Getting started

1) Register on OP Developer

Sign up to access our sandbox APIs.

Note that OP Identity Service Broker does not require registering on OP Developer.

2) Test APIs in sandbox

Sandbox is the place where you can get to know our APIs. It provides the same APIs as our production environment but with mock data.

In addition, our sandbox hosts APIs that have not yet entered production (marked as "in development"). We do this so you can get to know them ahead of time, and voice your opinion on what they should look like in production.

The requirements for using an API in sandbox depend on the API in question. Check the detailed instructions in the API's documentation.

All our sandbox APIs are available free of charge for all registered developers although some restrictions on the number of calls apply.

3) Request production access

Once you've tested your application and business case in sandbox, and feel confident that our APIs fulfil your needs, it’s time to move on to production.

Different APIs have different requirements for consumers, so the time it takes to approve production keys varies by API product. In addition, some APIs pose additional requirements for production access, such as appropriate licenses, or a suitable business case. Each application is processed on a case-by-case basis.

See detailed instructions on how to request production access in the API's documentation.

Pricing information is available for our partners and production users. Depending on the API, we use combinations of various pricing models based on revenue share, events, API calls and license fees. However, following EU regulation, PSD2 APIs are free of charge both in sandbox and in production.

Technical overview

Security

All API requests are made over HTTPS.

Some APIs (e.g. PSD2 APIs) require the use of mutually authenticated TLS. TLS version 1.2 is strongly recommended over all previous versions.

Additional Security measures and requirements for authentication and authorization depend on the API and the type of data being processed. Confidential data must be protected both in transit and in store. Detailed requirements vary case-by-case and will be explained in API documentation.

The table below describes our general principles for API security.

Security levelAccess Control Requirements
HighThe client app must be authenticated and authorized to use the API. Strong customer authentication (SCA) using OIDC flow is required. Further requirements include (but are not limited to) mutually authenticated TLS and data encryption.
SubstantialThe client app must be authenticated and authorized to use the API. Strong customer authentication and end-user authorization are usually required.
BasicThe client app must be registered and will be authenticated prior to granting access to the API. A user can be a technical user, e.g. a system or a process, and it must be authorized to use the API. Usually, there is no need to authenticate the end-user, though the user information can be relayed in the payload.
OpenThe client application must be registered.

Authentication

Our APIs use authentication and authorization methods based on Oauth 2.0 and OpenID Connect.

In sandbox, most of our APIs also support static tokens for simulating authorization. Static tokens can be used in the x-authorization or Authorization header, depending on the API.

The following static tokens are available for use:

Token
6c18c234b1b18b1d97c7043e2e41135c293d0da9
b6910384440ce06f495976f96a162e2ab1bafbb4
7a66629ddf3691a66eb6466ab7a9f610de531047
3af871a0e3ebfc46f375ff2b63d1414982bd4f76

Versioning

Each API bears a version number in its uri, e.g. sandbox.apis.op-palvelut.fi/v1/accounts. Major versions of each API are not compatible. However, minor updates and version bumps will retain backwards compatibility; these will not be reflected in the URI.

After the publishing of a new version of an API, older versions will be deprecated. Once deprecated, the API will no longer be developed aside from important bug fixes. We encourage users to migrate to newer versions once an API is marked as deprecated.

Requests

The following headers are recommended for each request:

NameExampleDescription
x-api-keya161-43ee-b222(Required) API key of the client app
x-session-idc38a-11e7-abc4(Optional) Session identifier for in-memory data
x-request-idstring(Optional) Unique ID for the request (not validated at the moment)
x-authorization / Authorizationsee authentication(Required) Authorization token

Currently, all sandbox APIs have a limit of 1000 requests / day for each application. If you exceed the daily limit, the server responds with HTTP status code 429 and three headers: X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset. Of these, the latter describes the period of time after which the rate limit will be reset.

If you feel that 1000 requests per day isn't enough, please contact us at api@op.fi and tell us about your needs.

Responses

Successful operations are indicated by HTTP status codes in the range 200-399.

Below is a list of the most common HTTP status codes.

CodeMessageDescription
200OKThe has been completed successfully.
201CREATEDThe resource has been successfully create.
400BAD REQUESTSome headers, parameters, or payload contents are missing or invalid. Retrying the same request again will not succeed.
401UNAUTHORIZEDInvalid or missing authentication/authorization.
403FORBIDDENThe authenticated/authorized user or application does not have access rights to the requested.
429TOO MANY REQUESTSThe client application has exceeded its rate limit. The application must wait until the limit expires.
500INTERNAL SERVER ERRORA system error prevented the operation from being completed.
503SERVICE UNAVAILABLEThe service is temporarily unavailable due to e.g. overload or maintenance.

Errors

Occasionally, API calls fail. In these cases, the error type is indicated by an HTTP status code, and a further error description will be provided in the error payload.

Authorization flows are a notable exception: in some cases, providing accurate error descriptors is considered unsafe and only a general error page will be returned.

The following table describes the contents of a typical error payload:

FieldRequiredDescription
IdyesA unique identifier for the error.
LevelyesError level: FATAL, ERROR or WARN. For a FATAL, no retry is likely to succeed without server side maintenance measures. An ERROR may be temporary and the request may be retried later. A WARN level error indicates that some part of the execution of the operation went wrong, but that the operation was nonetheless successful.
TypeyesErrors are of type SECURITY, VALIDATION, TECHNICAL and BUSINESS. Errors of type BUSINESS will be accompanied by a business specific error code and an optional detailed error code.
MessageyesA human-readable description of the error condition.
CodenoAn error code defined by the application, for errors of type BUSINESS only.
DetailedConstraitViolationsnoA map of validation fields and constraints that failed, for errors of type VALIDATION only.

Below is a sample error payload.

{
    "errors": [
        {
            "id": "G_-20343744:143e886a59f:-7ff9",
            "level": "ERROR",
            "type": "BUSINESS",
            "message": "Account balance exceeded",
            "code": "ACC_ERR_123"
        }
      ]
}

Examples

GitHub

We provide SDKs, example apps, and other useful code on GitHub. Read the instructions to learn how to use our JavaScript SDK.

If you find bugs, have features to suggest, or want to contribute in other ways, feel free to create an issue or pull request!

NodeJs

The following code uses the OP JS SDK to fetch a list of accounts for the example customer:

import SDK from "@op/api-sdk";

const options = {
    headers: {
        'x-api-key': 'your-api-key',
        'x-authorization': 'b6910384440ce06f495976f96a162e2ab1bafbb4'
    }
}
const client = new SDK.Client(options)

const accounts = await client.getAllAccounts();
// accounts is array of Account objects.

Curl

This sample cURL request retrieves a list of accounts using Accounts V3.0.

curl -X GET \ "https://sandbox.apis.op-palvelut.fi/accounts/v3/accounts" \
-H "x-api-key: <YOUR_APP_API_KEY>" \ 
-H "authorization: Bearer 6c18c234b1b18b1d97c7043e2e41135c293d0da9" \ 
-H "accept: application/hal+json"

Response body:

{
  "accounts": [
    {
      "accountId": "L0wWwLC8voZD8ldyxYatUg0PMy03De8tk9egONlkiGE.qkLSpsR8NZhBUb7TXgfTHQ.pp9G_SlZVouGL1ncVjj-PA",
      "identifier": "FI2350009421535899",
      "identifierScheme": "IBAN",
      "nickname": "",
      "name": "KÄYTTÖTILI",
      "balance": 0,
      "currency": "EUR",
      "servicerScheme": "BIC",
      "servicerIdentifier": "OKOYFIHH",
      "_links": {
        "self": {
          "href": "https://sandbox.apis.op-palvelut.fi/accounts/v3/accounts/L0wWwLC8voZD8ldyxYatUg0PMy03De8tk9egONlkiGE.qkLSpsR8NZhBUb7TXgfTHQ.pp9G_SlZVouGL1ncVjj-PA"
        },
        "transactions": {
          "href": "https://sandbox.apis.op-palvelut.fi/accounts/v3/accounts/L0wWwLC8voZD8ldyxYatUg0PMy03De8tk9egONlkiGE.qkLSpsR8NZhBUb7TXgfTHQ.pp9G_SlZVouGL1ncVjj-PA/transactions"
        }
      }
    },
    {...}
  ],
  "_links": {
    "self": {
      "href": "https://sandbox.apis.op-palvelut.fi/accounts/v3/accounts"
    }
  }
}

banking-section

Banking

About

Banking is OP’s largest business segment providing customers with a comprehensive range of products and services.

PSD2 regulation has obliged European banks to open their APIs to Third Party Providers, which brings a big shift in banking. We consider this a great opportunity to collaborate with FinTechs and startups and expand the services we offer our customers.

However, open banking is more than just PSD2. We are dedicated to continously develop our selection of high-quality banking APIs that would best meet our partners' needs. Our first premium API was Accounts V3.0 released in February 2019. More premium API releases will follow.

Products

In development
Corporate Account Services

OP Corporate Account Data API

Real-time information of corporate accounts and transactions into your business applications.

In development
Corporate Payment Services

OP Corporate Payment API

Payments initiated on corporate accounts directly from your business applications.

In production
icon-accounts

Accounts V3.0

Effortless access to account and transaction information.

In development
api-payments

Payments

Initiate and confirm SEPA payments.

In development
prod-customer-financing-v2

Consumer Financing

Integrate consumer financing seamlessly into your online and offline customer experience.

In production
pivo-logo

Pivo Payment

Finland’s largest mobile wallet payment solution is designed to make paying online easy and fast. The API supports online, in-app and Facebook Messenger.

Go to Pivo API docs >

    In production
    paymenthighway-logo

    Payment Highway

    Payment Highway offers Finland’s best app payment experience. The APIs enable one-click payments and recurring charging in-app and on the web.

    Go to Payment Highway >

      In production
      psd2 cof

      PSD2 Confirmation of Funds Service

      Confirm availability of funds on an account.

      In production
      psd2 payments

      PSD2 Payment Initiation Service

      Initiate SEPA payments.

      In production
      psd2 accounts

      PSD2 Account Information Service

      Account and transaction information.

      Deprecated
      api-accounts with ai

      Accounts with AI 2.0

      Accounts with AI APIs provide access points to basic, enriched, and predictive information on accounts and transactions.


      wealth-section

      Wealth

      About

      A key element of OP’s mission is bolstering the sustainable prosperity of our owner-customers, customers and operating regions. Making saving and investing easier and more accessible to wider customer groups is a key driver towards this goal.

      Using our APIs for mutual funds and stocks, developers can embed the concepts of saving and investing in their new service experiences. The APIs let your customers trade OP's mutual funds and stocks listed in OMX Helsinki, as well as track the value of their investments within your service. Unlike many other investment products, mutual funds don't have a minimum investment limitation, making it possible to accumulate savings over time with very small one-time transactions.

      Products

      In development
      icon-funds

      Funds

      APIs for user's fund information and creating redemption and subscription orders.

      In development
      api-holdings

      Holdings

      APIs for user's holdings information.

      In development
      icon-instruments

      Financial Instruments

      Trade stocks listed in Nasdaq Nordic.

      In development
      api-custodies

      Custodies

      Open new custodies for stock trading.


      mobility-section

      Mobility

      About

      Mobility APIs are about making everyday travel from A to B as smooth and user-friendly as possible.

      New technology and a cultural shift are enabling more creative mobility services such as DriveNow. Sharing economy permits expansive data which can be used for improving safety and reducing emissions linked to traditional transportation.

      Products

      In development
      prod-branches-v2

      Branches

      Branches API provides your customers with up-to-date information on the closest bank branches.

      In production
      DriveNow Logo

      DriveNow

      DriveNow is a free-floating car sharing service in the capital area of Finland. DriveNow API allows users to see the real-time location and pricing of cars. More information on the API at api@op.fi.


        identity

        Identity

        About

        Identity APIs allow you to identify and authenticate your end users.

        OP Identity Service Broker is OP's replacement for TUPAS. It implements Strong Customer Authentication (SCA) and allows you to make use of all Finnish Strong Customer Credentials - including Mobile ID and bank credentials.

        When you want to adopt OP Identity Service Provider in production, contact your local bank.

        Read more about the Terms and Conditions of ISB >

        Note - Identity APIs are independent API products. Authentication and authorization for other API products use their own, separate flows (see e.g. Authorization Code Grant).

        Products

        In production
        identity service broker

        OP Identity Service Broker

        Identify customers in your application with any Finnish bank credentials or Mobile ID.

        Documentation | Sample Implementation

          Support

          FAQ

          Check Frequently asked questions for the most common questions we get.

          Contact

          If you need support, want to give us feedback or have any other inquiry, don't hesitate to contact us.

          You can reach us either by filling this form or by emailing us at api@op.fi. We will get back to you as soon as possible.

          If you would like a reply to your feedback, please provide your email address.

          Newsletter

          Sign up for the OP Developer newsletter now and stay updated on our latest API product releases, piloting opportunities and other news.

          You can unsubscribe anytime you want.