Codego Developers · BaaS · IBAN Accounts · v1.0

BAAS IBAN API Reference

Open IBAN accounts under your brand. Onboard account holders with KYC/KYB, open multi-currency wallets, issue dedicated IBANs, receive and send money over SEPA & SWIFT, convert currencies, and receive HMAC-signed webhooks on every event — one unified API for individuals and businesses.

Sandbox https://baas-sandbox.codegotech.com/api/v1
Live https://baas.codegotech.com/api/v1

Auth API key (X-Api-Key) · Body application/json

This reference covers the API integration for the BAAS IBAN programme. If your programme runs in "Core banking Included" mode (a fully managed, branded accounts portal that Codego hosts for you) there is nothing to integrate here — your customers use the portal directly and you manage everything from your whitelabel console.

Quickstart — Sandbox onboarding

Self-serve sandbox access in two steps. You'll get a whitelabel id and a sandbox API key (bk_sbx_…) instantly — on screen and by email. Sandbox is fully isolated — your test calls never touch live money.

1 · Sign up — get your sandbox API key

Open apikey-baas-sandbox.codegotech.com and submit your name, company and email. You instantly receive:

Your whitelabel id
Your API key in the form bk_sbx_… — shown only once, store it safely
The base URL https://baas-sandbox.codegotech.com/api/v1 and a ready-to-paste curl snippet

Provisioning is automated and instant — no approval needed. Verify your key works:

curl https://baas-sandbox.codegotech.com/api/v1/pricing \
  -H 'X-Api-Key: bk_sbx_your_key'

2 · Create your first account holder, wallet & IBAN

Create an account holder, open a currency wallet for them, then issue an IBAN. (A USER_OWNED IBAN in the holder's name requires identity verification — use COLLECTION to receive without it, or run KYC first; see Start identity verification.)

# 1) create an individual account holder
curl -X POST …/api/v1/users \
  -H 'X-Api-Key: bk_sbx_your_key' -H 'Content-Type: application/json' \
  -d '{ "type":"individual","firstName":"Maria","lastName":"Rossi",
        "email":"[email protected]","birthday":"1990-05-10",
        "nationality":"IT","countryOfResidence":"IT",
        "address":{"line1":"Via Roma 10","city":"Milano","postalCode":"20100","country":"IT"},
        "externalId":"user_001" }'
# → { "id": 15, ... }

# 2) open a EUR wallet for that holder
curl -X POST …/api/v1/users/15/wallets \
  -H 'X-Api-Key: bk_sbx_your_key' -H 'Content-Type: application/json' \
  -d '{ "currency":"EUR" }'
# → { "id": 13, "currency":"EUR", "balance":{"amount":0,"currency":"EUR"} }

# 3) issue a collection IBAN on that wallet
curl -X POST …/api/v1/wallets/13/ibans \
  -H 'X-Api-Key: bk_sbx_your_key' -H 'Content-Type: application/json' \
  -d '{ "purpose":"COLLECTION" }'
# → { "iban":"LU03…0754", "bic":"EMIBLULLXXX", "status":"active" }

That's a full account: holder → wallet → IBAN. Inspect everything you create from your whitelabel console at baas-whitelabel.codegotech.com (where you also set your customer prices, branding and webhook URL).

Integration flow

A complete integration follows these sequential steps. The endpoints in the left navigation are grouped accordingly. Identity verification is hosted by design: your end-user captures their ID and selfie on a Codego-hosted page — you never receive, store or forward identity documents, which keeps you out of the regulated data-processor scope. You receive only the final structured result via webhook.

step	What happens	Endpoints involved
1 · Onboard	Create the account holder — an individual or a business with a legal representative. Keep your own `externalId` as the correlation key.	`POST /users` · `GET /users/{id}`
2 · Verify (KYC/KYB)	Start a hosted verification session and redirect the holder to the returned `url`. For a business the same flow collects company docs and beneficial owners. Outcome arrives via the `user.updated` webhook; verification is required for an IBAN in the holder's name and for payouts.	`POST /users/{id}/kyc/sessions`
3 · Accounts	Open a currency wallet, then issue a dedicated IBAN against it (`USER_OWNED` in the holder's name, or `COLLECTION`).	`POST /users/{id}/wallets` · `POST /wallets/{id}/ibans`
4 · Receive	Money sent to the holder's IBAN credits the wallet automatically. Or generate pre-declared wire instructions to share with a sender.	`POST /wallets/{id}/payins/bankwire`
5 · Send	Add a beneficiary, then send a SEPA / SEPA-Instant / SWIFT payout. Move money between the holder's own wallets with a transfer.	`POST /users/{id}/recipients` · `POST /payouts` · `POST /transfers`
6 · FX & transactions	Convert between currencies and list the full transaction ledger.	`GET /fx/rate/{from}/{to}` · `POST /fx/convert` · `GET /transactions`
7 · Webhooks	Receive real-time notifications for every state change — KYC outcome, IBAN activation, payins, payouts, transfers.	Configured in your whitelabel console. HMAC-signed deliveries.

Sandbox parity: every endpoint, request shape, response shape, error code and webhook event is identical between sandbox and live. To promote your integration, change only the base URL host and the API key prefix.

Regulatory notice: account opening, IBAN issuance and KYC are subject to the rules of the underlying banking programme and applicable AML/CTF regulation. Sandbox is for technical integration only — no real funds and no real identity verification.

Authentication

Every request is authenticated with your whitelabel API key in the X-Api-Key header. Keys look like bk_sbx_… (sandbox) or bk_live_… (production) and are issued at signup. Keep the key server-side — never expose it in client code.

Each key is scoped to one whitelabel tenant; all resources you create or read are isolated to it. Sandbox and live are fully separated. To rotate a key, use your whitelabel console or contact [email protected].

Resources are scoped to your key. Every account holder, wallet, IBAN and transaction belongs to the tenant whose key created it. Operating on a resource that belongs to a different key returns 404 (not found), and list endpoints only ever return resources owned by the calling key.

All monetary amounts in requests and responses are in minor units (cents) — e.g. 25000 = €250.00.

Environments — sandbox & live

environment	Base URL	Key prefix	Notes
Sandbox	https://baas-sandbox.codegotech.com/api/v1	`bk_sbx_…`	Isolated environment, simulated balances, hosted KYC auto-resolves. Get a key →
Live	https://baas.codegotech.com/api/v1	`bk_live_…`	Real IBANs, real SEPA/SWIFT rails, real KYC. Authorisation required — contact [email protected] to enable.

Both environments share the same endpoint paths, request and response shapes — the same code works in both. Switch hosts, switch keys, and you're done. Webhooks are configured separately per environment.

Going live: when your sandbox integration is ready, email [email protected] with your whitelabel id. We'll complete the compliance setup and issue your bk_live_… key. To activate: switch the base URL to the live host, swap the sandbox key for your live key, and reconfigure your webhook URL for the live environment.

Identity verification & webhooks

Hosted KYC/KYB. Start a verification session for an account holder with POST /users/{id}/kyc/sessions; you get back a one-time url. Redirect (or pop up) the holder to it — they capture their ID and a selfie on a Codego-hosted page; for a business the same flow collects company documents and beneficial owners. Documents never touch your servers. The outcome syncs back via the user.updated webhook, after which GET /users/{id} shows kycLevel: "verified" and you can issue a USER_OWNED IBAN and send payouts.

Sandbox shortcut: hosted verification auto-resolves in sandbox so you can exercise the full lifecycle without waiting for human review.

Webhooks — configuration & verification

Set your receiving URL in your whitelabel console at baas-whitelabel.codegotech.com → API & Webhooks. Every delivery is a POST with header Signature: sha256=HMAC_SHA256(rawBody, secret) and an Idempotency-Key header. Verify the signature against the raw body before trusting the event, and de-duplicate on the idempotency key.

// Verify a delivery (Node)
const crypto = require('crypto');
const expected = 'sha256=' + crypto.createHmac('sha256', WEBHOOK_SECRET)
  .update(rawBody)            // the raw request body, not re-serialised JSON
  .digest('hex');
if (req.headers['signature'] !== expected) return res.status(401).end();

Example user.updated payload (delivered to your configured webhook URL):

{
  "type": "user.updated",
  "body": {
    "id": 15,                       // ← the account holder id
    "externalId": "user_001",       // ← the value you sent to POST /users
    "kycLevel": "verified",
    "status": "active"
  }
}

Map body.id → your record keyed by body.externalId, then continue: open a wallet, issue the IBAN, and start receiving and sending money. See Webhook events below for the full event list.

Errors

The API uses standard HTTP status codes. 2xx = success; 4xx = client error with a JSON { error, message } body; 5xx = transient — retry with backoff.

code	Meaning
200 / 201	Success
400	Validation failed — see `message`
401	Missing or invalid API key
404	Resource not found
429	Rate limit exceeded — honour `X-RateLimit-Reset`