If you choose not to use one the emails and use cases specified above, please note that the API function differently. By default, as soon as you query the payment status, you will receive that the payment was accepted. This means that the flow changes to:
- POST /payments to create the payment
- Payment is immediately considered to be accepted without any other action required.
- Poll the payment status; you’ll get back that it’s been accepted.
If you want to test the polling case more thoroughly, you can store state on the client side and use an additional header when calling the GET payment/payment status endpoints, as shown in the following sample request.
GET /sandbox/v1/berlin-group/v1/payments/sepa-credit-transfers/{{paymentId}}/status HTTP/1.1
Authorization: bearer {{access_token}}
X-Request-ID: {{Unique UUID}}
X-Sandbox-Transaction-Status: RCVD
Content-Type: application/json
{
"transactionStatus": "RCVD"
}
These endpoints currently respond with dummy data. You can expect requests to be validated for correct syntax and valid responses to be returned.
All endpoints are prefixed with /sandbox compared to the live system, so for example for the root URL for funds confirmation would be:
https://xs2a.tech26.de/sandbox//v1/berlin-group/v1/funds-confirmations