Skip to content
/Credentials

Bermuda Commercial Bank RESTful Open Banking API Implementation (v1)

The Bermuda Commercial Bank (BCB) RESTful Open Banking API provides secure, programmatic access to BCB's banking services, enabling developers to integrate financial services into their applications.

Key Features

  • Account details retrieval
  • Internal transfers
  • Payments (Swift)
  • Virtual Accounts
  • Transaction information access
  • Robust security and compliance
  • Comprehensive documentation

Available Environments

UAT Environment

URL: https://api-uat.bcb.bm

Purpose: Testing and integration

Production Environment

URL: https://api.bcb.bm

Purpose: Live production use

Download OpenAPI description
open-banking-api.json
open-banking-api.yaml
Overview
URL
https://www.bcb.bm
Bermuda Commercial Bank Limited, 34 Bermudiana Road, Hamilton HM 11, Bermuda
enquiries@bcb.bm
Languages
Servers
Mock server
https://developers.bcb.bm/_mock/apis/open-banking-api/open-banking-api/
UAT Environment - Used for testing and integration purposes
https://api-uat.bcb.bm/
Production Environment - Live environment for production use
https://api.bcb.bm/

Accounts

Operations

Credentials

Operations

Create new API client credentials

Request

Creates new API client credentials based on an existing client's permissions and configuration. The new credentials will inherit the same roles and permissions as the specified existing client.

Key Features:

  • A new client ID (GUID) is generated automatically
  • A cryptographically secure password (22-30 characters) is generated automatically
  • A cryptographically secure message signing secret (32 bytes) is generated automatically for HMAC-SHA256 signing
  • All roles and direct permissions are copied from the existing client
  • The new credentials can have different IP restrictions if specified

Password Security:

  • Generated passwords are 22-30 characters long for enhanced security
  • Include uppercase letters, lowercase letters, digits, and special characters
  • The generated password is only returned once in the response

Message Signing Secret:

  • A 32-byte (256-bit) random key (Base64 encoded) is generated for signing API requests
  • This key will be used by the system to sign callback responses - notifications, background job webhooks
  • The secret is returned only once in the response

Access Control:

  • You can only create credentials based on clients you have access to
  • New client inherits exact role and permission set from source client
  • IP restrictions can be customized or inherited from source client

Base URL:

All API requests use the versioned base URL:

https://api.bcb.bm/v1/credentials

Idempotency

The API supports idempotency through the optional Idempotency-Key header:

  • If no idempotency key is provided, the request is processed normally (duplicates are possible)
  • If a valid UUID idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
  • If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
  • Idempotency keys are user-specific - different users with the same keys don't share cached responses
  • The idempotency key must be a valid UUID format (e.g., "123e4567-e89b-12d3-a456-426614174000").

Sample Request in JavaScript:

async function createCredentials() {
  try {
    const token = localStorage.getItem('jwt'); // Your JWT token from authentication
    
    const response = await fetch('https://api.bcb.bm/v1/credentials', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': `Bearer ${token}`
      },
      body: JSON.stringify({
        allowedIps: '192.168.1.100,10.0.0.0/24' // Optional: specify IP restrictions, or omit/'*' for all IPs
      })
    });
    
    if (!response.ok) {
      const errorData = await response.json();
      throw new Error(`Error: ${errorData.message || response.statusText}`);
    }
    
    const data = await response.json();
    console.log('New credentials created:', {
      clientId: data.clientId,
      clientSecret: data.clientSecret, // Save this securely - only shown once!
      messageSigningSecret: data.messageSigningSecret, // Save this securely - only shown once!
      isActive: data.isActive,
      allowedIps: data.allowedIps
    });
    
    // Store new credentials securely
    // WARNING: This is just an example - use secure storage in production
    localStorage.setItem('newClientId', data.clientId);
    localStorage.setItem('newClientSecret', data.clientSecret);
    localStorage.setItem('newMessageSigningSecret', data.messageSigningSecret);
    
  } catch (error) {
    console.error('Error creating credentials:', error);
  }
}

createCredentials();

Required Permission: manage-credentials

This endpoint requires the permission claim manage-credentials to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

Security
Authorization and Feature Permissions
Bodyapplication/json
allowedIpsstring or null[ 0 .. 1000 ] characters

Optional IP address restrictions for the new client credentials. If omitted (null/empty) or set to "*", all IP addresses will be allowed. Otherwise, specify a comma-separated list of allowed IP addresses and/or CIDR ranges.

Example: "192.168.1.1,10.0.0.0/24,2001:db8::/32"
curl -i -X POST \
  https://developers.bcb.bm/_mock/apis/open-banking-api/open-banking-api/v1/credentials \
  -H 'Authorization: Bearer <YOUR_jwt_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "allowedIps": "192.168.1.1,192.168.1.2"
  }'

Responses

Credentials created successfully

Bodyapplication/json
clientIdstringrequired

Unique client identifier (GUID) assigned by the authorization server. This identifier is used in conjunction with the client secret for API authentication.

clientSecretstringrequired

Client secret assigned by the authorization server.

isActivebooleanrequired

Value indicating whether the client credentials are currently active and can be used for authentication.

allowedIpsstring or null

IP address restrictions for the client credentials. Defines which IP addresses or IP ranges are allowed to use these credentials for authentication.

messageSigningSecretstringrequired

Base64-encoded 32-byte secret used to sign messages for authentication or integrity verification.

Response
application/json
{
  "clientId": "a1b2c3d4-e5f6-4789-b012-3456789abcde",
  "clientSecret": "Abc123XyzP9mN7kLAbc123XyzP95",
  "isActive": true,
  "allowedIps": "192.168.1.1,192.168.1.2",
  "messageSigningSecret": "HtYp2oJm5DwQ1xL8bSeRgUkN4vZc3PhYtLwSxV2N9Cs="
}

Rotate the client secret for an existing API client

Request

Rotates (changes) the client secret AND the message signing secret for an existing API client while preserving all other settings. This is useful for credential rotation policies, security incident response, or regular maintenance.

Key Features:

  • A new cryptographically secure password (22-30 characters) is generated automatically
  • A new cryptographically secure message signing secret (32 bytes) is generated automatically
  • The existing client's secrets are immediately replaced with the new ones
  • All roles, permissions, and other settings remain unchanged
  • The old secrets become invalid immediately after successful rotation
  • The new secrets are returned in the response (only shown once)

Password Security:

  • Generated passwords are 22-30 characters long for enhanced security
  • Include uppercase letters, lowercase letters, digits, and special characters
  • The new password is only returned once in the response

Access Control:

  • You can only rotate secrets for clients you have access to
  • The rotated client retains all existing roles and permissions

Important Security Notes:

  • The old secret stops working immediately after successful rotation
  • Any applications using the old secret will need to be updated with the new secret
  • Store the new secret securely as it won't be shown again

Base URL:

All API requests use the versioned base URL:

https://api.bcb.bm/v1/credentials/{clientId}

Idempotency

The API supports idempotency through the optional Idempotency-Key header:

  • If no idempotency key is provided, the request is processed normally (duplicates are possible)
  • If a valid UUID idempotency key is provided for a new transaction, the system stores the key and associates it with the transaction results
  • If the same idempotency key is received again for the same endpoint/action, the system returns the previously stored response
  • Idempotency keys are user-specific - different users with the same keys don't share cached responses
  • The idempotency key must be a valid UUID format (e.g., "123e4567-e89b-12d3-a456-426614174000").

Sample Request in JavaScript:

async function rotateClientSecret(clientId) {
  try {
    const token = localStorage.getItem('jwt'); // Your JWT token from authentication
    
    const response = await fetch(`https://api.bcb.bm/v1/credentials/${clientId}`, {
      method: 'PATCH',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': `Bearer ${token}`
      }
    });
    
    if (!response.ok) {
      const errorData = await response.json();
      throw new Error(`Error: ${errorData.message || response.statusText}`);
    }
    
    const data = await response.json();
    console.log('Client secret rotated successfully:', {
      clientId: data.clientId,
      newClientSecret: data.clientSecret, // Save this securely - only shown once!
      newMessageSigningSecret: data.messageSigningSecret, // Save this securely - only shown once!
      isActive: data.isActive,
      allowedIps: data.allowedIps
    });
    
    // Update stored credentials securely
    // WARNING: This is just an example - use secure storage in production
    localStorage.setItem('clientSecret', data.clientSecret);
    localStorage.setItem('messageSigningSecret', data.messageSigningSecret);
    
    // Important: Update any applications using the old secret
    console.warn('IMPORTANT: Update all applications using this client with the new secret!');
    
  } catch (error) {
    console.error('Error rotating client secret:', error);
  }
}

// Example usage
rotateClientSecret('12345678-1234-1234-1234-123456789abc');

Required Permission: manage-credentials

This endpoint requires the permission claim manage-credentials to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

Security
Authorization and Feature Permissions
Path
clientIdstringrequired

The unique identifier of the client whose secret should be rotated

curl -i -X PATCH \
  'https://developers.bcb.bm/_mock/apis/open-banking-api/open-banking-api/v1/credentials/{clientId}' \
  -H 'Authorization: Bearer <YOUR_jwt_HERE>'

Responses

Secret rotated successfully

Bodyapplication/json
clientIdstringrequired

Unique client identifier (GUID) assigned by the authorization server. This identifier is used in conjunction with the client secret for API authentication.

clientSecretstringrequired

Client secret assigned by the authorization server.

isActivebooleanrequired

Value indicating whether the client credentials are currently active and can be used for authentication.

allowedIpsstring or null

IP address restrictions for the client credentials. Defines which IP addresses or IP ranges are allowed to use these credentials for authentication.

messageSigningSecretstringrequired

Base64-encoded 32-byte secret used to sign messages for authentication or integrity verification.

Response
application/json
{
  "clientId": "a1b2c3d4-e5f6-4789-b012-3456789abcde",
  "clientSecret": "Abc123XyzP9mN7kLAbc123XyzP95",
  "isActive": true,
  "allowedIps": "192.168.1.1,192.168.1.2",
  "messageSigningSecret": "HtYp2oJm5DwQ1xL8bSeRgUkN4vZc3PhYtLwSxV2N9Cs="
}

Disable an existing API client

Request

Disables an existing API client, immediately preventing any further authentication using that client ID and secret. This operation also revokes all active tokens associated with the client.

Key Features:

  • Disables the credentials instantly – all authentication requests will fail after this operation
  • Revokes all active tokens immediately for enhanced security
  • Idempotent: calling the endpoint on an already inactive client returns success

Security Considerations:

  • All active tokens are immediately invalidated and removed from the system
  • Any applications using the disabled client will lose access immediately
  • The client record is preserved for audit and compliance purposes

Access Control:

  • You can only disable clients that belong to your organization

Base URL:

All API requests use the versioned base URL:

https://api.bcb.bm/v1/credentials/{clientId}

Sample Request in JavaScript:

async function disableClient(clientId) {
  try {
    const token = localStorage.getItem('jwt'); // Your JWT token from authentication
    
    const response = await fetch(`https://api.bcb.bm/v1/credentials/${clientId}`, {
      method: 'DELETE',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': `Bearer ${token}`
      }
    });
    
    if (!response.ok) {
      const errorData = await response.json();
      throw new Error(`Error: ${errorData.message || response.statusText}`);
    }
    
    const data = await response.json();
    console.log('Client disabled successfully:', {
      clientId: data.clientId,
      isActive: data.isActive, // Should be false
      allowedIps: data.allowedIps
    });
    
    // Important: Update any applications that were using this client
    console.warn('IMPORTANT: All applications using this client will lose access immediately!');
    
  } catch (error) {
    console.error('Error disabling client:', error);
  }
}

// Example usage
disableClient('12345678-1234-1234-1234-123456789abc');

Required Permission: manage-credentials

This endpoint requires the permission claim manage-credentials to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

Security
Authorization and Feature Permissions
Path
clientIdstringrequired

The unique identifier of the client to disable

curl -i -X DELETE \
  'https://developers.bcb.bm/_mock/apis/open-banking-api/open-banking-api/v1/credentials/{clientId}' \
  -H 'Authorization: Bearer <YOUR_jwt_HERE>'

Responses

Client disabled successfully

Bodyapplication/json
clientIdstringrequired

Unique client identifier (GUID) assigned by the authorization server. This identifier is used in conjunction with the client secret for API authentication.

clientSecretstringrequired

Client secret assigned by the authorization server.

isActivebooleanrequired

Value indicating whether the client credentials are currently active and can be used for authentication.

allowedIpsstring or null

IP address restrictions for the client credentials. Defines which IP addresses or IP ranges are allowed to use these credentials for authentication.

messageSigningSecretstringrequired

Base64-encoded 32-byte secret used to sign messages for authentication or integrity verification.

Response
application/json
{
  "clientId": "a1b2c3d4-e5f6-7890-abcd-123456789def",
  "clientSecret": "",
  "isActive": false,
  "allowedIps": "192.168.1.100,10.0.0.0/24",
  "messageSigningSecret": null
}

Get permissions for an existing API client

Request

Retrieves all permissions assigned to the specified API client. The response provides a comprehensive view of what features the client can access.

Key Features:

  • Returns all permissions assigned to the client
  • Results are sorted alphabetically by permission key for consistent ordering
  • Includes human-readable descriptions for each permission

Access Control:

  • You can only view permissions for clients that belong to your organization

Use Cases:

  • Audit client access capabilities
  • Troubleshoot authentication and authorization issues
  • Verify client configuration during security reviews
  • Document client permissions for compliance purposes

Base URL:

All API requests use the versioned base URL:

https://api.bcb.bm/v1/credentials/{clientId}/permissions

Sample Request in JavaScript:

async function getClientPermissions(clientId) {
  try {
    const token = localStorage.getItem('jwt'); // Your JWT token from authentication
    
    const response = await fetch(`https://api.bcb.bm/v1/credentials/${clientId}/permissions`, {
      method: 'GET',
      headers: {
        'Accept': 'application/json',
        'Authorization': `Bearer ${token}`
      }
    });
    
    if (!response.ok) {
      const errorData = await response.json();
      throw new Error(`Error: ${errorData.message || response.statusText}`);
    }
    
    const permissions = await response.json();
    console.log('Client permissions:', permissions);
    
    // Display permissions in a user-friendly format
    permissions.forEach(permission => {
      console.log(`- ${permission.key}: ${permission.description || 'No description available'}`);
    });
    
    return permissions;
    
  } catch (error) {
    console.error('Error retrieving client permissions:', error);
  }
}

// Example usage
getClientPermissions('12345678-1234-1234-1234-123456789abc');

Required Permission: manage-credentials

This endpoint requires the permission claim manage-credentials to be present in the JWT token. These permissions are embedded in the token during the authentication process and cannot be modified afterward. The token must be obtained with the appropriate permissions to access this endpoint.

Security
Authorization and Feature Permissions
Path
clientIdstringrequired

The unique identifier of the client to retrieve permissions for

curl -i -X GET \
  'https://developers.bcb.bm/_mock/apis/open-banking-api/open-banking-api/v1/credentials/{clientId}/permissions' \
  -H 'Authorization: Bearer <YOUR_jwt_HERE>'

Responses

Permissions retrieved successfully

Bodyapplication/jsonArray [
keystringrequired

Unique permission key that identifies the specific permission. Used in authorization checks and JWT token claims.

Example: "get-account"
descriptionstring or null

Human-readable description of what this permission allows. Provides context for administrators managing client permissions.

Example: "Allows access to account information endpoints"
]
Response
application/json
[
  {
    "key": "get-account",
    "description": "Allows access to retrieve individual account information"
  },
  {
    "key": "get-all-accounts",
    "description": "Allows access to retrieve all accounts for a customer"
  },
  {
    "key": "get-fx-quote",
    "description": "Allows access to foreign exchange quote endpoints"
  },
  {
    "key": "get-transactions",
    "description": "Allows access to transaction history endpoints"
  },
  {
    "key": "get-payment-status",
    "description": "Allows access to payment status tracking endpoints"
  },
  {
    "key": "make-internal-transfer",
    "description": "Allows execution of internal transfers between accounts"
  },
  {
    "key": "make-payment-swift",
    "description": "Allows execution of SWIFT payment transactions"
  },
  {
    "key": "manage-credentials",
    "description": "Allows management of API client credentials and permissions"
  }
]

Fx Quotes

Operations

Internal Transfers

Operations

Payments

Operations

Token

Operations

Transactions

Operations

Virtual Accounts

Operations

Notifications

Operations

Background Jobs

Operations

System

Operations