We don’t use static strings such as API keys and access tokens to authenticate connections to our API. Those methods are easy to use, but they also make it easier for someone to steal from your bank account. To keep your account as safe as possible, we use Elliptic Curve Digital Signature Algorithm (ECDSA) private/public key pairs.

How it works at a glance

1. You generate a key pair. A private key stays on your server. A public key is sent to Bloobank.
2. You sign each request. For every HTTP call, you sign the payload with your private key.
3. Bloobank verifies. We verify the signature using the public key on file. If it doesn’t match, the request is rejected.

Even if someone intercepts the signature in transit, they cannot forge a new one without your private key — and the private key never leaves your server.
All communication must go over HTTPS exclusively. Your private key must remain solely under your control — it must never be sent to Bloobank, exposed in client-side applications, committed to version control, or shared through insecure channels.
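
The three steps above, sketched in Go as an added example (not Bloobank's own code). The curve (P-256), digest (SHA-256), signature encoding (ASN.1 DER), function names and sample payload are assumptions, because this page does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// GenerateKeyPair: the private key stays on your server; only pubDER is shared.
// Assumed, not from the Bloobank docs: P-256, SHA-256, ASN.1 DER signatures.
func GenerateKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, pubDER, err
}

// SignPayload signs the exact request bytes with the private key (client side).
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyPayload checks a signature against the public key on file (verifier side).
func VerifyPayload(pubDER, payload, sig []byte) bool {
	key, err := x509.ParsePKIXPublicKey(pubDER)
	if pub, isECDSA := key.(*ecdsa.PublicKey); err == nil && isECDSA {
		digest := sha256.Sum256(payload)
		return ecdsa.VerifyASN1(pub, digest[:], sig)
	}
	return false // unparsable key or not an ECDSA key
}

func main() {
	priv, pubDER, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	body := []byte(`{"amount":"10.00","to":"ACC-EXAMPLE"}`) // constructed sample payload
	sig, _ := SignPayload(priv, body)                       // a nil signature simply fails verification
	tampered := []byte(`{"amount":"9999.00","to":"ACC-EXAMPLE"}`)
	fmt.Println("valid:", VerifyPayload(pubDER, body, sig), "tampered:", VerifyPayload(pubDER, tampered, sig))
}
```

The signature covers the exact bytes that were signed, so the body sent over HTTPS must be byte-for-byte the one passed to the signing function; re-serializing the JSON after signing makes verification fail.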

Environments

Access credentials and signing keys are tied to the environment in which they were issued — sandbox, staging, or production. Each environment must be kept fully isolated, with its own credentials, configurations, and signing keys. Before going live in production, validate all integration flows in a test or staging environment, ensuring that authentication, request signing, response handling, and error handling are correctly implemented.
