3. Make your first API request

To make your first API request, complete the initial setup, following this high-level procedure:

  1. Upload your certificate to authorize your application to access your Revolut Business account via the Business API.
  2. Provide a client assertion JWT to obtain a signing key.
  3. Consent to the application on the Business Portal to obtain an authorization code.
  4. Exchange the authorization code for an access token to authenticate your requests to the Business API.
  5. Try your first API request to get a list of all your accounts.
  6. When the access token expires, request a new access token.

After you complete and validate the setup, you can make requests to the Business API.

1. Upload your certificate

Authorize your application to access your Revolut Business account via the Business API. To do this, first upload your certificate on the Business API settings page of the Revolut Business portal.

Generate a private and public certificate

Run the following commands in your preferred CLI to create a private and a public certificate:

openssl genrsa -out privatecert.pem 2048
openssl req -new -x509 -key privatecert.pem -out publiccert.cer -days 1825

You will be asked to enter some details about your organization for the certificate's "Distinguished Name". Enter each piece of information and press Enter, until you get back to the command prompt. You may also leave some fields blank.

Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:

How to upload your certificate

To upload the generated certificate, copy and paste the content of publiccert.cer into the required field:

  1. Log in to the Revolut Business portal, and go to Settings > Business API.
  2. Click Add certificate.
  3. Copy and paste the content of publiccert.cer to the X509 public key field.
  4. Specify the OAuth redirect URI (in this example we use: example.com). This is the URL where you are redirected after you consent to the application accessing your Revolut Business account.
  5. Click Continue.

You are redirected to the API Certificate page with the parameters of your application. Copy the ClientID which will be needed in the following steps.

IP whitelisting

Optionally, provide a list of IP addresses for additional security. If provided, only traffic from these IP addresses will be allowed.

Single IP addresses as well as IP pools in CIDR notation are allowed.

2. Generate a client assertion

To grant consent to your application, you need to generate a client assertion JWT (JSON Web Token) that is cryptographically signed with the private certificate generated in step 1. This JWT is used whenever a new access token needs to be requested, and it is composed of a header, a payload and a signature.

JWT Header:

{
"alg": "RS256",
"typ": "JWT"
}

JWT Payload:

{
"iss": "<insert your_domain>",
"sub": "<insert ClientID>",
"aud": "https://revolut.com",
"exp": <insert expiry_date>
}

Ensure that the parameters meet the following format.

| Field | Description | Format | Required |
| --- | --- | --- | --- |
| iss | Domain from redirect_url (without https://). | String | Yes |
| sub | Your client_id | String | Yes |
| aud | https://revolut.com | String | Yes |
| exp | JWT expiration date, you can use this converter to provide the UNIX timestamp. Example for 90 days in the future: 1692904686. | Number, in UNIX timestamp format, given in seconds | Yes |

Caution: Do not provide the exp value as a string!

There are several libraries to generate a JWT. To manually generate the JWT, follow these steps:

  1. Save the JWT header into a file named header.json.
  2. Save the JWT payload into a file named payload.json.
  3. Copy the privatecert.pem file from step 1 in the same directory.
  4. Open a CLI and navigate to the directory where you saved the files.
  5. Copy the following commands in the CLI and press Enter to ensure all lines are executed:
    cat header.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > client_assertion.txt
    echo -n "." >> client_assertion.txt
    cat payload.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' >> client_assertion.txt
    cat client_assertion.txt | tr -d '\n' | tr -d '\r' | openssl dgst -sha256 -sign privatecert.pem | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > sign.txt
    echo -n "." >> client_assertion.txt
    cat sign.txt >> client_assertion.txt
EXPECTED RESULT

A client_assertion.txt file is created, containing the client assertion JWT.
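
Added example (not Revolut's code): the manual steps above wrapped into shell functions, plus a local check that the resulting JWT verifies against publiccert.cer and carries a numeric, unexpired exp before it is sent anywhere. The function names are illustrative, and the iss and ClientID values are assumed to need no JSON escaping.

```shell
# base64url without padding, the same transformation as the manual steps
b64url() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }

# Reverse of b64url: restore the stripped padding, then decode
b64url_dec() (
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl enc -base64 -d -A
)

# make_assertion <private key> <iss domain> <ClientID> <lifetime in days>
# Assumption: iss and ClientID contain no characters that need JSON escaping.
make_assertion() (
  exp=$(( $(date +%s) + $4 * 86400 ))   # integer arithmetic keeps exp a number
  head=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  body=$(printf '{"iss":"%s","sub":"%s","aud":"https://revolut.com","exp":%d}' \
         "$2" "$3" "$exp" | b64url)
  sig=$(printf '%s.%s' "$head" "$body" | openssl dgst -sha256 -sign "$1" | b64url)
  [ -n "$sig" ] || exit 1               # signing failed (bad or missing key)
  printf '%s.%s.%s\n' "$head" "$body" "$sig"
)

# check_assertion <public certificate> <jwt>
# Succeeds only if the RS256 signature verifies against the certificate and
# exp is an unquoted integer that lies in the future.
check_assertion() (
  jwt=$2; head=${jwt%%.*}; rest=${jwt#*.}; body=${rest%%.*}; sig=${rest#*.}
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem" 2>/dev/null || exit 1
  b64url_dec "$sig" > "$tmp/sig.bin" 2>/dev/null || exit 1
  printf '%s.%s' "$head" "$body" | openssl dgst -sha256 \
    -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" >/dev/null 2>&1 || exit 1
  exp=$(b64url_dec "$body" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
)

# Usage:
#   jwt=$(make_assertion privatecert.pem example.com "<ClientID>" 90)
#   check_assertion publiccert.cer "$jwt" && printf '%s' "$jwt" > client_assertion.txt
```

A failed check_assertion usually means the JWT was signed with a key other than the one behind the uploaded certificate, or that exp was quoted or is already in the past.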


3. Consent to the application

  1. Log in to the Revolut Business portal, and go to the Business API settings.

  2. Select the certificate you want to edit.

  3. On the API Certificate page, get your client ID from the ClientID field.

  4. Click Enable access. You are redirected to the /app-confirm URL where you grant your application access to your account via the Business API. See an example below.

    https://business.revolut.com/app-confirm?client_id=<ClientID>&redirect_uri=https://example.com&response_type=code#authorise

    Tip (optional): you can narrow down the security permissions of the consent by adding &scope= and a comma-separated list of the desired scopes defined in the API Reference. For example &scope=READ,WRITE.

  5. Click Authorise. This triggers a 2-factor authentication (2FA) process. On successful authorization, you are redirected to the OAuth redirect URI that you specified.

  6. Get the authorization code (code) from the redirect URI.

    https://example.com?code=oa_prod_vYo3mAI9TmJuo2_ukYlHVZMh3OiszmfQdgVqk_gLSkU

    Caution: The code is only valid for two minutes.

4. Exchange authorization code for access token

To exchange the authorization_code for an access_token, you can use the following cURL call:

curl https://b2b.revolut.com/api/1.0/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=authorization_code" \
  --data "code=<insert authorization_code>" \
  --data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  --data "client_assertion=<insert JWT>"

Request fields (URL-encoded)

| Field | Description | Format | Required |
| --- | --- | --- | --- |
| grant_type | The OAuth grant type: authorization_code. | String | Yes |
| code | The authorization code obtained from the redirect URI in step 3. | String | Yes |
| client_assertion_type | The type of the client assertion: urn:ietf:params:oauth:client-assertion-type:jwt-bearer. | String | Yes |
| client_assertion | The JWT token that you generated in step 2. | String | Yes |

Sample response

{
"access_token": "oa_prod_rPo9OmbMAuguhQffR6RLR4nvmzpx4NJtpdyvGKkrS3U",
"token_type": "bearer",
"expires_in": 2399,
"refresh_token": "oa_prod_hQacSGnwx-luIfj3dlVByrytVV9rWAnyHkpJTwG_Tr8"
}

Note: Every access_token is only valid for 40 minutes. After the access_token expires, you must request a new access_token, using the refresh_token and the JWT. For more information, see: Refresh access token.

5. Try your first API request

To verify that everything is working, make a request to the /accounts endpoint to get a list of all your accounts using the access_token you obtained at the previous step:

curl https://b2b.revolut.com/api/1.0/accounts \
-H "Authorization: Bearer <your access_token>"

Example response:

[
{
"id": "2a0d4d03-e26c-4159-9de1-c6bf3adfd8a1",
"name": "Current GBP account",
"balance": 100.0,
"currency": "GBP",
"state": "active",
"public": false,
"updated_at": "2017-06-01T11:11:11.1Z",
"created_at": "2017-06-01T11:11:11.1Z"
},
{
"id": "df8d6b20-0725-482e-a29e-fb09631480cf",
"name": "EUR expenses account",
"balance": 1234.0,
"currency": "EUR",
"state": "active",
"public": false,
"created_at": "2017-06-01T11:11:11.1Z",
"updated_at": "2017-06-01T11:11:11.1Z"
}
]
SUCCESS

Congratulations! You're ready to make requests to the Business API with an access token.

Refresh access token

When the access_token expires, you will first need to request a new one using the refresh_token returned in step 4 and the JWT obtained in step 2.

JWT expiration

The JWT also has an expiration date, specified when it is created. If it expires, you will need to generate a new one. The refresh_token remains valid, so there is no need to reauthorize the consent.

curl https://b2b.revolut.com/api/1.0/auth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=refresh_token" \
  --data "refresh_token=<insert refresh_token>" \
  --data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  --data "client_assertion=<insert JWT>"

Request fields (URL-encoded)

| Field | Description | Format | Required |
| --- | --- | --- | --- |
| grant_type | The OAuth grant type: refresh_token. | String | Yes |
| refresh_token | The refresh token. | String | Yes |
| client_assertion_type | The type of the client assertion: urn:ietf:params:oauth:client-assertion-type:jwt-bearer. | String | Yes |
| client_assertion | The JWT token that you generated in step 2. | String | Yes |

Sample response

{
"access_token": "oa_prod_rPo9OmbMAuguhQffR6RLR4nvmzpx4NJtpdyvGKkrS3U",
"token_type": "bearer",
"expires_in": 2399
}

Note: The refresh_token has no expiration date. However, for businesses on the freelancer plan, the refresh_token is terminated every 90 days to ensure compliance with PSD2 SCA regulations. Therefore, you must authorize the API to access your account once more and request a new access token.

What's next

  • See the API Reference for full details on different endpoints of the Business API.
  • See the tutorials for using various Business API endpoints.