For Developers
The best way to discover our APIs is to try them out in our sandbox. You can create test APIs in the sandbox, like those in production, but with mock data.
All our sandbox APIs are available free of charge for all registered developers.
See our FAQ for the most common questions.
1) Register on OP Developer
Sign up to access our sandbox APIs.
2) Test APIs in sandbox
After a successful registration and login you are ready to create a sandbox application by choosing relevant APIs from the list and filling in the basic information for the application.
As a result, you now have an API key and API secret that are used to access the selected sandbox APIs.
You are now ready to take the selected APIs into use. To do this, see the technical overview below. After that, go through the detailed integration instructions under the selected API product’s documentation.
3) Request production access
Each production access requires a formal agreement and is processed case-by-case. See the detailed production onboarding, pricing, and usage instructions in the API’s documentation. For a quick preview, see onboarding information under each product.
Technical overview
Security
Additional Security measures and requirements for authentication and authorization depend on the API. Security requirements vary case-by-case and will be explained in the API documentation.
The table below describes our general principles for API security.
Note that for all security levels the client application must be registered, and API requests are made over HTTPS.
Some APIs (e.g., PSD2 APIs) require the use of mutually authenticated TLS 1.2 (mTLS).
Security level | Access Control Requirements |
High | The client app must be authenticated and authorized to use the API. A user (client) can be authorized by using mutual TLS. Transmitted payload can be verified by using HMAC. Strong customer authentication (SCA) is required. |
Restricted | The client app must be authenticated and authorized to use the API. A user (client) can be authorized by using mutual TLS. Transmitted payload can be verified by using HMAC. |
Basic | The client app must be authenticated and authorized to use the API. A user (client) can be a technical user, e.g. a system or a process. |
Open | - |
Authentication
In sandbox, most of our APIs also support static tokens for simulating authorization. Static tokens can be used in the x-authorization or Authorization header, depending on the API.
The following static tokens are available for use:
Token |
6c18c234b1b18b1d97c7043e2e41135c293d0da9 |
b6910384440ce06f495976f96a162e2ab1bafbb4 |
7a66629ddf3691a66eb6466ab7a9f610de531047 |
3af871a0e3ebfc46f375ff2b63d1414982bd4f76 |
Versioning
Each API bears a version number in its uri, e.g. sandbox.apis.op.fi/v1/accounts. Major versions of each API are not compatible. However, minor updates and version bumps will retain backwards compatibility; these will not be reflected in the URI.
Requests
The following headers are recommended for each request:
Name | Example | Description |
x-api-key | a161-43ee-b222 | (Required) API key of the client app |
x-session-id | c38a-11e7-abc4 | (Optional) Session identifier for in-memory data |
x-request-id | string | (Optional) Unique ID for the request (not validated at the moment) |
x-authorization / Authorization | see authentication | (Required) Authorization token |
Currently, all sandbox APIs have a limit of 1000 requests / day for each application. If you exceed the daily limit, the server responds with HTTP status code 429 and three headers: X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset. Of these, the latter describes the period of time after which the rate limit will be reset.
Responses
Successful operations are indicated by HTTP status codes in the range 200-399.
Below is a list of the most common HTTP status codes.
Code | Message | Description |
200 | OK | The has been completed successfully. |
201 | CREATED | The resource has been successfully created. |
400 | BAD REQUEST | Some headers, parameters, or payload contents are missing or invalid. Retrying the same request again will not succeed. |
401 | UNAUTHORIZED | Invalid or missing authentication/authorization. |
403 | FORBIDDEN | The authenticated/authorized user or application does not have access rights to the requested. |
429 | TOO MANY REQUESTS | The client application has exceeded its rate limit. The application must wait until the limit expires. |
500 | INTERNAL SERVER ERROR | A system error prevented the operation from being completed. |
503 | SERVICE UNAVAILABLE | The service is temporarily unavailable due to e.g. overload or maintenance. |
Errors
Occasionally, API calls fail. In these cases, the error type is indicated by an HTTP status code, and a further error description will be provided in the error payload.
Authorization flows are a notable exception: in some cases, providing accurate error descriptors is considered unsafe and only a general error page will be returned.
The following table describes the contents of a typical error payload:
Field | Required | Description |
Id | yes | A unique identifier for the error. |
Level | yes | Error level: FATAL, ERROR or WARN. For a FATAL, no retry is likely to succeed without server side maintenance measures. An ERROR may be temporary and the request may be retried later. A WARN level error indicates that some part of the execution of the operation went wrong, but that the operation was nonetheless successful. |
Type | yes | Errors are of type SECURITY, VALIDATION, TECHNICAL and BUSINESS. Errors of type BUSINESS will be accompanied by a business specific error code and an optional detailed error code. |
Message | yes | A human-readable description of the error condition. |
Code | no | An error code defined by the application, for errors of type BUSINESS only. |
DetailedConstraitViolations | no | A map of validation fields and constraints that failed, for errors of type VALIDATION only |
Below is a sample error payload.
{
"errors": [
{
"id": "G_-20343744:143e886a59f:-7ff9",
"level": "ERROR",
"type": "BUSINESS",
"message": "Account balance exceeded",
"code": "ACC_ERR_123"
}
]
}
Contact
If you need support, want to give us feedback or have any other inquiry, don't hesitate to contact us.
You can reach us either by filling this form or by emailing us at api@op.fi. We will get back to you as soon as possible.
If you would like a reply to your feedback, please provide your email address.