Documentation
BRIAPI is a set of Application Programming Interfaces (APIs) developed by BRI that enables your application to integrate with BRI banking services easily and quickly. BRIAPI helps your company streamline financial activities for your customers.

Authentication
BRIAPI uses the OAuth 2 Authorization Framework to grant a third-party access to user accounts on an HTTP service. Before requesting our API, you have to retrieve a token by calling the Get Token endpoint.
To ensure API request safety, BRIAPI generates signatures to assure that the request or response cannot be intercepted and imitated by unauthorized users. This signature is generated using the SHA256-HMAC algorithm.
These request headers must be included in every API call, except the Get Token endpoint:
Key | Value |
---|---|
Authorization | Bearer {{TOKEN}} |
BRI-Signature | {{SIGNATURE}} |
BRI-Timestamp | {{TIMESTAMP}} |
Token
This endpoint is used to generate a token and is required for every API call. Enter this token in the Authorization header.
The token is valid for 50 hours from its creation date. You can request as many tokens as you like without invalidating a previous token, as long as that token has not expired (it is not more than 50 hours old).
HTTP Request
POST https://sandbox.partner.api.bri.co.id/oauth/client_credential/accesstoken
grant_type=client_credentials
Request Header
Key | Value | Mandatory |
---|---|---|
Content-Type | application/x-www-form-urlencoded | Yes |
Request Body
Field | Data Type | Mandatory | Description |
---|---|---|---|
client_id | string | Yes | Consumer key |
client_secret | string | Yes | Consumer secret |
Request Example
```bash
curl --location --request POST 'https://sandbox.partner.api.bri.co.id/oauth/client_credential/accesstoken?grant_type=client_credentials' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=xxxxxxxxxxxxxxxxxxx7kuJAyQkWpt' \
  --data-urlencode 'client_secret=123xxxxxxxxxxxxxOx'
```
Response Example
```json
{
  "refresh_token_expires_in": "0",
  "api_product_list": "[inquiry-sandbox]",
  "api_product_list_json": [
    "inquiry-sandbox"
  ],
  "organization_name": "bri",
  "developer.email": "furkorsan.gantheng@xyz.com",
  "token_type": "BearerToken",
  "issued_at": "1557891212144",
  "client_id": "8E20dpP7KtakFkShw5tQHOFf7FFAU01o",
  "access_token": "R04XSUbnm1GXNmDiXx9ysWMpFWBr",
  "application_name": "317d0b2f-6536-4cac-a5f0-3bc9908815b3",
  "scope": "",
  "expires_in": "179999",
  "refresh_count": "0",
  "status": "approved"
}
```
Signature
A digital signature ensures the reliability and anti-repudiation of data transmission. The signature is generated by the service requestor and verified by the service recipient.
The payload data is signed with the SHA256-HMAC algorithm using your Consumer Secret. The signature is formed from the specified payload. The signature value is then encoded with Base64 and placed in the BRI-Signature API request header.
Payload
Payload consists of path, verb, token, timestamp, and body. Example payload:
path=/v1/inquiry/888801000157508&verb=GET&token=Bearer R04XSUbnm1GXNmDiXx9ysWMpFWBr&timestamp=2019-01-02T13:14:15.678Z&body=
Details of each element inside the payload are explained below:
Payload | Description | Example |
---|---|---|
Path | The value for path is the URL after the hostname and port without the query parameters. | from to |
Verb | HTTP method in uppercase | GET, POST, PUT, PATCH, and DELETE. |
Token | Token used in Authorization header. | Bearer R04XSUbnm1GXNmDiXx9ysWMpFWBr Note: Don't forget to add Bearer before token. |
Timestamp | Timestamp at the moment you call the API. The timestamp format must follow ISO8601 format (yyyy-MM-ddTHH:mm:ss.SSSZ). It has to be in the zero UTC offset. | 2019-01-02T13:14:15.678Z Note: Timestamp must be in UTC or GMT +0 timezone. |
Body | Request body sent for the API call | &body={"hello":"world"} If there is no request body, such as on a GET call, leave it empty: &body= Note: You must input exactly the same body you sent, because differences in case, spacing, or line breaks produce a different signature. |
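
The following is an added example, not BRI's own code: it assembles the payload described above, signs it with HMAC-SHA256 and Base64, and builds the three request headers. It assumes the secret and payload are UTF-8 encoded before hashing; the function names, the consumer secret and the full inquiry URL are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timezone
from urllib.parse import urlsplit

def bri_timestamp(now=None):
    """UTC timestamp as yyyy-MM-ddTHH:mm:ss.SSSZ (millisecond precision)."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"

def build_payload(url, verb, token, timestamp, body=""):
    """Assemble the string to sign; body must be the exact text that is sent."""
    path = urlsplit(url).path  # drops scheme, host, port and query parameters
    return (f"path={path}&verb={verb.upper()}&token=Bearer {token}"
            f"&timestamp={timestamp}&body={body}")

def sign(payload, consumer_secret):
    """HMAC-SHA256 keyed with the Consumer Secret, then Base64.
    Assumption: secret and payload are encoded as UTF-8 before hashing."""
    mac = hmac.new(consumer_secret.encode("utf-8"),
                   payload.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_headers(url, verb, token, consumer_secret, body="", timestamp=None):
    """Headers required on every call except Get Token."""
    timestamp = timestamp or bri_timestamp()
    payload = build_payload(url, verb, token, timestamp, body)
    return {"Authorization": f"Bearer {token}",
            "BRI-Signature": sign(payload, consumer_secret),
            "BRI-Timestamp": timestamp}

def verify(payload, consumer_secret, signature):
    """Recipient-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(sign(payload, consumer_secret), signature)

if __name__ == "__main__":
    # Constructed inputs: token and path come from the page's examples,
    # the secret and the host/query combination are placeholders.
    url = "https://sandbox.partner.api.bri.co.id/v1/inquiry/888801000157508?x=1"
    token = "R04XSUbnm1GXNmDiXx9ysWMpFWBr"
    secret = "constructed-consumer-secret"
    ts = "2019-01-02T13:14:15.678Z"
    print(build_payload(url, "get", token, ts))
    for key, value in signed_headers(url, "get", token, secret, timestamp=ts).items():
        print(f"{key}: {value}")
```

Pass `body` as the same serialized string that goes on the wire; re-serializing the JSON after signing can change whitespace and invalidate the signature.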