Authentication

BankLyra uses API keys for direct server-to-server authentication and OAuth 2.0 for the end-user consent authorisation flow. Both are required for a complete integration.

API keys

Every API call to BankLyra requires a secret API key in the Authorization header:

Authentication header:

  Authorization: Bearer sk_sandbox_abcdefgh1234567890

Key types

  Prefix        Environment   Scope
  sk_sandbox_   Sandbox       All endpoints; uses fictitious bank data
  sk_live_      Production    All endpoints; live bank connections

API keys must only be used server-side. Never include a secret key in client-side JavaScript, mobile apps, or public repositories. Rotate compromised keys immediately from the dashboard.

OAuth 2.0 consent flow

When you create a consent via POST /v1/consents, BankLyra returns an authorisation_url. This is the entry point to the PSD2-mandated OAuth 2.0 flow that the end user must complete to authorise data access.

Flow diagram:

  1. Your backend creates a consent → BankLyra returns authorisation_url
  2. You redirect the user to authorisation_url
  3. BankLyra redirects the user to the bank's SCA page (not your domain)
  4. User authenticates (biometric, SMS OTP, etc.) at their bank
  5. Bank redirects back to BankLyra; BankLyra redirects to your redirect_uri with ?code=…&consent_id=…
  6. Your backend calls POST /v1/consents/{id}/authorise with the code
  7. Consent becomes active (status: ACTV)

Your redirect_uri must be registered in the BankLyra dashboard under Settings → Redirect URIs before use. Sandbox accepts http://localhost:* without registration.
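A minimal backend for the seven steps above, as an added example rather than BankLyra's own SDK or sample code. The request body fields for POST /v1/consents (redirect_uri, user_ref), the API host, the shape of the JSON responses, and the fake transport that stands in for the sandbox are all assumptions; the security point shown is that the backend only authorises a consent_id it created itself, and accepts each callback once.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlparse

API_BASE = "https://api.banklyra.example"       # assumed placeholder host
API_KEY = "sk_sandbox_REPLACE_ME"               # secret key: server-side only
REDIRECT_URI = "http://localhost:8080/callback"  # localhost needs no registration in sandbox
PENDING = {}  # consent_id -> context, recorded before the user is redirected

def http_json(method, path, body=None, transport=None):
    """Authenticated JSON call; `transport` is injected so the example can run offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method, headers={
        "Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"})
    if transport is not None:
        return transport(req)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def start_consent(user_ref, transport=None):
    """Steps 1-2: create the consent and return the authorisation_url to redirect to."""
    resp = http_json("POST", "/v1/consents",
                     {"redirect_uri": REDIRECT_URI, "user_ref": user_ref}, transport)
    PENDING[resp["consent_id"]] = {"user_ref": user_ref}
    return resp["authorisation_url"]

def handle_callback(callback_url, transport=None):
    """Steps 5-7: accept ?code=&consent_id= only for a consent this backend created."""
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    consent_id = qs.get("consent_id", [None])[0]
    if not code or consent_id not in PENDING:
        raise ValueError("callback does not match a pending consent")
    ctx = PENDING.pop(consent_id)  # single use: a replayed callback is rejected
    resp = http_json("POST", f"/v1/consents/{consent_id}/authorise", {"code": code}, transport)
    if resp.get("status") != "ACTV":
        raise RuntimeError(f"consent {consent_id} is not active: {resp.get('status')}")
    return {"consent_id": consent_id, "user_ref": ctx["user_ref"], "status": "ACTV"}

def fake_banklyra(req):
    """Constructed stand-in for the sandbox API (not the real service) for offline runs."""
    assert req.get_header("Authorization") == f"Bearer {API_KEY}"
    if req.full_url.endswith("/v1/consents"):
        return {"consent_id": "cons_123", "authorisation_url": API_BASE + "/authorise/cons_123"}
    if req.full_url.endswith("/authorise"):
        # "RJCT" is a constructed non-active status used by this stand-in only
        return {"status": "ACTV" if json.loads(req.data).get("code") == "good" else "RJCT"}
    raise AssertionError("unexpected path " + req.full_url)
```

Against the real sandbox, call start_consent and handle_callback without the transport argument so urllib sends the requests with your own sk_sandbox_ key.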

Production onboarding and eIDAS

Production API keys are issued after BankLyra completes a technical and regulatory onboarding review. The review typically takes 3–5 business days.

If your own product operates as a registered AISP or PISP under PSD2, you are required to present an eIDAS QWAC certificate when calling bank APIs directly. When using BankLyra, we present our own QWAC certificates on your behalf — you don't need to obtain your own eIDAS certificate to use BankLyra's API. This applies to both AIS and PIS flows.

If you operate your own FCA Authorised Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) registration and wish to use BankLyra as technical infrastructure only (white-label ASPSP access), contact us at [email protected] to discuss the passthrough arrangement.