Sandbox overview

The PSD2 sandbox environment contains dummy data about customer accounts and transactions. The sandbox allows developers to freely use our APIs as if they were connected to the Live environment. From a developer point of view, the API behaviour, parameters, and headers are identical to the Live APIs, so once the API has been implemented and tested through the sandbox, the developer can simply change the API URI to that of the Live environment to perform real payments and access real data from Arab Bank.

The APIs which are currently on the sandbox environment are account information and payment APIs, which require explicit end-user consent. All other APIs in our API products are on the Live environment.

Sample data

The sandbox is preloaded with customer accounts and all account-related information such as account number, balance, transactions, direct debits, and so on.

At some point during the OAuth flow, the user needs to authenticate through a redirect to the Arab Bank login and consent app. The credentials used there are the customer's Arabi Online (Internet banking) credentials. In the sandbox, one of the username and password pairs below must be entered to simulate the three-legged OAuth flow and access the sandbox account information.

Customer Login Username   Password
user123                   Qwerty123
ramez                     Qwerty123

All APIs can be tried and tested through our Interactive documentation or by browsing through the API Explorer on the left.

Procedure to simulate the oAuth flow

Step 1) Initiate authorization

Each API has a section under the API explorer where you can run the API and see the results. When an API is configured to require completed authorization (i.e. to present an access token), you will see a button titled "OAuth 2.0 Set." Clicking this button starts the OAuth flow and the consent app flow.

Step 2) Enter credentials

Enter the customer login username and password from the table above.

Step 3) Give consent on the account ID

At this point, all account IDs that this customer holds with the bank are presented, and you need to choose one of them. Consent is given only for account access or for payment, depending on the flow.
After the flow completes, the button "OAuth 2.0 Set" turns into "OAuth 2.0 Authenticated." This means the API explorer holds the access token that it will present when you call the APIs. To remove the authentication, click the "x" on this button.

Step 4) Enter the one-time-password

Enter the OTP (any random number in the sandbox; on Live, wait for the SMS verification code). Once the above steps are completed, an authorization code is returned through the app's callback URL as a query parameter. This code is exchanged for an access token through the token endpoint of the oAuth API, which grants access to the bank's resources and data.

Summary of PSD2 API calls

To access banking resources which require explicit consent from the bank's customer, five consecutive API calls must be made before information can be retrieved or a payment performed.

  • Order in which the Account Information APIs need to be called:
  1. oAuth API: POST /token --- for the client_credentials grant.
  2. Account Information API: POST /account-requests --- to send the third party's permissions for accessing the bank customer's data on behalf of the customer.
  3. oAuth API: GET /authorize --- for the redirect to Arab Bank's login and consent app.
  4. oAuth API: POST /token --- for the authorization_code grant (same parameters as in 1, but include the "code" body param obtained from 3).
  5. Account Information API: GET /accounts or any other resource --- access the customer's bank account information.
  • Order in which the Payment APIs need to be called:
  1. oAuth API: POST /token --- for the client_credentials grant.
  2. Payment Initiation API: POST /payments --- to send the payment information and the third party's permissions for accessing the bank customer's data and making payments on behalf of the customer.
  3. oAuth API: GET /authorize --- for the redirect to Arab Bank's login and consent app.
  4. oAuth API: POST /token --- for the authorization_code grant (same parameters as in 1, but include the "code" body param obtained from 3).
  5. Payment Submission API: POST /payment-submissions or GET /payment-submissions --- submit a payment or retrieve information about a payment.
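The five Account Information calls listed above, driven from a Python client, as an added example that is not the bank's own code. The host, client credentials, callback URL and the body of /account-requests are placeholders (the real body is in the interactive documentation), and the HTTP calls and the user-driven login, consent and OTP step are injected so the sequence can be exercised against the sandbox or against a stand-in. It goes one step beyond the page by sending a random OAuth state value on the redirect and rejecting a callback whose state does not match.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: substitute the sandbox app's values from the portal.
BASE = "https://SANDBOX_HOST_PLACEHOLDER"
CLIENT_ID, CLIENT_SECRET = "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://tpp.example/callback"  # the app's callback URL (placeholder)


def token_request(grant_type, code=None):
    """Body for POST /token: step 1 (client_credentials) and step 4 (authorization_code).
    Step 4 reuses step 1's parameters and adds the "code" returned on the callback."""
    body = {"grant_type": grant_type, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    if grant_type == "authorization_code":
        body["code"] = code
        body["redirect_uri"] = REDIRECT_URI
    return body


def authorize_url(state):
    """Step 3: GET /authorize redirect to the login and consent app. The random
    state value lets the app tie the callback to the session that started it."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "state": state}
    return BASE + "/authorize?" + urlencode(query)


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the callback's query string,
    refusing a callback whose state does not match the one we sent."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return params["code"][0]


def account_information_flow(post, get, complete_consent):
    """The five Account Information calls in the order the page lists them.
    post(path, body, bearer) and get(path, bearer) perform the HTTP calls;
    complete_consent(url) is the user's login/consent/OTP step and returns the callback URL."""
    state = secrets.token_urlsafe(16)
    app_token = post("/token", token_request("client_credentials"), None)["access_token"]
    # Step 2: the permissions body is defined in the interactive docs (placeholder here).
    post("/account-requests", {"permissions": ["PLACEHOLDER_PERMISSION"]}, app_token)
    code = code_from_callback(complete_consent(authorize_url(state)), state)
    user_token = post("/token", token_request("authorization_code", code), None)["access_token"]
    return get("/accounts", user_token)  # Step 5: the customer's account information
```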

More information about each API endpoint can be found in the interactive API documentation.