# Bermuda Commercial Bank RESTful Open Banking API Implementation

The Bermuda Commercial Bank (BCB) RESTful Open Banking API provides secure, programmatic access to BCB's banking services, enabling developers to integrate financial services into their applications.

### Key Features
- Account details retrieval
- Internal transfers
- Payments (Swift)
- Virtual Accounts
- Transaction information access
- Robust security and compliance
- Comprehensive documentation
### Available Environments
**UAT Environment**

**URL:** https://api-uat.bcb.bm

**Purpose:** Testing and integration

**Production Environment**

**URL:** https://api.bcb.bm

**Purpose:** Live production use



Version: v1

## Servers

UAT Environment - Used for testing and integration purposes
```
https://api-uat.bcb.bm
```

Production Environment - Live environment for production use
```
https://api.bcb.bm
```

## Security

### Authorization

Access token

Type: http
In: header
Scheme: bearer
Bearer Format: jwt

### Feature Permissions

Feature-based permissions are claims contained in the JWT token. The token must include the specified permission claim to access the endpoint. These permissions are validated during token validation.

Type: http
In: header
Scheme: bearer
Bearer Format: jwt

## Download OpenAPI description

[Bermuda Commercial Bank RESTful Open Banking API Implementation](https://developers.bcb.bm/_spec/apis/open-banking-api/open-banking-api.yaml)

## Accounts

### Account Details

 - [GET /v1/accounts/{accountNumber}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/accounts/accounts_get.md): Retrieves the account details and balance. This endpoint requires authentication and returns comprehensive information for the specified account. The returned data includes:

- : The human-readable account number assigned by the bank.
- : A label provided by the account owner.
- : The list of users who own this account.
- : The type of account.
- : The account's balance including currency and amount.
- : Additional account information specific to Bermuda Commercial Bank.
            
### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default).
- Set  for CSV responses.
If the Accept header is omitted,  is assumed.
            
### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### List User Accounts

 - [GET /v1/accounts](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/accounts/accounts_getall.md): Retrieves a list of all accounts associated with the authenticated user's profile. This endpoint:

- Uses the customer account number from the authenticated user's session to fetch all associated accounts.
- Requires valid authentication.
- Supports both JSON and CSV response formats based on the Accept header.
- Returns a summary version of account information (AccountSummary) containing only essential fields
-  for efficient handling of large account lists.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including page_size, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default).
- Set  for CSV responses.
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### List payment statuses for an account

 - [GET /v1/accounts/{accountNumber}/payments](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/accounts/transactionstatus_getaccounttransactionstatuses.md): Retrieves status information for all payments associated with a specific account. This endpoint:
            
- Provides comprehensive payment status details including type, status, transaction ID, external reference, remittance information, amounts, value date, and exchange rate.
- Supports both JSON and CSV response formats based on the Accept header.
-  for efficient handling of large payment status datasets.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including pageSize, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts/{accountNumber}/payments

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### List payment statuses for an account

 - [GET /v1/accounts/{accountNumber}/payments](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/payments/transactionstatus_getaccounttransactionstatuses.md): Retrieves status information for all payments associated with a specific account. This endpoint:
            
- Provides comprehensive payment status details including type, status, transaction ID, external reference, remittance information, amounts, value date, and exchange rate.
- Supports both JSON and CSV response formats based on the Accept header.
-  for efficient handling of large payment status datasets.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including pageSize, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts/{accountNumber}/payments

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## Payments

### List payment statuses for an account

 - [GET /v1/accounts/{accountNumber}/payments](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/accounts/transactionstatus_getaccounttransactionstatuses.md): Retrieves status information for all payments associated with a specific account. This endpoint:
            
- Provides comprehensive payment status details including type, status, transaction ID, external reference, remittance information, amounts, value date, and exchange rate.
- Supports both JSON and CSV response formats based on the Accept header.
-  for efficient handling of large payment status datasets.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including pageSize, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts/{accountNumber}/payments

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### SWIFT Payment

 - [POST /v1/payments/swift](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/payments/payments_post.md): Initiates a SWIFT payment transfer. The request must include all required payment details including:
- Source and destination account information
- Payment amount and currency
- Beneficiary details
- Payment purpose and reference information
            
### Key Features:
- Supports international wire transfers via SWIFT network
- Implements idempotency to prevent duplicate transactions
- Validates payment requests before processing
- Supports both JSON and CSV response formats

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/payments/swift
### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a valid UUID idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses
- The idempotency key must be a valid UUID format (e.g., "123e4567-e89b-12d3-a456-426614174000")

### Sample Request in JavaScript:



### Response Structure

| Field | Type | Description |
|-------|------|-------------|
| id | string | Unique identifier for the payment |
| status | string | Payment status ( or ) |
| transactionStatus | string | Detailed transaction status |
| uniqueIdentifier | string | Unique identifier for tracking |
| details | object | Payment details object |
| linkedActivities | array | Related financial activities |

 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### List payment statuses for an account

 - [GET /v1/accounts/{accountNumber}/payments](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/payments/transactionstatus_getaccounttransactionstatuses.md): Retrieves status information for all payments associated with a specific account. This endpoint:
            
- Provides comprehensive payment status details including type, status, transaction ID, external reference, remittance information, amounts, value date, and exchange rate.
- Supports both JSON and CSV response formats based on the Accept header.
-  for efficient handling of large payment status datasets.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including pageSize, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts/{accountNumber}/payments

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Get payment status

 - [GET /v1/payments/{paymentId}/status](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/payments/transactionstatus_gettransactionstatus.md): Retrieves detailed status information for a specific payment identified by its payment ID (also known as transaction ID). This endpoint provides comprehensive status details including:

- : The type of payment (e.g., "Outward Swift Payment MT103 API")
- : Current status of the payment (e.g., "Pending", "Completed", "Failed")
- : Unique payment identifier (or Transaction Id)
- : External reference number for the payment
- : Free-text information about the purpose of the payment
- : The amount debited from the account, including currency code
- : The amount credited to the account, including currency code
- : The date when the payment was/will be processed
- : The exchange rate applied to the payment

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/payments/{paymentId}/status

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## Credentials

### Create new API client credentials

 - [POST /v1/credentials](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/credentials/credentials_post.md): Creates new API client credentials based on an existing client's permissions and configuration.
The new credentials will inherit the same roles and permissions as the specified existing client.

 :
- A new client ID (GUID) is generated automatically
- A cryptographically secure password (22-30 characters) is generated automatically
- All roles and direct permissions are copied from the existing client
- The new credentials can have different IP restrictions if specified


- Generated passwords are 22-30 characters long for enhanced security
- Include uppercase letters, lowercase letters, digits, and special characters
- The generated password is only returned once in the response


- You can only create credentials based on clients you have access to
- New client inherits exact role and permission set from source client
- IP restrictions can be customized or inherited from source client
            
### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/credentials

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Rotate the client secret for an existing API client

 - [PATCH /v1/credentials/{clientId}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/credentials/credentials_patch.md): Rotates (changes) the client secret for an existing API client while preserving all other settings.
This is useful for credential rotation policies, security incident response, or regular maintenance.

 :
- A new cryptographically secure password (22-30 characters) is generated automatically
- The existing client's secret is immediately replaced with the new one
- All roles, permissions, and other settings remain unchanged
- The old secret becomes invalid immediately after successful rotation
- The new secret is returned in the response (only shown once)


- Generated passwords are 22-30 characters long for enhanced security
- Include uppercase letters, lowercase letters, digits, and special characters
- The new password is only returned once in the response


- You can only rotate secrets for clients you have access to
- The rotated client retains all existing roles and permissions


- The old secret stops working immediately after successful rotation
- Any applications using the old secret will need to be updated with the new secret
- Store the new secret securely as it won't be shown again
            
### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/credentials/{clientId}

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Disable an existing API client

 - [DELETE /v1/credentials/{clientId}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/credentials/credentials_delete.md): Disables an existing API client, immediately preventing any further authentication using that client ID and secret.
This operation also revokes all active tokens associated with the client.

 :
- Disables the credentials instantly – all authentication requests will fail after this operation
- Revokes all active tokens immediately for enhanced security
- Idempotent: calling the endpoint on an already inactive client returns success


- All active tokens are immediately invalidated and removed from the system
- Any applications using the disabled client will lose access immediately
- The client record is preserved for audit and compliance purposes


- You can only disable clients that belong to your organization
            
### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/credentials/{clientId}

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Get permissions for an existing API client

 - [GET /v1/credentials/{clientId}/permissions](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/credentials/credentials_getpermissions.md): Retrieves all permissions assigned to the specified API client. The response provides a comprehensive view of
what features the client can access.

 :
- Returns all permissions assigned to the client
- Results are sorted alphabetically by permission key for consistent ordering
- Includes human-readable descriptions for each permission


- You can only view permissions for clients that belong to your organization


- Audit client access capabilities
- Troubleshoot authentication and authorization issues
- Verify client configuration during security reviews
- Document client permissions for compliance purposes
            
### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/credentials/{clientId}/permissions

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## Fx Quotes

### Get FX Quote

 - [GET /v1/fx-quotes](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/fx-quotes/fxquotes_get.md): Retrieves a foreign exchange quote for converting between currencies (for the requested pair and amount).
The same quote will be automatically applied by the system to any internal transfer or payment involving two different currencies, provided it is used within its expiry time.
            
### High-Value Exchange Requests (> 100 000 BMD)
If the requested exchange amount exceeds , the system will  in the  response.  
Instead, the request is routed for  to secure the most competitive rate available.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/fx-quotes

### Validation Rules
- Currencies must be valid three-letter ISO 4217 codes
- Unit currency and currency of transfer must be different
- Instructed amount must be a valid decimal number with up to 2 decimal places

### Sample Request in JavaScript:


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## Internal Transfers

### Internal Transfer

 - [POST /v1/internal-transfers](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/internal-transfers/internaltransfers_post.md): Initiates an internal funds transfer between two accounts within the institution. 
The request must include source and destination account details, along with the amount and currency to be transferred. 
Optionally, clients may provide a transaction reference and remittance information describing the purpose of the payment.

- debitAccountNumber: The account number from which funds will be debited.
- debitAmountCurrency: The currency code for the debit amount. Must match the credit account currency.
- creditAccountNumber: The account number to be credited.
- creditAmountCurrency: The currency code for the credit amount. Must match the debit account currency.
- debitAmount: The amount to be transferred.
- endToEndIdentification: (Optional) A unique reference provided by the client to identify the transaction end-to-end.
- remittanceInformation: (Optional) Free-text remittance information describing the purpose of the transaction.
            
### Important Notes:
- Transfers between accounts with different currencies are not allowed. The debit and credit account currencies must match.
- Ensure all inputs are validated and the source account has sufficient funds before making the request.
            
### High-Value Exchange Requests (> 100 000 BMD)
If the requested exchange amount exceeds , the  endpoint will . 
Instead, the request is routed for  to secure the most competitive rate available.

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible).
- If a valid UUID idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results.
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response.
- Idempotency keys are user-specific - different users don't share cached responses.
- The idempotency key must be a valid UUID format (e.g., "123e4567-e89b-12d3-a456-426614174000").
            
### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default).
- Set  for CSV responses.
If the Accept header is omitted,  is assumed.
            
### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/internal-transfers
            
### Sample Request in JavaScript:
            


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## Token

### Generate Token

 - [POST /auth/token](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/token/token_generatetoken.md): Generates a JWT access token based on provided client credentials. Use this POST endpoint to authenticate using your  and  and receive a JWT token.

 40 minutes from the time of issuance.

 


- 
- 

### Sample Request in JavaScript:



## Transactions

### Account Transactions

 - [GET /v1/accounts/{accountNumber}/transactions](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/transactions/transactions_get.md): Retrieves transaction details for the specified account and date range. This endpoint:

- Validates the provided date parameters. The accepted date formats are  or .
- Maximum date range is one year.
- Supports both JSON and CSV response formats based on the Accept header.
-  for efficient handling of large transaction datasets.

### Transaction ID Uniqueness
: Transaction IDs are globally unique across the entire banking system. For internal transfers, the same transaction ID appears on both accounts (debit and credit entries) with only the transaction type differing. When fees apply, multiple entries may share the same transaction ID.

📖 : https://developers.bcb.bm/guides/transaction-id-uniqueness-guide

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including pageSize, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/accounts/{accountNumber}/transactions

### Sample Request in JavaScript
            


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## Virtual Accounts

### Create Virtual Account

 - [POST /v1/virtual-accounts](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccounts_post.md): Creates a new virtual (sub) account for a corporate client. Virtual accounts allow funds to be segregated and tracked independently while remaining linked to a single settlement account.
            

- : ISO-4217 currency code for the virtual account (e.g., USD, BMD).
- : Human-readable label for the virtual account.
- : Official account title that will appear on statements.
            

- : External reference provided by the client to aid reconciliation (max 35 characters).
            
### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users with the same keys don't share cached responses
            
### Sample Request (JavaScript)


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Get All Virtual Accounts

 - [GET /v1/virtual-accounts](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccounts_getall.md): Retrieves all virtual accounts for the authenticated corporate client. This endpoint:

- Returns a paginated list of virtual accounts for the client
- Response contains the client’s real (non-virtual) accounts as well:
-  – the primary clearing account used for cash movements. Account category: "CMS Settlement".
-  – the parent account under which all virtual accounts are organised. Account category: "CMS Parent Cate".
-  have the category "CMS Sub Acct".
- Supports optional currency filtering to return only accounts in a specific currency
-  for efficient handling of large account datasets

### Filtering
Use the optional  query parameter to filter results:
- Must be a valid 3-letter ISO currency code (e.g., USD, BMD, EUR)
- If omitted, accounts in all currencies are returned

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including pageSize, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts

### Sample Request in JavaScript
            


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Update Virtual Account

 - [PATCH /v1/virtual-accounts/{virtualAccountNumber}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccounts_patch.md): Updates an existing virtual (sub) account for a corporate client. Only the fields provided in the request body will be updated.
            

- : Human-readable label for the virtual account.
- : Official account title that will appear on statements.
- : External reference provided by the client to aid reconciliation (max 35 characters).
            
### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts

### Sample Request (JavaScript)


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Get Virtual Account Details

 - [GET /v1/virtual-accounts/{virtualAccountNumber}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccounts_getdetails.md): Retrieves comprehensive information about a specific virtual account, including all its sub-accounts, parent account details, and settlement account information. This endpoint:

- Returns the virtual account details as a single object
- Includes parent account information (the account this virtual account is derived from)
- Provides settlement account details (the account used for settlement operations)

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{accountNumber}

### Sample Request in JavaScript
            


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Virtual Account Transactions

 - [GET /v1/virtual-accounts/{virtualAccountNumber}/transactions](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransactions_get.md): Retrieves transaction entries for a specific virtual (sub) account within a given date range.
This endpoint:

- Validates the provided date parameters. Accepted formats:  or .
- Supports a maximum date range of one year.
- Supports both JSON and CSV response formats based on the Accept header.
- Uses cursor-based pagination with server-side result-set management.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including page_size, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.      

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{virtualAccountNumber}/transactions

### Sample Request in JavaScript


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Virtual Account Transaction Details

 - [GET /v1/virtual-accounts/transactions/{transactionId}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransactions_getdetails.md): Retrieves detailed information for a specific virtual-account transaction identified by its globally unique transaction ID. This endpoint:

- Returns a single transaction detail object with full context (accounts, amounts, value date, narrative, attributes)
- Supports both JSON and CSV response formats based on the Accept header

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/transactions/{transactionId}

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Reverse Virtual Account Transaction

 - [DELETE /v1/virtual-accounts/transactions/{transactionId}](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransactions_reverse.md): Reverses a specific virtual-account transaction identified by its globally unique transaction ID. This endpoint:

- Reverses the specified transaction and returns the reversal details
- Supports both JSON and CSV response formats based on the Accept header
- Requires appropriate permissions to perform transaction reversals

### Important Business Rules
- : The current development design allows only to reverse records created on the same day
- : The transaction status must have "Live" status to be eligible for reversal

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Idempotency
This endpoint supports idempotency through the  header. When provided:
- : Multiple requests with the same idempotency key will not create duplicate reversals
- : The same response will be returned for identical requests within the idempotency window
- : Always include a unique idempotency key for production requests to ensure safe retry behavior

Example: 

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/transactions/{transactionId}

### Sample Request in JavaScript



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Get Virtual Account Deposits

 - [GET /v1/virtual-accounts/{virtualAccountNumber}/deposits](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransactions_getdeposits.md): Retrieves deposit transaction entries for a specific virtual (sub) account.
This endpoint:     
- Returns detailed deposit transaction information including account numbers, amounts, and transaction status.
- Supports both JSON and CSV response formats based on the Accept header.
- Uses cursor-based pagination with server-side result-set management.

### Pagination
This endpoint uses cursor-based pagination with server-side result-set management:
- : Optionally specify  (default: 100, max: 1000). The server creates a cursor and returns a .
- : Use the  from previous responses with  to navigate pages.
- : Contains encoded pagination context including page_size, so don't specify  in subsequent requests.
- : Calculate using  from the response metadata.      

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{virtualAccountNumber}/deposits

### Sample Request in JavaScript


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Credit Virtual Account

 - [POST /v1/virtual-accounts/{accountNumber}/transfers/credit](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransfers_credit.md): Credits funds to a virtual account from a parent account. This endpoint allows clients to transfer funds 
into a virtual account.

The request must include source account details, the amount to be credited, and currency information. 
The virtual account number is specified in the route parameter, and the credit account number in the 
request body (optional) must match the route parameter.

### Key Features:
- Transfers funds from a source account to a virtual account
- Supports idempotency to prevent duplicate transactions
- Validates account numbers and currency matching
- Supports both JSON and CSV response formats
- Automatic account number validation and matching

### Important Notes:
- The creditAccountNumber in the request body must match the accountNumber in the route parameter
- If creditAccountNumber is not provided in the request body, it will automatically use the accountNumber from the route
- Transfers between accounts with different currencies are not allowed
- Ensure the source account has sufficient funds before making the request
- Virtual accounts must be in an active state to receive credits


Virtual accounts are sub-accounts linked to a parent account:

When crediting a virtual account, funds flow from the parent account to the virtual account.

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{accountNumber}/transfers/credit

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Debit Virtual Account

 - [POST /v1/virtual-accounts/{accountNumber}/transfers/debit](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransfers_debit.md): Initiates a debit transfer from a virtual (sub) account to transfer funds to the parent account and ultimately to the settlement account. 
This endpoint allows corporate clients to withdraw funds from their virtual accounts for settlement purposes.
            
: As a corporate client, I want to debit a sub account to transfer funds to the parent account and ultimately to the settlement account.
            
### Key Features:
- Transfers funds from a virtual account to a main account
- Supports idempotency to prevent duplicate transactions
- Validates account numbers and currency matching
- Supports both JSON and CSV response formats
- Automatic account number validation and matching

### Important Notes:
- The debitAccountNumber in the request body must match the accountNumber in the route parameter
- If debitAccountNumber is not provided in the request body, it will automatically use the accountNumber from the route
- Transfers between accounts with different currencies are not allowed
- Ensure the source account has sufficient funds before making the request
            

Virtual accounts are sub-accounts linked to a parent account:

When debiting a virtual account, funds flow from the virtual account to the parent account.
            
### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses
            
### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{accountNumber}/transfers/debit
    
### Sample Request in JavaScript:
            


 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Counter-party Settlement Transfer (Internal)

 - [POST /v1/virtual-accounts/{settlementAccountNumber}/settlements/internal](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransferssettlement_settlementinternal.md): Corporate Client initiates Settlement request to BCB to debit Settlement Account and credit to Counterparty Account.
This endpoint allows clients to transfer funds from a settlement account to an internal counterparty account.

### Key Features:
- Transfers funds from a settlement account to an internal counterparty account
- Supports idempotency to prevent duplicate transactions
- Validates account numbers and currency matching
- Supports both JSON and CSV response formats
- Automatic settlement account number validation

### Important Notes:
- The settlementAccountNumber in the route parameter identifies the source settlement account
- The creditAccountNumber in the request body specifies the destination counterparty account
- Transfers between accounts with different currencies are not allowed
- Ensure the settlement account has sufficient funds before making the request
- Settlement accounts must be in an active state to process transfers

### Settlement Account Structure
Settlement accounts are special accounts used for counterparty transactions:

When processing a settlement transfer, funds flow from the settlement account to the counterparty account.

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{settlementAccountNumber}/settlements/internal

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Counter-party Settlement Transfer (External)

 - [POST /v1/virtual-accounts/{settlementAccountNumber}/settlements/external](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransferssettlement_settlementexternal.md): Corporate Client initiates External Settlement request to BCB to debit Settlement Account and credit to External Counterparty Account.
This endpoint allows clients to transfer funds from a settlement account to an external counterparty account.

### Key Features:
- Transfers funds from a settlement account to an external counterparty account
- Supports idempotency to prevent duplicate transactions
- Supports both JSON and CSV response formats
- Automatic settlement account number validation
- Includes beneficiary and ordering customer information for external transfers

### Important Notes:
- The settlementAccountNumber in the route parameter identifies the source settlement account
- The creditAccountNumber in the request body specifies the destination external counterparty account
- Transfers between accounts with different currencies are not allowed
- Ensure the settlement account has sufficient funds before making the request
- Settlement accounts must be in an active state to process transfers
- External transfers require additional beneficiary information for compliance

### Settlement Account Structure
Settlement accounts are special accounts used for counterparty transactions:

When processing an external settlement transfer, funds flow from the settlement account to the external counterparty account.

### External Transfer Requirements
External transfers require additional information for regulatory compliance:
- : Identifier or reference for the beneficiary
- : Information about the party initiating the transfer
- : The external account number receiving the funds

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{settlementAccountNumber}/settlements/external

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Withdraw funds (Internal)

 - [POST /v1/virtual-accounts/{virtualAccountId}/withdrawals/internal](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransferswithdrawal_withdrawalinternal.md): Initiates an internal withdrawal transfer from a virtual account to an internal destination account.
This endpoint allows clients to withdraw funds from a virtual account to an internal account within the institution.

### Key Features:
- Withdraws funds from a virtual account to an internal destination account
- Supports idempotency to prevent duplicate transactions
- Validates account numbers and currency matching
- Supports both JSON and CSV response formats
- Automatic virtual account number validation

### Important Notes:
- The virtualAccountId in the route parameter identifies the source virtual account
- The creditAccountNumber in the request body specifies the destination internal account
- Transfers between accounts with different currencies are not allowed
- Ensure the virtual account has sufficient funds before making the request
- Virtual accounts must be in an active state to process withdrawals

### Virtual Account Withdrawal Structure
Virtual account withdrawals transfer funds from virtual accounts to internal accounts:

When processing a withdrawal transfer, funds flow from the virtual account to the internal destination account.

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{virtualAccountId}/withdrawals/internal

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

### Withdraw funds (External)

 - [POST /v1/virtual-accounts/{virtualAccountId}/withdrawals/external](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/virtual-accounts/virtualaccountstransferswithdrawal_withdrawalexternal.md): Initiates an external withdrawal transfer from a virtual account to an external destination account.
This endpoint allows clients to withdraw funds from a virtual account to an external account outside the institution.

### Key Features:
- Withdraws funds from a virtual account to an external destination account
- Supports idempotency to prevent duplicate transactions
- Supports both JSON and CSV response formats
- Automatic virtual account number validation
- Includes beneficiary customer information for external transfers

### Important Notes:
- The virtualAccountId in the route parameter identifies the source virtual account
- The creditAccountNumber in the request body specifies the destination external account
- Transfers between accounts with different currencies are not allowed
- Ensure the virtual account has sufficient funds before making the request
- Virtual accounts must be in an active state to process withdrawals
- External transfers require additional beneficiary information for compliance

### Virtual Account Withdrawal Structure
Virtual account withdrawals transfer funds from virtual accounts to external accounts:

When processing an external withdrawal transfer, funds flow from the virtual account to the external destination account.

### External Transfer Requirements
External transfers require additional information for regulatory compliance:
- : Identifier or reference for the beneficiary receiving the funds
- : The external account number receiving the funds
- : The debit currency must match the credit amount currency

### Idempotency
The API supports idempotency through the optional  header:
- If no idempotency key is provided, the request is processed normally (duplicates are possible)
- If a idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
- If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
- Idempotency keys are user-specific - different users don't share cached responses

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
- Set  for CSV responses
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/virtual-accounts/{virtualAccountId}/withdrawals/external

### Sample Request in JavaScript:



 

This endpoint requires the permission claim  to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

## System

### Get system time

 - [GET /v1/system/time](https://developers.bcb.bm/apis/open-banking-api/open-banking-api/system/system_getsystemtime.md): Returns the current server date and time in ISO-8601 format. 
This endpoint helps integrators synchronize with the server clock and craft valid date/time windows for other API requests.

The response contains :
1. timestamp – Current Bermuda local time in ISO-8601 format with the correct offset (e.g., 2025-01-07T14:30:15-04:00).
2. timeZone  – Display name of the time zone currently in effect ("Atlantic Daylight Time" or "Atlantic Standard Time").
            
This allows clients to know both the precise instant and whether Daylight-Saving Time is observed.

### Content Negotiation
Clients must use the HTTP Accept header to indicate the desired response format:
- Set  for JSON responses (default)
If the Accept header is omitted,  is assumed.

### Base URL:
All API requests use the versioned base URL:

    https://api.bcb.bm/v1/system/time

### Sample Request in JavaScript: