End-to-end encryption
Banking credentials are very sensitive data. As an integrator of our services, you must ensure that confidentiality is guaranteed all the way from the user interface where they are entered, to our API endpoint where they are consumed. The whole transmission flow must be processed over a , but it may still involve intermediate components such as third-party API servers or caches that are not legally authorized to handle cleartext credentials.
Our API allows you to secure user credentials transmission using , by encrypting values before they are transmitted to your intermediate architecture. The resulting payload can only be decrypted by our API.
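[Sequence diagram. Participants: User, User Interface, Intermediate API, Our API. The user enters credentials (🔓) in the user interface, which encrypts them; the encrypted credentials (🔒) pass through the intermediate API to our API, which decrypts them.]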
End-to-end encryption applies to the following endpoints:
for initial values of a connector's fields (this endpoint is only accessible to agents and white-mark contracts);
for values of transient additional fields;
Transfer update for values of transient additional fields;
, when implementing a validation webview.
End-to-end encryption consists in substituting every cleartext sensitive value in HTTP requests with an encrypted . The resulting HTTP request body is still a JSON object, with modified values.
Before: Cleartext credentials as string value in request body
After: Sensitive values are encrypted in request body
Implementation details vary with each library. They usually include the following steps:
Import the key according to the library documentation.
If needed, convert text values of credentials to raw bytes (UTF-8 encoding).
Encrypt the payload according to the library documentation, with RSA-OAEP-256 padding and A256GCM algorithm. We require the key ID (kid) to be included in the JWE header.
Serialize the JWE to its compact format (URL-safe Base64 parts delimited by period), ready to be sent to our API.
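The steps above, carried out with Node.js's built-in `crypto` module rather than a JWE library (an added example, not code from the original documentation). It assumes the public key is an RSA key in JWK form carrying a `kid` member; the demo key pair, the `kid` value `demo-key-1`, the helper names and the `login`/`password` field names are constructed for illustration.

```javascript
// Added example: JWE compact serialization using only Node's built-in crypto module.
const nodeCrypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");

// publicJwk: RSA public key as a JWK object with a "kid" member (assumed format).
function encryptCredential(publicJwk, cleartext) {
  if (!publicJwk.kid) throw new Error("public key has no kid");
  const key = nodeCrypto.createPublicKey({ key: publicJwk, format: "jwk" });

  // Protected header: the two required algorithms plus the key ID.
  const header = b64u(
    JSON.stringify({ alg: "RSA-OAEP-256", enc: "A256GCM", kid: publicJwk.kid })
  );

  // Fresh 256-bit content-encryption key and 96-bit GCM IV for every value.
  const cek = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);

  // Wrap the content-encryption key with RSA-OAEP over SHA-256.
  const encryptedKey = nodeCrypto.publicEncrypt(
    { key, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    cek
  );

  // Encrypt the UTF-8 bytes; the encoded header is authenticated as AAD.
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", cek, iv);
  cipher.setAAD(Buffer.from(header, "ascii"));
  const ciphertext = Buffer.concat([
    cipher.update(Buffer.from(cleartext, "utf8")),
    cipher.final(),
  ]);

  // Compact form: five URL-safe Base64 parts delimited by periods.
  const parts = [encryptedKey, iv, ciphertext, cipher.getAuthTag()].map(b64u);
  return [header, ...parts].join(".");
}

// Replace only the named sensitive values; the body stays a JSON object.
function encryptFields(publicJwk, fields, sensitiveNames) {
  const out = { ...fields };
  for (const name of sensitiveNames) out[name] = encryptCredential(publicJwk, String(fields[name]));
  return out;
}

// Constructed demo key pair and kid; the real public key comes from the API.
const demoKeys = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const demoJwk = { ...demoKeys.publicKey.export({ format: "jwk" }), kid: "demo-key-1" };
const demoBody = encryptFields(demoJwk, { login: "jdoe", password: "s3cr\u00e9t" }, ["password"]);
console.log(JSON.stringify(demoBody));
```

Because the content-encryption key and IV are generated per call, encrypting the same value twice yields two different JWE strings, so an intermediate cache cannot match payloads by equality.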
Obtain the public end-to-end encryption key associated with your API domain by calling the following endpoint. The key is available as a .
Encryption keys are available in the , on your domain's settings page.