Getting Started

Create an account

Sign up to get access to our sandbox APIs and collaborate with our advisors and business partners.

Create an application

After signing up, sign in and create a developer app.

Select the API Products your application is going to use. If required, fill in the associated application form. You'll find your API key (also functions as client ID) in the Developer Dashboard.

You may share the API key with your team, but do not share it publicly, e.g. in public GitHub repositories, on a website or in code samples.

Request production access

When you're ready, you can apply for production access on OP Developer. For certain APIs (e.g. Accounts V3.0), we provide an application form. For others, contact us directly at

Note that banking APIs usually require appropriate licensing from a competent authority.


Subscribe to our newsletter and we will keep you up to date when new features are added.


More questions? See our page for frequently asked questions! If you still can't find the information you need, don’t hesitate to give feedback or email us at


It is important to us that our APIs are easy to use. Here are examples to help you get started.


To help you get started, we have created a JavaScript SDK for our APIs. You can start using the SDK by following the instructions here:

If you have improvement suggestions, please create an issue or a pull request in our GitHub repository.


You can find other examples in our GitHub:

Usage examples


Example using the OP JS SDK to get all accounts for an example customer:

import SDK from "@op/api-sdk";

// Both headers are required on every request.
const options = {
    headers: {
        'x-api-key': 'your-api-key',
        // Static sandbox token that simulates an end user
        'x-authorization': 'b6910384440ce06f495976f96a162e2ab1bafbb4'
    }
};
const client = new SDK.Client(options);

const accounts = await client.getAllAccounts();
// accounts is an array of Account objects.


Example curl request for getting all accounts for example customer:

curl -X GET \ \
  -H 'x-api-key: * your_api-key *' \
  -H 'x-authorization: b6910384440ce06f495976f96a162e2ab1bafbb4' \


[
    {
        "accounId": "064418ca1d292a5112e9804af4dc66df5b90203c",
        "iban": "FI2350009421535899",
        "bic": "OKOYFIHH",
        "accountName": "KÄYTTÖTILI",
        "balance": 0,
        "amountAvailable": 0,
        "currency": "EUR",
        "ownerId": "b6910384440ce06f495976f96a162e2ab1bafbb4"
    }
]


All API requests require an API key and an authorization token. See below for more information.


Our sandbox APIs are available to anyone wanting to test or develop their applications.

API products are tagged with current API lifecycle status (experimental, in development, in production, deprecated).

Sandbox environment

This sandbox is your environment to get to know about our APIs. It provides the same APIs as our production environment but with mock data.

The sandbox environment is currently in beta, so the APIs and the request header structure are subject to change.

Production environment and support

Once you have tested your business case in the Sandbox environment and feel confident that APIs here fulfil your needs, it’s time to move on to production.

You can apply to production environment by sending an email to stating your business case, schedule and the APIs you’d need. You will first receive the terms of use for the APIs in the reply email. After accepting the terms of use, you will then receive the information on how to use the APIs in production.

Note that APIs have different classifications which directly correlate to lead time for getting the production keys – open data APIs have typically shorter lead times and regulated data APIs longer. This is simply due to legislative requirements.

Also note that you can only apply to APIs which are explicitly stated to be in production. Follow the OP-Developer site and our newsletters to keep up to date on the production status of our APIs.


We are currently developing our authentication flows for different use cases. You can read more from here.

At the moment, for most of the APIs, authentication is simulated with static tokens. You can pass along the x-authorization header with one of the following tokens to get access to different end-user data:



All requests are made over HTTPS to ensure that the request payload and headers are encrypted. Be aware that TLS versions 1.0 and 1.1 are nearing their end of life, so we strongly encourage you to use clients that support TLS version 1.2.

API Security Considerations For Production

  • Security requirements and mechanisms for a particular API depend on the risk level of the service and the confidentiality of the data processed.

  • Authentication and authorization requirements are set according to the risk levels as well.

  • As a minimum requirement, confidential data must be protected both in transit and in store.

  • Risk levels are evaluated and security levels and requirements are set accordingly, please see the table below.

Security level | Access Control Requirements
High | The client app must be authenticated and authorized to use the API. Strong customer authentication methods are used to authenticate the end-user using the OIDC protocol. The end-user can also be subject to fine grained authorization within the API processing logic. TLS Mutual authentication and encryption is compulsory.
Substantial | The client app must be authenticated and authorized to use the API. Strong customer authentication of the end-user as well as end-user authorization is often required.
Basic | The client app must be registered and will be authenticated prior to granting access to the API. A user can be a technical user e.g. a system or a process and it must be authorized to use the API. Usually, there is no need to authenticate the end-user, though the user information can be relayed in the payload.
Open | Client application must be registered.

Refer to the technical documentation of the API in question for detailed security implementation guidelines.

API Versioning

The API's version is embedded in the URI: The v1 part of the URI is the current major version for the API. When the next major version of the API is published, the version number is increased by one e.g. Backward compatibility between major API versions is not guaranteed, and usually the previous major version is deprecated when a new version is published.


You should use these custom headers in your requests:

x-api-key | a161-43ee-b222 | (Required) Consumer application's API key
x-session-id | c38a-11e7-abc4 | (Optional) Session identifier for in-memory data
x-request-id | string | (Optional) Request unique identifier (not validated at the moment)
x-authorization | see authentication | (Required) Token for end-user simulation

Rate limiting

Currently requests to all sandbox APIs are limited to 1000 requests / application / day. If the daily limit is reached, the server responds with an HTTP status code 429 (see below) along with X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers, which tell the caller that the request limit has been reached.

If you feel that 1000 requests per day isn't enough for your developer application feel free to contact us, along with a description of your usage needs.


Normal operation of an API request is indicated in a response message by an HTTP status in the range of 200-399.

The list below summarizes HTTP normal operation status codes.

200 OK

A successful retrieval or update operation


The request contained invalid or missing request headers, parameters or payload. A retry of an identical request will not succeed. Possible error conditions:

  • Validation errors of headers or payload
  • Missing or malformed content, invalid encoding etc.

Resource access requires user identification. Identity token is missing or invalid.


Optional, used when a request is rejected due to rate limiting.


A system error, specified in detail by the error data descriptor in the response payload.
Possible error conditions include:

  • Runtime exception in a service
  • Application server failure
  • Unrecoverable technical exception
  • Business level exception

The service exists but it is temporarily unavailable, e.g. due to overload or maintenance. The application server instance is not accepting requests.


Sometimes the execution of an API call fails and the error situation must be handled. In these cases, the error situation is indicated by proper HTTP status code as defined in response status code listing. In addition to standard HTTP status codes, also custom consumable error descriptors are provided to the client as part of the response payload. The examples below show the structure of an error descriptor in JSON format which is the default format for REST APIs. The error descriptor might contain 1-n errors. If there is an error descriptor in the response, it is the only payload data available. The following table describes the error descriptor content.

Id | yes | A unique identifier for the error event, for example UUID. Generated on the server side when the error occurs.
Level | yes | Error level can be FATAL, ERROR or WARN. For a FATAL, no retry is likely to succeed without server side maintenance measures. An ERROR may be temporary and the request may be retried later. A WARN level error indicates that as part of the request execution, something went wrong but the end result is ok.
Type | yes | Allowed error types are SECURITY, VALIDATION, TECHNICAL and BUSINESS. A BUSINESS type of an error message must include a business specific error code and an optional detailed error code.
Message | yes | A textual description of the error condition.
Code | no | An error code defined by the application, for errors of type BUSINESS only.
DetailedConstraitViolations | no | Detailed map of validation fields and constraints that failed, for errors of type VALIDATION only.

Error descriptor is attached to the response message payload as children of top-level element "errors" in the event of a server side error.

{
    "errors": [
        {
            "id": "G_-20343744:143e886a59f:-7ff9",
            "level": "ERROR",
            "type": "BUSINESS",
            "message": "Account balance exceeded",
            "code": "ACC_ERR_123"
        }
    ]
}

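The rate-limit response and the error descriptor described above can be handled in one place on the client. The following is an added example, not part of the OP SDK or of the original page: triageResponse and its action names are hypothetical, and treating a VALIDATION error as "fix the request" is an assumed policy based on the level and type descriptions in the table.

```javascript
// Added example: triage of a response using the 429 rate-limit headers and
// the error descriptor fields described on this page.
const LEVEL_RANK = new Map([["WARN", 1], ["ERROR", 2], ["FATAL", 3]]);

// HTTP header names are case-insensitive, so normalise before lookup.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return null;
}

// Returns { action, ... }; action is one of
// "ok", "rate-limited", "retry-later", "fix-request", "fail".
function triageResponse(status, headers, bodyText) {
  if (status === 429) {
    return {
      action: "rate-limited",
      limit: header(headers, "X-RateLimit-Limit"),
      remaining: header(headers, "X-RateLimit-Remaining"),
      // The page does not document the Reset format, so it is returned raw.
      reset: header(headers, "X-RateLimit-Reset"),
    };
  }
  let errors = [];
  try {
    const parsed = JSON.parse(bodyText);
    if (parsed && Array.isArray(parsed.errors)) errors = parsed.errors;
  } catch (_) {
    // Body is not JSON: decide on the status code alone.
  }
  // Ignore entries whose level is not one of the three documented values.
  errors = errors.filter((e) => e && LEVEL_RANK.has(e.level));
  if (errors.length === 0) {
    return { action: status >= 200 && status <= 399 ? "ok" : "fail", ids: [] };
  }
  const rank = Math.max(...errors.map((e) => LEVEL_RANK.get(e.level)));
  const ids = errors.map((e) => String(e.id)); // for correlation with support
  if (rank === 3) return { action: "fail", ids }; // FATAL: retry will not help
  if (rank === 1) return { action: "ok", ids };   // WARN only: result is usable
  // ERROR: a VALIDATION failure needs a changed request (assumed policy);
  // other types may be temporary and can be retried later.
  const invalid = errors.some((e) => e.type === "VALIDATION");
  return { action: invalid ? "fix-request" : "retry-later", ids };
}
```

Record the returned ids when reporting a problem, since the Id field is generated on the server side for each error event.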



In development
Corporate Account Services

Corporate Accounts

Real-time information of corporate accounts and transactions into your business applications.

In development
Corporate Payment Services

Corporate Payments

Payments initiated on corporate accounts directly from your business applications.

In production

Accounts V3.0

Effortless access to account and transaction information.

In development


Initiate and confirm SEPA payments.

In production

OP Yrityssiirto

The API allows merchants to pay real time transfers directly to consumers’ bank accounts.

Go to OP Yrityssiirto API docs >

    In development

    Consumer Financing

    Integrate consumer financing seamlessly into your online and offline customer experience.

    In production

    Pivo Payment

    Finland’s largest mobile wallet payment solution is designed to make paying online easy and fast. The API supports online, in-app and Facebook Messenger.

    Go to Pivo API docs >

      In production

      Payment Highway

      Payment Highway offers Finland’s best app payment experience. The APIs enable one-click payments and recurring charging in-app and on the web.

      Go to Payment Highway >

        In production

        PSD2 Confirmation of Funds Service

        Confirm availability of funds on an account.

        In production

        PSD2 Payment Initiation Service

        Initiate SEPA payments.

        In production

        PSD2 Account Information Service

        Account and transaction information.


        Accounts with AI 2.0

        Accounts with AI APIs provide access points to basic, enriched, and predictive information on accounts and transactions.


        Banking is OP’s largest business segment providing customers with a comprehensive range of products and services.

        In the coming years, we will see a big shift in banking as the PSD2 obliges European banks to open their APIs. We consider this a great opportunity to collaborate with FinTechs and startups and expand the services we offer our customers. Alongside PSD2 APIs, we also offer premium APIs for our partners.

        OP is dedicated to continuously developing our Banking APIs. More APIs are on the way to our sandbox in 2019!

        Pricing & Usage

        Sandbox APIs are free to use although some restrictions on the number of calls apply.

        When you're ready and want to go live with your service or application, just contact us at




        In development


        APIs for user's fund information and creating redemption and subscription orders.

        In development


        APIs for user's holdings information.

        In development

        Financial Instruments

        Trade stocks listed in Nasdaq Nordic.

        In development


        Open new custodies for stock trading.


        A key element of OP’s mission is bolstering the sustainable prosperity of our owner-customers, customers and operating regions. Making saving and investing easier and more accessible to wider customer groups is a key driver towards this goal.

        Using our APIs for mutual funds and stocks, developers can embed the concepts of saving and investing in their new service experiences. The APIs let your customers trade OP's mutual funds and stocks listed in OMX Helsinki, as well as track the value of their investments within your service.

        Unlike many other investment products, mutual funds don't have a minimum investment limitation, making it possible to accumulate savings over time with very small one-time transactions.

        We are planning to release more Wealth API products in the areas of stock market trading and custodies. The APIs will be available in production to selected partners.

        Pricing & Usage

        Sandbox APIs are free to use, although some restrictions on the number of calls apply.




        In production


        Branches API provides your customers with up-to-date information on the closest bank branches.

        In production


        DriveNow is a free-floating car sharing service in the capital area of Finland. DriveNow API allows users to see the real-time location and pricing of cars. More information on the API at


          Mobility APIs are about making everyday travel from A to B as smooth and user-friendly as possible.

          New technology and a cultural shift are enabling more creative mobility services such as OP Kulku and DriveNow. Sharing economy permits expansive data which can be used for improving safety and reducing emissions linked to traditional transportation.

          OP is dedicated to continuously developing our Mobility APIs. More APIs are on the way to our sandbox in 2019!

          Pricing & Usage

          Sandbox APIs are free to use although some restrictions on the number of calls apply.

          When you're ready and want to go live with your service or application, just contact us at




          In production

          OP Identity Service Broker

          Identify customers in your application with any Finnish bank credentials or mobile ID.

          Documentation | Sample Implementation

            About Identity APIs

            OP Identity APIs allow you to identify and authenticate your Finnish end users.

            OP Identity Service Broker is OP's replacement for TUPAS. It implements Strong Customer Authentication (SCA) and allows you to make use of all Finnish Strong Customer Credentials - including Mobile ID and banks.

            Note - Identity APIs are independent API products. Authentication and authorization for other API products use their own, separate flows (see e.g. Authorization Code Grant).


            OP Identity Service Broker is currently available in sandbox and in production.

            Pricing & Usage

            Sandbox APIs are available free of charge. When you want to adopt OP Identity Service Provider in production, contact your local bank. Read more about the Terms and Conditions of ISB here.



            We have listed typical questions on our Frequently asked questions page.


            If you’re still missing an answer don’t hesitate to give us feedback

            Please include your email address if you want us to reply.


            You can email us at