API Security
Authentication and Authorization
For authentication we use client certificates issued by our trusted provider, GlobalSign. The certificate's thumbprint identifies the client whenever an API session is requested.
The certificate is used when requesting an access token, which is a signed OAuth 2.0 JWT. Our tokens carry the access rights of the user requesting access.
To receive an access token, send your certificate details together with your username and password, Base64-encoded under the Basic Authentication scheme, to our Authorization endpoint. Access tokens expire after five minutes.
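A client-side sketch of the flow above, added here as an illustration and not Banking Circle's own code: the host, path and JSON field names are assumptions, the certificate and key files are the caller's own. It presents the client certificate over TLS 1.2, sends the Basic credentials, and re-requests the cached token before the five-minute expiry so no call goes out with a stale token.

```python
import base64
import http.client
import json
import ssl
import time

TOKEN_LIFETIME_S = 5 * 60  # access tokens expire after five minutes (stated on the page)
REFRESH_MARGIN_S = 30      # re-request early so no call goes out with a token about to expire


def basic_auth_header(username, password):
    """Basic scheme: 'Basic ' + base64("username:password")."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def mtls_context(cert_file, key_file):
    """Client context presenting our certificate (mutual TLS), TLS 1.2 minimum, server verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def request_token(host, path, ctx, username, password, thumbprint):
    """POST to the authorization endpoint; host, path and JSON field names are assumptions."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    body = json.dumps({"certificateThumbprint": thumbprint})  # assumed field name
    headers = {"Authorization": basic_auth_header(username, password),
               "Content-Type": "application/json"}
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"token request failed with HTTP {resp.status}")
    return json.loads(data)["access_token"]  # assumed response field name


class TokenCache:
    """Holds one access token and re-requests it before the five-minute expiry."""

    def __init__(self, fetch, now=time.time):
        self._fetch, self._now = fetch, now  # `now` is injectable so expiry can be tested
        self._token, self._issued_at = None, 0.0

    def get(self):
        age = self._now() - self._issued_at
        if self._token is None or age >= TOKEN_LIFETIME_S - REFRESH_MARGIN_S:
            self._token, self._issued_at = self._fetch(), self._now()
        return self._token
```

Wire the pieces together as `TokenCache(lambda: request_token(host, path, mtls_context(cert, key), user, pw, thumb)).get()` and call `get()` before every API request.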
Encryption
All Banking Circle APIs enforce mutual TLS 1.2.
Web Application Firewall
We use a Web Application Firewall configured to OWASP standards to protect against attacks such as SQL injection, cross-site scripting (XSS) and DDoS.
Our WAF logs are under continuous security monitoring, 365 days a year, by a dedicated Managed Detection & Response service.
Penetration Test
The Banking Circle web platform and all APIs are penetration-tested on a yearly basis to uncover potential vulnerabilities. All penetration tests have been passed with no remarks.
Code Review
All software is code-reviewed for quality assurance, and static code analysis is integrated across our platforms.