Agent API - Developer documentation
Swagger
See our Swagger documentation for more details on the REST API used for inserting applications. You can use the Swagger UI to try out the API.
You need an access token (JSON Web Token, JWT) to access the API. The public key must be sent to the bank and configured.
Click the Authorize button in the top right of the Swagger UI page to apply the access token to your requests.
Versioning
We use URL Versioning with major versions.
API releases are versioned using a one-part versioning scheme, {major version}, i.e. /api/v{major version}/{component}/{country}
Example: /api/v1/loanapplication/no
When a new major version becomes available, we will support the previous version for a few months, running the two APIs in parallel. A major version will be added when changes incompatible with previous versions (breaking changes) are necessary.
Some examples of breaking changes:
- Removing an endpoint
- Removing a property in the response
- Changing the error response format (not the status code)
- Changing the status code from 2xx to another 2xx
- Changing the name of query parameters and body properties
Authentication
All Agent API calls are authenticated using the JSON Web Token (JWT) standard (RFC 7519). The JWT should be included as a Bearer token in the header of each request. JWT signatures are validated with an authorization server using a corresponding public verification key, either by invoking a validation endpoint on the authorization server (RFC 7517) or by using a local verification key provided by the agent.
Acquiring a JSON Web Token (JWT)
JWT is an open standard, and a JWT can be created in a number of ways if you have the infrastructure set up for it. Examples of JWT issuers include Azure AD and Keycloak, among many others.
If you do not have an identity token issuer already, we have described a method for generating a JWT yourselves.
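The token flow described under Authentication, as an added example that is not part of the bank's documentation and is not the generation method it refers to: an agent signs a JWT with its private key, and a verifier holding only the public key checks it with the algorithm pinned. RS256, the claim names and the function names are assumptions made for illustration.

```javascript
// Added example. RS256 and the claims used here are assumptions, not the bank's requirements.
const { generateKeyPairSync, createSign, createVerify } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Agent side: sign "header.payload" with the private key, which never leaves the agent.
function issueToken(privateKey, claims) {
  const signingInput = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) +
    '.' + b64url(JSON.stringify(claims));
  const signature = createSign('RSA-SHA256').update(signingInput).sign(privateKey);
  return signingInput + '.' + b64url(signature);
}

// Verifier side: pin the algorithm, check the signature against the registered
// public key, then check expiry. Returns the claims, or null if the token is rejected.
function verifyToken(token, publicKey, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [headerPart, payloadPart, signaturePart] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(headerPart, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payloadPart, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // The token must not choose its own algorithm ("none", or HS256 keyed with the public key).
  if (!header || !claims || header.alg !== 'RS256') return null;
  const valid = createVerify('RSA-SHA256')
    .update(headerPart + '.' + payloadPart)
    .verify(publicKey, Buffer.from(signaturePart, 'base64url'));
  if (!valid) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return null;
  return claims;
}

// Constructed sample: throwaway key pair and made-up claims.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const now = Math.floor(Date.now() / 1000);
const token = issueToken(privateKey, { iss: 'example-agent', iat: now, exp: now + 300 });
// Value of the Authorization header sent with each API request.
const authorizationHeader = 'Bearer ' + token;
```

Only the public key from the generated pair would be shared with the verifying party; the private key stays with the agent.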
Callbacks
Application processing can take a bit of time to complete, so we don't want to leave you hanging while waiting for the result. Agents can register a callback URL to receive application statuses. Callbacks are only sent using HTTPS and are authenticated using the Agent's method of choice. The callback payloads are formatted in JSON and are submitted with a POST call.
Standard callback API
The preferred callback API for agents to set up and implement is the standard callback API, which should cover most use cases. Please see the Agent callback API documentation for the Swagger specification that is to be implemented.