BBankConnectorDeveloper Docs

Going Live

Audience: πŸ”Œ Integration Client (with πŸ—οΈ operator notes where the two meet)

Moving from sandbox to real payments involves a few steps that are not driven by your API key β€” they're one-time human and operator actions. Plan for them.

The path to production

1. A bank connection must exist and be active (human/UI step)

Payments to a host-to-host bank require an active host-to-host connection. There is no automatic fall-back to file-return β€” without the connection, submission fails 422.

Setting up and activating a connection is a session-Admin action in the web UI (your API key gets 403 on these routes, by design). Depending on the bank it involves channel-specific steps β€” SFTP credentials, PGP keys, or the EBICS key-exchange sequence (params β†’ generate-keys β†’ send-ini β†’ letter β†’ fetch-hpb) β€” followed by activation. A human at your company does this once per bank.

Sequence your onboarding accordingly: connection first (UI), then your API-key integration drives payments.

2. Approvers configured, if you use maker-checker (human/UI step)

If an approval policy applies, approvers must be set on the connection, and each approver needs 2FA enrolled (and, in some flows, an identity enrollment). Approvals happen in the UI or via approver session calls β€” again, not your API key. Decide your policy (e.g. the default dual-approval) before go-live.

3. Connection environment vs deployment posture β€” and the real money boundary

Each connection carries environment: test | production, independent of the deployment's posture. Two guard-rails to know:

4. Bank IP allow-listing / static egress

Banks typically allow-list the IPs that may connect to them. The BankConnector deployment must therefore present a static egress IP (via NAT / Elastic IP). For most customers on the hosted bankconnector.com platform, this is handled by the operator β€” confirm your egress IP with support before your first live send, and notify your bank at least 5 business days before any egress IP change. If your company runs an on-premises deployment instead, this is your own responsibility.

5. Production credentials

Your production API key is separate from your sandbox key. Because keys don't expire, establish a rotation runbook now: create-new β†’ cut-over β†’ revoke-old, performed by a workspace admin. Store the key in a secrets manager, never in source.

Production behaviour differences to expect

AspectSandboxProduction
Real-money sendspermitted unless your company is sandboxOnly β€” see aboveon
Demo bankavailabledisabled (demo_bank_disabled_in_production)
Docs surface (/docs, /openapi.*) on that instanceavailable404
Rate limitingtypically offon (300/60 s per platform for API keys)
Authclosedclosed

Because the docs surface is 404 in production, don't have your client fetch the spec at runtime from a production instance. This documentation site vendors the spec at build time instead, so it stays available regardless.

Operational readiness (πŸ—οΈ / shared)

A few deployment facts worth confirming with your operator, since they affect you:

Final go-live checklist