Quickstart Guide

Get up and running with the Open Banking API in just a few minutes. This guide will walk you through registering your application, authenticating, and making your first API call.

Prerequisites

Before you begin, ensure you have:
  • Valid contact information (name, email address, phone number, and address)
  • A valid business email address
  • Basic knowledge of REST APIs and OAuth 2.0
  • A secure HTTPS redirect URL for OAuth 2.0 callbacks
  • A development environment ready

Quick Start

1. Register Application

First, register your application using the Dynamic Client Registration API to get your credentials (client ID and secret):
curl -X POST ${AUTH_BASE_URL}/dcr \
  -H "Content-Type: application/json" \
  -d '{
    "username": "ciroma.chukwuma@adekunle.com",
    "password": "veryStrongPassword",
    "app_name": "Test Open Banking App",
    "app_description": "My Test Open Banking App",
    "app_developer_name": "Fantastic Fintech Ltd",
    "app_developer_address": "Plot 35, Okokomaiko Lane, Lagos",
    "app_developer_contact_email": "ciroma.chukwuma@adekunle.com",
    "app_developer_contact_phone": "04022404014",
    "redirect_url": "https://myapps.com/callback"
}'
In sandbox, you’ll receive credentials immediately, whereas in production the credential status will be PENDING_APPROVAL. Once approved by the Sparkle team, you will be notified and can call the GET /dcr API to retrieve your credentials.

2. Authenticate customer and get their authorisation to access their resources

Authenticate the customer and get their approval to access their resources (e.g. Account Information resources, Payment Initiation, etc.). There are 4 main methods of authorisation; choose whichever is most applicable:
  • Device Code Authorisation - For dumb devices, i.e. where the customer cannot complete Sparkle authentication on a desktop computer or smartphone and can only authenticate via USSD or SMS
  • Authorisation code - For smart devices, i.e. where the customer can complete Sparkle authentication on a desktop computer or smartphone
  • Authorisation code with PKCE - For smart (unsafe) devices, e.g. Single Page Applications
  • Client Credentials - For API resources that do not require customer consent/approval, e.g. Get Biller Categories
Sample code that shows how to implement OAuth 2.0 authorisation with PKCE:

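// Authorisation via PKCE challenge (RFC 7636)
// Base64url-encode bytes without padding
const base64url = (bytes) =>
  btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const generatePKCE = async () => {
  // 32 random bytes encode to a 43-character verifier (the RFC 7636 minimum)
  const codeVerifier = base64url(crypto.getRandomValues(new Uint8Array(32)));
  // S256: challenge = base64url(SHA-256(code_verifier))
  const digest = await crypto.subtle.digest(
    'SHA-256', new TextEncoder().encode(codeVerifier));
  return { codeVerifier, codeChallenge: base64url(digest) };
};

// Step 1: Redirect user to authorization URL
const redirectToAuthorisation = async () => {
  const { codeVerifier, codeChallenge } = await generatePKCE();
  // The page unloads on redirect, so keep the verifier for Step 2
  sessionStorage.setItem('pkce_code_verifier', codeVerifier);
  const authUrl = `${AUTH_BASE_URL}/oauth/authorize?` +
    `client_id=${encodeURIComponent(credentials.client_id)}&` +
    `redirect_uri=${encodeURIComponent(credentials.redirect_urls[0])}&` +
    `response_type=code&` +
    `scope=${encodeURIComponent('accounts payments')}&` +
    `code_challenge=${codeChallenge}&` +
    `code_challenge_method=S256`;

  window.location.href = authUrl;
};

redirectToAuthorisation();

// Step 2: Exchange authorization code for access token
const exchangeCodeForToken = async (code) => {
  // Read back the verifier stored in Step 1; it is single use
  const codeVerifier = sessionStorage.getItem('pkce_code_verifier');
  sessionStorage.removeItem('pkce_code_verifier');

  // Template literal (backticks) so AUTH_BASE_URL is interpolated
  const response = await fetch(`${AUTH_BASE_URL}/oauth/token`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: credentials.client_id,
      // Never embed client_secret in browser code; if the token endpoint
      // requires it, perform this exchange on your backend instead
      client_secret: credentials.client_secret,
      code: code,
      redirect_uri: credentials.redirect_urls[0],
      code_verifier: codeVerifier
    })
  });

  if (!response.ok) {
    throw new Error(`Token request failed with status ${response.status}`);
  }

  const tokenData = await response.json();
  return tokenData.access_token;
};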
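
A self-test for PKCE values before they are sent with code_challenge_method=S256. This is an added example, not code from the Sparkle documentation; it assumes Node.js and an authorisation server that verifies PKCE as RFC 7636 describes, and the names checkPkcePair and s256Challenge are illustrative.

```javascript
// Added example. Assumes the server checks PKCE per RFC 7636 section 4.6.
const { createHash, timingSafeEqual } = require('node:crypto');

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// S256 transform: BASE64URL(SHA-256(ASCII(code_verifier))), no padding.
function s256Challenge(codeVerifier) {
  return createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// Mirrors the token-endpoint check. Returns a reason string so a client
// self-test can report what is wrong with the pair it generated.
function checkPkcePair(codeVerifier, codeChallenge, method = 'S256') {
  if (!VERIFIER_RE.test(codeVerifier)) return 'invalid_verifier_format';
  // Policy choice in this example: accept S256 only, never "plain".
  if (method !== 'S256') return 'unsupported_method';
  const expected = Buffer.from(s256Challenge(codeVerifier));
  const received = Buffer.from(String(codeChallenge));
  if (expected.length !== received.length) return 'challenge_mismatch';
  return timingSafeEqual(expected, received) ? 'ok' : 'challenge_mismatch';
}

// Test vector from RFC 7636 Appendix B.
const RFC_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
const RFC_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

// Constructed sample inputs covering the common client-side mistakes.
const samples = [
  // Correct pair.
  [RFC_VERIFIER, RFC_CHALLENGE],
  // Challenge that is only base64 of the verifier, declared as S256.
  [RFC_VERIFIER, Buffer.from(RFC_VERIFIER).toString('base64')],
  // A 36-character UUID is shorter than the 43-character minimum.
  ['123e4567-e89b-42d3-a456-426614174000', RFC_CHALLENGE],
];

for (const [verifier, challenge] of samples) {
  console.log(`${verifier.slice(0, 12)}... -> ${checkPkcePair(verifier, challenge)}`);
}
```
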

3. Make API call

Make your first API call to retrieve customer information. Now you can make API calls using your access token:
curl -X GET ${API_BASE_URL}/v1/openapi/accounts \
  -H "Authorization: Bearer ${YOUR_ACCESS_TOKEN}" \
  -H "idempotency_key: ${IDEMPOTENCY_KEY}" \
  -H "signature: ${SIGNATURE}"

4. Build your application

Build your application using our comprehensive APIs

Next Steps

Congratulations! You’ve successfully:
  1. ✅ Registered your application
  2. ✅ Implemented OAuth authentication
  3. ✅ Made your first API call
Remember to store your credentials securely and never expose them in client-side code. For Single Page Applications (SPA), use OAuth 2.0 with PKCE. Always use environment variables for sensitive information.