General Overview

The purpose of this page is to help and guide developers who would like to implement applications that accesses the data of customers (resource owner) of DHB Bank. This document demostrates ways of API usage, explains challanging parts of APIs and describes TPP on-boarding and requests signing. The details on each endpoint can be found in swagger file under API documentation.

DHB Bank PSD2 infrastructure is an invitative platrorm for developers to build new products and services based on a set of APIs. Under PSD2 regulation, TPPs (Third Party Payment Service Provider) will be under supervision of the Financial Supervision Authority in one of the member states in the European Union. Being under supervision brings set of rights as well as a set of obligations.

DHB Bank PSD2 APIs allows accessing data of customers of the DHB Bank in Germany and the Netherlands. DHB Bank PSD2 API follows standards described in the Berlin Group standard NextGenPSD2 XS2A Framework Implementation Guidelines version 1.2 (BGS) and API documentation. 

Main URLs of DHB Bank PSD2 Environments

We strongly recommend TPPs to signup before enrolling to our sandbox environment. We will assist you throughout your enrollment and testing. The following URLs are our main URLs for our sanbox and production environments.

  • Sandbox environment: https://sandbox.dhbbank.com
  • Production environment: https://api.dhbbank.com

DHB Bank Design choices on PSD2 APIs

There are several design aspects that we have taken into our implementation that requires TPPs to understand it for their applications to work with PSD2 APIs of the DHB Bank. They are as following:

  • preOAuth authorisation mode. DHB Bank OAuth2 infrastreucture requires an authentication of a resource owner (PSU, which is also DHB Customer) in a pre-step, translating this authentication into an access token. Access token is mandatory for any other API call to PSD2 APIs of DHB Bank. 
  • DHB Banks offers a redirect integration method as main way of integration for the TPP and the PSU. Decoupled integration method supported for PIS to guaratee the integrity of the initiated payments. For decoupled integration customers of DHB Bank must use their assigned Digipass.
  • The exposure of data is done through RESTful services. 

DHB Bank PSD2 infrastructure OAuth Flows

Access Token Request Flow


Refresh Token Request Flow

Authorize  request

GET {dhburl}/auth/oauth/authorize?response_type=code&state={state}&client_id={clientId}&scope={scope}&redirect_uri={redirectUrl}

Example request with HTTP GET

[GET /auth/oauth/authorize?response_type=code&state=&client_id=ClientId&scope=FUND_AVAILABILITY%20ACCOUNT_INFORMATION%20PAYMENT_INITIATION&redirect_uri=%2F HTTP/1.1]

Access Token Request:

POST {dhburl}/auth/oauth/token Header  Content-Type: application/x-www-form-urlencoded        Authorization: Basic BASE64(CLIENT_ID + ":" + CLIENT_SECRET)Body     grant_type=authorization_code&code={code}&redirect_uri={ redirectUrl }&client_id={ClientId}

Example request with HTTP POST

[POST /auth/oauth/token HTTP/1.1Authorization: Basic Q2xpZW50SWQ6c2VjcmV0grant_type=authorization_code&code=6v9JDP&redirect_uri=%2F&client_id=ClientId]

Example Token Response

Access Token    2c2e3b1b-e719-42b4-903a-8049ce07a7cdToken Type    bearerrefresh_token    e6554a28-d648-4968-b4bc-5b8bb5818150expires_in    19scope        ACCOUNT_INFORMATION FUND_AVAILABILITY

Refresh Token Request:

POST {dhburl}/auth/oauth/token Header Content-Type: application/x-www-form-urlencoded        Authorization: Basic BASE64(CLIENT_ID + ":" + CLIENT_SECRET)Body     grant_type= refresh_token&refresh_token={refreshToken} 

Example request

[POST /auth/oauth/token HTTP/1.1Authorization: Basic Q2xpZW50SWQ0OnNlY3JldA==grant_type=refresh_token&refresh_token=e6554a28-d648-4968-b4bc-5b8bb5818150]

Example Token Response

Access Token    2c2e3b1b-e719-42b4-903a-8049ce07a7cdToken Type    bearerrefresh_token    e6554a28-d648-4968-b4bc-5b8bb5818150expires_in    19scope        ACCOUNT_INFORMATION FUND_AVAILABILITY

Expired token result example

Response status  401

{    "error": "invalid_token",    "error_description": "Access token expired: 2c2e3b1b-e719-42b4-903a-8049ce07a7cd"}

Response status  401

{    "error": "invalid_token",    "error_description": "Invalid access token: e6554a28-d648-4968-b4bc-5b8bb5818150"}

Are you curious to see what you can do with the Account Information Service API?