3. Make your first API request
To make your first API request, complete the initial setup, following this high-level procedure:
- Upload your certificate to authorize your application to access your Revolut Business account via the Business API.
- Provide a client assertion JWT to obtain a signing key.
- Consent to the application on the Business Portal to obtain an authorization code.
- Exchange authorization code for access token to authenticate your requests to the Business API.
- Try your first API request to get a list of all your accounts.
- When the access token expires, request a new access token.
After you complete and validate the setup, you can make requests to the Business API.
1. Upload your certificate
Authorize your application to access your Revolut Business account via the Business API. To do this, first upload your certificate on the Business API settings page of the Revolut Business portal.
Generate a private and public certificate
Run the following commands in your preferred CLI to create a private and a public certificate:
openssl genrsa -out privatecert.pem 2048
openssl req -new -x509 -key privatecert.pem -out publiccert.cer -days 1825
You will be asked to enter some details about your organization for the certificate's "Distinguished Name". Enter each piece of information and press Enter, until you get back to the command prompt. You may also leave some fields blank.
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
How to upload your certificate
To upload the generated certificate, copy and paste the content of publiccert.cer into the required field:
- Log in to the Revolut Business portal, and go to Settings > Business API.
- Click Add certificate.
- Copy and paste the content of
publiccert.certo the X509 public key field. - Specify the OAuth redirect URI (in this example we use:
example.com). This is the URL where you are redirected after you consent the application to access your Revolut Business account. - Click Continue.
You are redirected to the API Certificate page with the parameters of your application. Copy the ClientID which will be needed in the following steps.
Optionally, provide a list of IP addresses for additional security. If provided, only traffic from these IP addresses will be allowed.
Single IP addresses as well as IP pools in CIDR notation are allowed.
2. Generate a client assertion
In order to grant the consent to your application you will need to generate a client-assertion JWT (JSON Web Token) which is cryptographically signed with your private certificate generated in step 1. This JWT will be used whenever a new access token needs to be requested and is composed of a header, a payload and signature.
JWT Header:
{
"alg": "RS256",
"typ": "JWT"
}
JWT Payload:
{
"iss": "<insert your_domain>",
"sub": "<insert ClientID>",
"aud": "https://revolut.com",
"exp": <insert expiry_date>
}
Ensure that the parameters meet the following format.
| Field | Description | Format | Required |
|---|---|---|---|
iss | Domain from redirect_url (without https://). | String | Yes |
sub | Your client_id | String | Yes |
aud | https://revolut.com | String | Yes |
exp | JWT expiration date, you can use this converter to provide the UNIX timestamp. Example for 90 days in the future: 1692904686. | Number, in UNIX timestamp format, given in seconds | Yes |
Do not provide the exp value as a string!
There are several libraries to generate a JWT. To manually generate the JWT, follow these steps:
- Save the JWT header into a file named
header.json. - Save the JWT payload into a file named
payload.json. - Copy the
privatecert.pemfile from step 1 in the same directory. - Open a CLI and navigate to the directory where you saved the files.
- Copy the following commands in the CLI and press Enter to ensure all lines are executed:
cat header.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > client_assertion.txt
echo -n "." >> client_assertion.txt
cat payload.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' >> client_assertion.txt
cat client_assertion.txt | tr -d '\n' | tr -d '\r' | openssl dgst -sha256 -sign privatecert.pem | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > sign.txt
echo -n "." >> client_assertion.txt
cat sign.txt >> client_assertion.txt
A client_assertion.txt file is created, containing the client assertion JWT.
3. Consent to the application
Log in to the Revolut Business portal, and go to the Business API settings.
Select the certificate you want to edit.
On the API Certificate page, get your client ID from the ClientID field.
Click Enable access. You are redirected to the
/app-confirmURL where you grant your application access to your account via the Business API. See an example below.https://business.revolut.com/app-confirm?client_id=<ClientID>&redirect_uri=https://example.com&response_type=code#authorisetipOptional: you can narrow down the security permissions of the consent by adding
&scope=and a comma separated list of the desired scopes defined in the API Reference. For example&scope=READ,WRITE.Click Authorise. This triggers a 2-factor authentication (2FA) process. On successful authorization, you are redirected to the
OAuth redirect URIthat you specified.Get the authorization code (
code) from the redirect URI.https://example.com?code=oa_prod_vYo3mAI9TmJuo2_ukYlHVZMh3OiszmfQdgVqk_gLSkUcautionThe
codeis only valid for two minutes.
4. Exchange authorization code for access token
To exchange the authorization_code for an access_token, you can use the following cURL call:
curl https://b2b.revolut.com/api/1.0/auth/token \
-H "Content-Type: application/x-www-form-urlencoded"\
--data "grant_type=authorization_code"\
--data "code=<insert authorization_code>"\
--data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"\
--data "client_assertion=<insert JWT>"
Request fields (URL-encoded)
| Field | Description | Format | Required |
|---|---|---|---|
grant_type | The OAuth grant type: authorization_code. | String | Yes |
code | The authorization code obtained from the redirect URI in step 3. | String | Yes |
client_assertion_type | The type of the client assertion: urn:ietf:params:oauth:client-assertion-type:jwt-bearer. | String | Yes |
client_assertion | The JWT token that you generated in step 2. | String | Yes |
Sample response
{
"access_token": "oa_prod_rPo9OmbMAuguhQffR6RLR4nvmzpx4NJtpdyvGKkrS3U",
"token_type": "bearer",
"expires_in": 2399,
"refresh_token": "oa_prod_hQacSGnwx-luIfj3dlVByrytVV9rWAnyHkpJTwG_Tr8"
}
Every access_token is only valid for 40 minutes. After the access_token expires, you must request a new access_token, using the refresh_token and the JWT.
For more information, see: Refresh access token.
5. Try your first API request
To verify that everything is working, make a request to the /accounts endpoint to get a list of all your accounts using the access_token you obtained at the previous step:
curl https://b2b.revolut.com/api/1.0/accounts \
-H "Authorization: Bearer <your access_token>"
Example response:
[
{
"id": "2a0d4d03-e26c-4159-9de1-c6bf3adfd8a1",
"name": "Current GBP account",
"balance": 100.0,
"currency": "GBP",
"state": "active",
"public": false,
"updated_at": "2017-06-01T11:11:11.1Z",
"created_at": "2017-06-01T11:11:11.1Z"
},
{
"id": "df8d6b20-0725-482e-a29e-fb09631480cf",
"name": "EUR expenses account",
"balance": 1234.0,
"currency": "EUR",
"state": "active",
"public": false,
"created_at": "2017-06-01T11:11:11.1Z",
"updated_at": "2017-06-01T11:11:11.1Z"
}
]
Congratulations! You're ready to make requests to the Business API with an access token.
Refresh access token
When the access_token expires, you will first need to request a new one using the refresh_token returned in step 4 and the JWT obtained in step 2.
The JWT also has an expiration date specified when it is created. If it expires, you will need to generate a new one. The refresh_token is valid so there is no need to reauthorize the consent.
curl https://b2b.revolut.com/api/1.0/auth/token \
-H "Content-Type: application/x-www-form-urlencoded"\
--data "grant_type=refresh_token"\
--data "refresh_token=<insert refresh_token>"\
--data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"\
--data "client_assertion=<insert JWT>"
Request fields (URL-encoded)
| Field | Description | Format | Required |
|---|---|---|---|
grant_type | The OAuth grant type: refresh_token. | String | Yes |
refresh_token | The refresh token. | String | Yes |
client_assertion_type | The type of the client assertion: urn:ietf:params:oauth:client-assertion-type:jwt-bearer. | String | Yes |
client_assertion | The JWT token that you generated in step 2. | String | Yes |
Sample response
{
"access_token": "oa_prod_rPo9OmbMAuguhQffR6RLR4nvmzpx4NJtpdyvGKkrS3U",
"token_type": "bearer",
"expires_in": 2399
}
The refresh_token has no expiration date. However, for businesses on the freelancer plan, the refresh_token is terminated every 90 days to ensure compliance to PSD2 SCA regulations.
Therefore, you must authorize the API to access your account once more and request a new access token.
What's next
- See the API Reference for full details on different endpoints of the Business API.
- See the tutorials for using various Business API endpoints.