To make your first API request, complete the initial setup, following this high-level procedure:
After you complete and validate the setup, you can make requests to the Business API.
Authorize your application to access your Revolut Business account via the Business API. To do this, first upload your certificate on the Business API settings page of the Revolut Business portal.
Run the following commands in your preferred CLI to create a private and a public certificate:
openssl genrsa -out privatecert.pem 2048
openssl req -new -x509 -key privatecert.pem -out publiccert.cer -days 1825
You will be asked to enter some details about your organization for the certificate's "Distinguished Name". Enter each piece of information and press Enter, until you get back to the command prompt. You may also leave some fields blank.
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
To upload the generated certificate, copy and paste the content of publiccert.cer into the X509 public key field.
Enter the OAuth redirect URI for your application (for example, https://example.com). This is the URL where you are redirected after you consent to the application accessing your Revolut Business account.
You are redirected to the API Certificate page with the parameters of your application. Copy the ClientID, which will be needed in the following steps.
Optionally, provide a list of IP addresses for additional security. If provided, only traffic from these IP addresses will be allowed.
Single IP addresses as well as IP pools in CIDR notation are allowed.
In order to grant the consent to your application, you will need to generate a client-assertion JWT (JSON Web Token) which is cryptographically signed with the private certificate generated in step 1. This JWT is used whenever a new access token needs to be requested and is composed of a header, a payload and a signature.
JWT Header:
{
"alg": "RS256",
"typ": "JWT"
}
JWT Payload:
{
"iss": "<insert your_domain>",
"sub": "<insert ClientID>",
"aud": "https://revolut.com",
"exp": <insert expiry_date>
}
Ensure that the parameters meet the following format.
Field | Description | Format | Required |
---|---|---|---|
iss | Domain from redirect_url (without https:// ). | String | Yes |
sub | Your client_id | String | Yes |
aud | https://revolut.com | String | Yes |
exp | JWT expiration date; you can use a UNIX timestamp converter to obtain the value. Example for 90 days in the future: 1703671945. | Number, in UNIX timestamp format, given in seconds | Yes |
Do not provide the exp value as a string!
There are several libraries to generate a JWT. To manually generate the JWT, follow these steps:
1. Save the JWT header in a file named header.json.
2. Save the JWT payload in a file named payload.json.
3. Place the privatecert.pem file from step 1 in the same directory.
4. Run the following commands:
cat header.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > client_assertion.txt
echo -n "." >> client_assertion.txt
cat payload.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' >> client_assertion.txt
cat client_assertion.txt | tr -d '\n' | tr -d '\r' | openssl dgst -sha256 -sign privatecert.pem | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > sign.txt
echo -n "." >> client_assertion.txt
cat sign.txt >> client_assertion.txt
A client_assertion.txt file is created, containing the client assertion JWT.
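The following is an added example, not Revolut's own code: it wraps the manual openssl steps above into a function that builds the client-assertion JWT, rejects a non-numeric exp (the warning in the table), and verifies the RS256 signature against publiccert.cer, which is the check worth running before sending the JWT to /auth/token. It assumes only POSIX sh and openssl; the file names match step 1, and the ClientID and domain values are placeholders.

```shell
# Added example (not Revolut's code). Assumes POSIX sh and openssl in PATH.
# File names match step 1; ClientID and domain are placeholders.

# base64url as used by JWT: standard base64, '+/' -> '-_', padding stripped
b64url() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }

# make_client_assertion <private key PEM> <iss domain> <sub ClientID> <exp seconds>
# Prints header.payload.signature; refuses a non-numeric exp (must not be a string).
make_client_assertion() {
  key=$1; iss=$2; sub=$3; exp=$4
  case $exp in
    ''|*[!0-9]*) echo "exp must be a UNIX timestamp in seconds, not a string" >&2; return 1 ;;
  esac
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"https://revolut.com","exp":%s}' \
    "$iss" "$sub" "$exp" | b64url)
  # RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload", which is
  # exactly what "openssl dgst -sha256 -sign" produces
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_client_assertion <jwt> <X.509 cert PEM>: returns 0 if the signature matches
verify_client_assertion() {
  jwt=$1; cert=$2
  signing_input=${jwt%.*}        # "header.payload"
  sig=${jwt##*.}
  while [ $(( ${#sig} % 4 )) -ne 0 ]; do sig="${sig}="; done   # restore base64 padding
  sigfile=$(mktemp); pubfile=$(mktemp)
  openssl x509 -in "$cert" -pubkey -noout > "$pubfile"      # public key out of the cert
  printf '%s' "$sig" | tr '_-' '/+' | openssl enc -base64 -d -A > "$sigfile"
  if printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$pubfile" \
       -signature "$sigfile" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$sigfile" "$pubfile"
  return $rc
}

# Stand-alone use with the step 1 files in the current directory (90-day expiry)
if [ -f privatecert.pem ] && [ -f publiccert.cer ]; then
  client_id="<insert ClientID>"   # placeholder, replace with the ClientID from the portal
  exp=$(( $(date +%s) + 90 * 24 * 3600 ))
  jwt=$(make_client_assertion privatecert.pem example.com "$client_id" "$exp")
  verify_client_assertion "$jwt" publiccert.cer && printf '%s' "$jwt" > client_assertion.txt
fi
```

A JWT that fails the local verification will also be rejected by /auth/token, so this catches a wrong key file or a mangled payload before any request is made.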
Log in to the Revolut Business portal, and go to the Business API settings.
Select the certificate you want to edit.
On the API Certificate page, get your client ID from the ClientID field.
Click Enable access. You are redirected to the /app-confirm URL where you grant your application access to your account via the Business API. See an example below.
https://business.revolut.com/app-confirm?client_id=<ClientID>&redirect_uri=https://example.com&response_type=code#authorise
Optional: you can narrow down the security permissions of the consent by adding &scope= and a comma-separated list of the desired scopes defined in the API Reference. For example &scope=READ,WRITE.
Click Authorise. This triggers a 2-factor authentication (2FA) process. On successful authorization, you are redirected to the OAuth redirect URI that you specified.
Get the authorization code (code) from the redirect URI.
https://example.com?code=oa_prod_vYo3mAI9TmJuo2_ukYlHVZMh3OiszmfQdgVqk_gLSkU
The code is only valid for two minutes.
To exchange the authorization_code for an access_token, you can use the following cURL call:
curl https://b2b.revolut.com/api/1.0/auth/token \
-H "Content-Type: application/x-www-form-urlencoded"\
--data "grant_type=authorization_code"\
--data "code=<insert authorization_code>"\
--data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"\
--data "client_assertion=<insert JWT>"
Field | Description | Format | Required |
---|---|---|---|
grant_type | The OAuth grant type: authorization_code . | String | Yes |
code | The authorization code obtained from the redirect URI in step 3. | String | Yes |
client_assertion_type | The type of the client assertion: urn:ietf:params:oauth:client-assertion-type:jwt-bearer . | String | Yes |
client_assertion | The JWT token that you generated in step 2. | String | Yes |
{
"access_token": "oa_prod_rPo9OmbMAuguhQffR6RLR4nvmzpx4NJtpdyvGKkrS3U",
"token_type": "bearer",
"expires_in": 2399,
"refresh_token": "oa_prod_hQacSGnwx-luIfj3dlVByrytVV9rWAnyHkpJTwG_Tr8"
}
Every access_token is only valid for 40 minutes. After the access_token expires, you must request a new access_token, using the refresh_token and the JWT.
For more information, see: Refresh access token.
To verify that everything is working, make a request to the /accounts endpoint to get a list of all your accounts, using the access_token you obtained at the previous step:
curl https://b2b.revolut.com/api/1.0/accounts \
-H "Authorization: Bearer <your access_token>"
Example response:
[
{
"id": "2a0d4d03-e26c-4159-9de1-c6bf3adfd8a1",
"name": "Current GBP account",
"balance": 100.0,
"currency": "GBP",
"state": "active",
"public": false,
"updated_at": "2017-06-01T11:11:11.1Z",
"created_at": "2017-06-01T11:11:11.1Z"
},
{
"id": "df8d6b20-0725-482e-a29e-fb09631480cf",
"name": "EUR expenses account",
"balance": 1234.0,
"currency": "EUR",
"state": "active",
"public": false,
"created_at": "2017-06-01T11:11:11.1Z",
"updated_at": "2017-06-01T11:11:11.1Z"
}
]
Congratulations! You're ready to make requests to the Business API with an access token.
When the access_token expires, you will first need to request a new one using the refresh_token returned in step 4 and the JWT obtained in step 2.
The JWT also has an expiration date specified when it is created. If it expires, you will need to generate a new one. The refresh_token remains valid, so there is no need to reauthorize the consent.
curl https://b2b.revolut.com/api/1.0/auth/token \
-H "Content-Type: application/x-www-form-urlencoded"\
--data "grant_type=refresh_token"\
--data "refresh_token=<insert refresh_token>"\
--data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"\
--data "client_assertion=<insert JWT>"
Field | Description | Format | Required |
---|---|---|---|
grant_type | The OAuth grant type: refresh_token . | String | Yes |
refresh_token | The refresh token. | String | Yes |
client_assertion_type | The type of the client assertion: urn:ietf:params:oauth:client-assertion-type:jwt-bearer . | String | Yes |
client_assertion | The JWT token that you generated in step 2. | String | Yes |
{
"access_token": "oa_prod_rPo9OmbMAuguhQffR6RLR4nvmzpx4NJtpdyvGKkrS3U",
"token_type": "bearer",
"expires_in": 2399
}
The refresh_token has no expiration date. However, for businesses on the freelancer plan, the refresh_token is terminated every 90 days to ensure compliance with PSD2 SCA regulations.
Therefore, you must authorize the API to access your account once more and request a new access token.