Changelog

Release 2021-03-31-132816

  • [XS2A][Deprecation Warning] Added new customerOnline and customerIpAddress attributes on the synchronization creation endpoint. customerOnline allows to define wether the customer is actively using your app or not.
    • When customerOnline is set to true, it means your customer is actively using your app and you that must set the customerIpAddress. This IP address is then forwarded to the financial institution and allows you to make as many attended calls per day as needed.
    • In the case customerOnline is set to false, it means this is an unattended synchronization and you cannot access the account information more than 4 times a day (according to PSD2, no technical limitation exist on the Ibanity XS2A side). 
    • While it was not the case in the past, financial institutions are starting to check illegal unatended calls to their APIs, and you should implement these attributes as soon as possible to avoid any trouble. The customerOnline attribute will eventually be mandatory. In the meantime, if this attribute is not set, we will behave as if the customer was online to avoid any interruption of services.
  • [XS2A] Improved UI for our authorization portal (used during the decoupled authorization flow of N26 and Deutsche Bank)

Release 2021-02-17-083018

  • [Ponto Connect] Complete refactoring of the authorization flow. Your customers can now create their Ponto account, link their bank accounts and grant you access to them in one simple flow
  • [Ponto Connect] Added a new onboarding details resource. It allows you to simplify your customers' onboarding even more by pre-filling the  onboarding forms for them.
  • [Codabox Connect] Added the new Codabox Connect product on Ibanity. This first version allows  you to access your customer's credit cards statements .
  • [XS2A] Avoid revoking customer credentials on the first refusal of the ASPSPs. We now retry during 6 hours before revoking them permanently. It allows to cope with temporary issues on the ASPSPs side.
  • [XS2A] Added Payment initiation support on much more banks.
  • [XS2A]  Fix a bug in the payment initiation request delete endpoint.
  • [XS2A] Added support for banks with a decoupled step in their authorization flow (e.g. the new N26 API and Deutsche Bank Group). In this case we redirect the customer to our authorization portal (authorization.ibanity.com) to ask them to open their banking app and approve the request.
  • [XS2A] Fix a bug in the sandbox preventing the synchronization of more than 10 transactions.

Release 2020-12-03-124430

  • [Ponto Connect] Added a new revoke account endpoint. It allows to remove an account from your integration. (The bank account will not be deleted from the Ponto account itself).
  • [Ponto Connect] The revoke refresh token endpoint  now works even if the related organization is currently blocked. It allows you to be sure you wont be charged for that integration if we unblock the organization afterward (because they paid their outstanding invoices).
  • [Ponto Connect] Added a new delete organization integration endpoint. It provides an alternative method to revoke the integration (in addition to the revoke refresh token endpoint). This endpoint remains accessible with a client access token, even if your refresh token is lost or expired.
  • [Isabel Connect] [breaking change] The offset and size query parameters are not supported anymore on the list balances endpoint. (You should now use from and to to control the returned balances).

Release 2020-11-05-135715

  • [Ponto Connect] You can now upload your application logo on our developer portal. It will be shown in the integrations page on the Ponto dashboard.
  • [XS2A] Added new maintenanceType, maintenanceFrom and maintenanceTo attributes on the financial institutions . Allowing you to know if there is an ongoing or scheduled maintenance. When maintenanceType is 'internal' it means we are working on the connection and no data access is possible. When maintenanceType is 'financialInstitution' it means that the data saved in Ibanity are available in read-only mode. (Creating an account information access request, payment initiation request or synchronization will fail with a 503 Service Unavailable instead of a 500 before).
  • [XS2A] Related to the maintenance status of the financial institutions, added an availability meta attribute.  It will be set to 'readonly' during a financialInstitution maintenance and to 'available' otherwise.
  • [XS2A] Added a new financialInstitutionCustomerReferenceRequired attribute on the financial institutions. When set to true, it means that you have to fill the new financialInstitutionCustomerReference attribute when creating an account information access request to the PSU login on the financial institution interface. (Only required by Deutsche Bank and MeDirect at the moment).
  • [XS2A] The country attribute on the financial institutions might now be null, in this case in means the financial institution isn't specific to a country. (e.g. Paypal and international corporate channels like ING InsideBusiness).
  • [XS2A] You can now paginate the financial institutions using a paged based pagination strategy in addition to the default cursor based strategy. It might be useful when presenting the financial institution list in your frontend. To use this pagination strategy you should use the new page[number] and page[size] query parameters.
  • [XS2A] [Deprecation Warning]  The pagination query parameters before, after and limit  are now deprecated and should be replaced by page[before], page[after] and page[limit].
  • [XS2A] Added new sharedBrandName and sharedBrandReference attributes on the financial institutions. When set it contains the name and reference of a brand shared by multiple banks (e.g. the "Caisses régionales" of the Crédit Agricole in France, or the ~400 Sparkassen in Germany). You can fetch all financial institutions sharing a brand whith the filter query parameter: e.g. ?filter[sharedBrandReference][eq]='creditagricole-fr'.
  • [XS2A] Added a new like filter query parameter on the financial institution name. Allowing you to find financial institutions based on user input containing typos.
  • [XS2A] Added a new financial institution country resource. It provides a list of the unique countries for which there are financial institutions available in the list financial institutions endpoint. These can be used to filter the financial institutions by country.

Release 2020-09-23-122753

  • [Deprecation Warning] The mTLS client certificates and the ones used for HTTP signatures are now splitted in our developer portal. The previously issued certificates will still work for both use cases until their expiration (in at most 1 year). Please make sure that your app is able to use two different certificates by the time these expires. It is the case if you use one of our client library.
  • [Deprecation Warning] We upgraded our HTTP signature algorithm to the 12th version of the draft RFC on HTPP signatures. The previous one was based on the 9th version.  While the previous implementation is still supported, it will be dropped in the next API version. Here are the main changes:
    • We now use RSA-PSS instead of the deprecated RSA-256 signing algorithm.
    • You should use the (created) virtual header instead of the Date header to transmit the signature creation time. This solves issues when the framework you are using does not allow to change the Date header value or format.
  • You now have to provide your password when validating sensitive changes on our developer portal while your sessions was opened too long ago. For example when creating a new certificate or granting access to  a new developer to your team.

Release 2020-08-20-095507

  • [e-Invoicing] Allow to off-board suppliers.
  • [e-Invoicing] Allow retrieve Peppol and Zoomit invoices and credit notes whose status has changed within a given period of time.
  • [e-Invoicing] [breaking change] The supplier properties  that were nested in a ZoomitSupplierInfo object, are now moved to the parent level
  • [Ponto Connect] Add a new OAuth2 userinfo endpoint allowing retrieve the Ponto organization's id and name (by requesting a new scope).
  • [Ponto Connect] Allow to retrieve the monthly usage of an organization based on the organization's id. (useful to automate your billing process of the Ponto usage).
  • [Ponto Connect] New attributes on the accounts.
  • [Ponto Connect] New attributes on the transactions.
  • [XS2A] You can now browse the complete list of available financial institutions on our developer portal (in the financial institutions tab of your live app). It also includes all properties that are available on the API. You can then directly request access to new ones and manage their activation status for the ones that have been authorized.
  • [XS2A] Add filters the financial institution list based on the financial institution's name, country, paymentsEnabled and bulkPaymentsEnabled.
  • [XS2A] The sandbox is now actually processing payments. When you create a payment initiation request, the debtor account reference must match one account of the financial institution user. The sandbox will also checks that the account has enough funds. Finally, it will create a transaction in the account after signature of the payment on the fake bank interface.
  • [XS2A] Allow to set the sandbox accounts description to null
  • [XS2A] Fix a bug preventing the cancel button of the sandbox authorization portal to work.
  • [XS2A] Fix a bug preventing the update of sandbox financial institutions

Release 2020-06-29-113824

  • Brand new UI for our developer portal.
  • [XS2A] New attributes on the accounts:
    • [datetime] authorizationExpirationExpectedAt: When the authorization towards the account is expected to end. Formatted according to ISO8601 spec.
    • [datetime] authorizedAt: When the account was authorized for the last time. Formatted according to ISO8601 spec.
    • [datetime] availableBalanceChangedAt: When the available balance was changed for the last time. Formatted according to ISO8601 spec. This field might be null if the financial institution does not return it.
    • [datetime] availableBalanceReferenceDate: Reference date of the available balance. Formatted according to ISO8601 spec. This field might be null if the financial institution does not return it.
    • [datetime] availableBalanceVariationObservedAt: Last time that a variation (positive or negative) was detected in our system on the available balance. Formatted according to ISO8601 spec. We can only detect such variation when you synchronize the account details.
    • [datetime] currentBalanceChangedAt: When the current balance was changed for the last time. Formatted according to ISO8601 spec. This field might be null if the financial institution does not return it.
    • [datetime] currentBalanceReferenceDate: Reference date of the current balance. Formatted according to ISO8601 spec. This field might be null if the financial institution does not return it.
    • [datetime] currentBalanceVariationObservedAt: Last time that a variation (positive or negative) was detected in our system on the current balance. Formatted according to ISO8601 spec. We can only detect such variation when you synchronize the account details.
    • [string] holderName: Name of the account holder. This field might be null if the financial institution does not return it.
    • [string] internalReference: Internal resource reference given by the financial institution. 
    • [string] product: Name of the account product. This field might be null if the financial institution does not return it.
  • [XS2A] New attributes on the transactions: 
    • [string] additionalInformation: Additional transaction-related information provided from the financial institution to the customer. This field might be null if the financial institution does not return it.
    • [string] bankTransactionCode: Bank transaction code, based on ISO 20022. This field might be null if the financial institution does not return it. Some financial institutions does not comply to the ISO2022 standard.
    • [string] creditorId: Identification of the creditor, e.g. a SEPA Creditor ID. This field might be null if the financial institution does not return it.
    • [string] digest: A digest of the transaction payload from the financial institution. This may NOT be unique if the exact same transaction happens on the same day, on the same account and if the financial institution does not return a unique internal reference.
    • [string] endToEndId: Unique identification assigned by the initiating party to unambiguously identify the transaction. This identification is passed on, unchanged, throughout the entire end-to-end chain. This field might be null if the financial institution does not return it.
    • [string] internalReference: Internal resource reference given by the financial institution.
    • [string] mandateId: Unique reference of the mandate which is signed between the remitter and the debtor. This field might be null if the financial institution does not return it.
    • [string] proprietaryBankTransactionCode: Bank transaction code prorietary to the financial institution. Content will vary per financial institution. This field might be null if the financial institution does not return it.
    • [string] purposeCode: Purpose code, based on ISO 20022. This field might be null if the financial institution does not return it.
  • [XS2A] The new account and transaction attributes are also available in the sandbox. These attributes will be set to null to the existing account and transactions though.
  • [XS2A] Single, detailed, financial institution offered and global authorization models are now supported in our sandbox. You can selected the supported model when creating the sandbox financial institution.
  • [XS2A] Multicurrency accounts are now supported in the sandbox. Simply create two accounts with the same reference (IBAN) and a different currency for the same financial insitution user in a sandbox financial institution. You will then have to use the allowMulticurrencyAccounts flag when creating the account information access request.

Release  2020-05-14-152347

  • Certificates expiration reminder emails are now sent 30, 7 and 1 day before their expiration.
  • [XS2A] Add support for multi-currency accounts. When setting the new allowMulticurrencyAccounts attribute to true on the account information account access request, you will allow multi-currency accounts to be returned by XS2A. It then means you can receive multiple accounts with the same IBAN but with different currencies. You then have to synchronise the account details and transactions for each account currency.
  • [XS2A] Add support for authorization flows with multiple redirections of the PSU for account information access requests and for payment initiation requests.
  • [XS2A] Expose the supported authorization models for each financial institutions.
  • [XS2A] Fix the payment initiation request status which was empty when created in the sandbox.
  • [Ponto Connect] Add support for payment initiation requests.
  • [Ponto Connect] You can now retrieve the list of available financial institutions on Ponto. (In addition to the previously existing list of financial institutions in which an organization has accounts.)
  • [Ponto Connect] Replace misleading invalid_request error code when the refresh token is not valid or already used. You will now receive the more specific invalid_grant OAuth2 error code instead.
  • [Ponto Connect] You can now create new transactions in the sandbox accounts you have access to. It allows you to create automated tests as well as to test more use cases like structured remittance informations, account balance updates,...
  • [Isabel Connect] Add a new accountReferences  attribute on the account reports.

Release 2020-02-20-151305

  • [XS2A] New support for securities accounts. Our sandbox now allows to create securities accounts and holdings in it. You can then allow securities accounts in your account information access requests. And then retrieve the holdings of these accounts.
    Important note: Securities accounts are only available on a limited set of Belgian financial institutions for the moment and implies specific legal and contractual requirements. Please contact us upfront if you want to use this feature in live.
  • [XS2A] In case of 500 errors due to a financial institution error, we now add a new meta attribute containing the original error details. This will allow faster feedback loop and more transparency for the TPPs. It is also added on the synchronization errors.
  • [Ponto Connect] You can now choose if you want to pay for your users or not when creating an application on our developer portal.

Release 2020-01-30-112732

  • [XS2A] New TPP managed authorization flows for account information and payment initiation. These new flows allow fully transparent app-to-app redirections when supported by the financial institution. it can be enabled by using the new skipIbanityCompletionCallback attribute and authorization endpoints for account information and payment initiation
  • [XS2A] [DEPRECATION WARNING] The redirectUri  attribute should only contain your redirectUri without any query parameters, you should now use the new state attribute if you want a state to be added on your redirect uri. This is applicable to the account information access request and payment initiation request creation. Using query parameters in your redirectUri will be forbidden in the next API version.
  • [XS2A] Added a new allowFinancialInstitutionRedirectUri attribute on the payment intiation request creation endpoint. It allows to be redirected directly to the remote financial institution. Fixing app-to-app redirects on IOS. While it will be the default behavior in the next API version, it is an optional choice for now to ensure backward compatibility.

Release 2019-12-17-065028 

Release 2019-10-23-131333

  • [XS2A] Added a new allowFinancialInstitutionRedirectUri attribute on the account information access request creation endpoint. It allows to be redirected directly to the remote financial institution. Fixing app-to-app redirects on IOS. While it will be the default behavior in the next API version, it is an optional choice for now to ensure backward compatibility.
  • [Ponto Connect] The Java library does now support Ponto Connect.
  • [Ponto Connect] You do not have to provide the initial redirect uri when creating a new refresh token anymore.
  • [Ponto Connect] The synchronizations per account details and per account list are now limited to one every 30 minutes via the API.

Release 2019-07-25-073118

  • [XS2A] Fix a bug on account delete.
  • [XS2A] Use BigDecimals instead of doubles in the Java client Library.
  • [Isabel Connect] Add transactions and intraday transactions endpoints.

Release 2019-07-09-110624

  • [XS2A] Allow to fetch more than 90 days of transactions in the past during enrollment (for the financial institutions supporting it. 
  • [XS2A] Release of our Java client library and adding it in our documentation.
  • [XS2A] Release of our Elixir client library and adding it in our documentation.
  • [XS2A] Add a country attribute on the financial institution.
  • [XS2A] Add a status attribute, defining the level of maturity of our connector on the financial institution.
  • [XS2A] Parse credit cards debit transaction properly on ING BE Reverse connector. 
  • [XS2A] Fix the inversion of debtor and creditor in some transactions for the KBC BE connector.
  • [XS2A] Support unicode characters in the remittance information attribute for the KBC BE connector.
  • [IsabelConnect] Allow to upload up to 10 mb bulk payments initiation requests.
  • Improve IE11 compatibility on all our frontends.

Release 2019-05-14-073357

  • [XS2A] Allow payment initiation requests without remittance information.
  • [XS2A] Add a 'requestedExecutionDate' attribute on payment initiation requests in order to support future dated payments.
  • [XS2A] Add a 'futureDatedPaymentsAllowed' attribute on financial institutions to determine if a specific financial supports or not future dated payments.
  • [XS2A] Improved transactions parsing in AXA Belgium, ING Belgium and KBC Belgium reverse connectors.
  • [XS2A] Fix a bug preventing to authorize an account if the account number was containing spaces.
  • Allow to invite a developer again when the invitation has expired after two weeks.

Release 2019-04-29-090315

  • [XS2A] Add a new status attribute on the account information access requests.
  • [XS2A] Add a new endpoint allowing to retrieve the status of an account information access request.
  • [XS2A] Add a new endpoint allowing to retrieve the list of accounts enrolled during a specific account information access request flow.
  • [XS2A] Add a new endpoint allowing to delete the payment initiation requests stored by Ibanity.
  • [XS2A] Remove the 'back' link when the user isn't authenticated on the authorization portal.
  • [XS2A] Fix AXA Belgium reverse engineered connector transaction fetch.
  • Fix CSR generation command in developer portal.

Release 2019-03-21-140029

  • Global performance improvements.
  • Updated HTTP Signature implementation to align on the HTTP Signature RFC. The old implementation is still supported but deprecated (see deprecation warnings below).
  • [XS2A] A new optional locale attribute has been added on the account information access request and on the payment initiation request. It allows to define the language of the authorization flow when supported by the financial institution and it replace the locale attribute in the account information access request meta which is now deprecated (see deprecation warnings below).
  • [XS2A] You can now pass the customer IP address on account information access requests and payment initiation requests. Depending on the requiresCustomerIpAddress attribute defined on the financial it might be mandatory.
  • [XS2A] The Axa reverse engineered connector is autocompleting the N character in the card number.
  • [XS2A] The KBC-CBC connector is parsing standing order information correctly.
  • [XS2A] Integration of the new payment initiation API of KBC-CBC.
  • [XS2A] Improved parsing of standing orders in the BNPPF reverse connector
  • [XS2A] Fixed a bug in the redirect URL when the user clicks on Cancel in the Authorization Portal
  • [XS2A] Added a new unsupported_multi_currency_account error in the redirect URL in case the user tries to enrol a multi currency account. Support for multi-currency accounts is coming.

Deprecation warnings (the previous implementations will still be supported until a new API version is published).

- The account information access request data.meta.authorizationPortal.locale attribute has been replaced by: data.attributes.locale.

- The HTTP signature is now using Base64 instead of Base64 URL Safe to encode the payload digests and the signature itself.

- The Signature header is now formatted with comas instead of spaces between the keys, e.g:

'keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) host date digest content-length",signature="Base64(RSA-SHA256(signing string))"

Release 2019-03-08-143105

  • Document the Ibanity-Request-Id response header allowing to simplify support requests.
  • Make social media previews working with the Documentation app.
  • [IsabelConnect] Support bulk payment initiation requests by uploading PAIN files.
  • [IsabelConnect] Add Ruby library examples in the documentation.
  • [XS2A] Fix the KBC BE connector to be compliant with their updated API.
  • [XS2A] Fix a bug in the sandbox preventing to display the counterpart name in transactions. You should remove the account and re-authorise it to see it working.
  • [XS2A] Return a invalidAccountReferences error code when trying to create an account information access request with an IBAN that does not match the selected financial institution.
  • [XS2A] Support multiple languages in the Axa BE connector instead of always returning the french version of transaction details.

Release 2019-03-04-142308

  • The Isabel Connect product is now available on Ibanity! Check the documentation for more details.
  • [XS2A] Account details & transactions synchronisation speed improvements.
  • Documentation section now have a permalink button to ease documentation sharing

Release 2019-02-20-152453

  • Refactor the Documentation and Developer Portal UX to support more than one product (XS2A only until now). The Isabel Connect product will soon be available on Ibanity.
  • Move XS2A endpoints on https://api.ibanity.com/xs2a/. The old endpoint without scope are still available but deprecated.
  • Enhance HTTP request signatures handling, the error messages are now clearer when something is wrong in your signature.
  • [XS2A] Fix some translations in the Authorization Portal.
  • [XS2A] Fix a bug preventing to return the account name in the BNPPF connector.
  • Global performance and stability improvements.

Release 2019-02-07-150708

  • [XS2A] Allow spaces in card ids, client ids and challenge responses in the authorization portal

Release 2019-02-05-154431

  • [Developer Portal] Enhance developer portal global security.
  • [XS2A] Allow more user friendly input of card numbers and user ids on our Authorization Portal for reverse engineered connectors.
  • [XS2A] Allow to set custom credentials expiration time per app to ease expiration testing by the TPPs.
  • [XS2A] Fix a bug preventing to enroll some IBANs.
  • [XS2A] Add synchronization errors documentation: https://documentation.ibanity.com/api#sync
  • [XS2A] Add payment initiation requests statuses documentation: https://documentation.ibanity.com/products#pir-status-codes
  • [XS2A] Allow to cancel an account information access request and a payment initiation request in the sandbox authorization portal.
  • [XS2A] Improve /accounts endpoint performances.
  • [XS2A] Display the application display name instead of an unknown device for the customer in the web banking device list for the reverse engineered connectors.