API Security

Authentication and Authorization

For authentication we use certificates from our trusted provider, GlobalSign. The certificate contains a ThumbPrint that is used whenever an API session is requested.

The certificate file is used for requesting an access token - using a standard JWT OAuth 2.0 signed token. Our tokens contain the access rights of the user requesting access.

To receive an access token, you must send your certificate details, username and password encoded in Base64 using Basic Authentication scheme to our Authorization endpoint. Access tokens expire after five minutes.


All Banking Circle APIs enforce mutual TLS 1.2.

Web Application Firewall

We use a Web Application Firewall configured to OWASP standards to protect against vulnerabilities such as SQL injections, DDoS and XSS attacks.

Our WAF logs are under continuous security monitoring 365 days per year, using a dedicated Managed Detection & Response service.

Penetration Test

The Banking Circle web platform and all APIs are subject to penetration testing on a yearly-basis to uncover potential vulnerabilities. All penetration tests have been passed with no remarks.

Code Review

All software is code-reviewed to ensure quality assurance. Static code analysis is incorporated across our platforms.