Documentation
BRIAPI is a set of Application Programming Interfaces (APIs) developed by BRI that enables your application to integrate with BRI banking services easily and quickly. BRIAPI helps your company streamline financial activities for your customers.
Authentication
BRIAPI uses the OAuth 2.0 framework as its authorization process for determining third-party access rights. Before making an API request to a BRIAPI product, you must obtain a token by calling the Get Token endpoint.
As an additional safeguard on every API request, BRIAPI uses a signature to ensure that the data in each request and response cannot be hijacked and copied by unauthorized users. This signature is generated using the SHA256-HMAC algorithm.
The parameters below must be included in the request header of every API call (except for the Get Token endpoint):
Key | Value |
---|---|
Authorization | Bearer {{TOKEN}} |
BRI-Signature | {{SIGNATURE}} |
BRI-Timestamp | {{TIMESTAMP}} |
Token
This endpoint is used to generate a token that must be included in every API call. Place this token in the Authorization attribute in the Header.
The token is valid for 50 hours from its creation date. You can request as many tokens as you like without invalidating previous tokens, as long as they have not expired (not more than 50 hours).
HTTP Request
POST https://sandbox.partner.api.bri.co.id/oauth/client_credential/accesstoken
grant_type=client_credentials
Request Header
Key | Value | Mandatory |
---|---|---|
Content-Type | application/x-www-form-urlencoded | Yes |
Request Body
Field | Data Type | Mandatory | Description |
---|---|---|---|
client_id | string | Yes | Consumer key |
client_secret | string | Yes | Consumer secret |
Request Example
curl --location --request POST 'https://sandbox.partner.api.bri.co.id/oauth/client_credential/accesstoken?grant_type=client_credentials' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=xxxxxxxxxxxxxxxxxxx7kuJAyQkWpt' \
  --data-urlencode 'client_secret=123xxxxxxxxxxxxxOx'
Response Example
{
  "refresh_token_expires_in": "0",
  "api_product_list": "[inquiry-sandbox]",
  "api_product_list_json": [
    "inquiry-sandbox"
  ],
  "organization_name": "bri",
  "developer.email": "furkorsan.gantheng@xyz.com",
  "token_type": "BearerToken",
  "issued_at": "1557891212144",
  "client_id": "8E20dpP7KtakFkShw5tQHOFf7FFAU01o",
  "access_token": "R04XSUbnm1GXNmDiXx9ysWMpFWBr",
  "application_name": "317d0b2f-6536-4cac-a5f0-3bc9908815b3",
  "scope": "",
  "expires_in": "179999",
  "refresh_count": "0",
  "status": "approved"
}
Signature
The signature ensures that the transmitted data is authentic and cannot be refuted. The signature is generated by the service user and verified by the service receiver.
The signature is formed from the specified payload by applying the SHA256-HMAC algorithm with the Consumer Secret as the key. The result is then encoded using Base64 (an encoding step, not encryption). The final value is placed in the BRI-Signature attribute in the Header.
Payload
Payload consists of path, verb, token, timestamp, and body. Example payload:
path=/v1/inquiry/888801000157508&verb=GET&token=Bearer R04XSUbnm1GXNmDiXx9ysWMpFWBr&timestamp=2019-01-02T13:14:15.678Z&body=
Details of each element inside the payload are explained below:
Payload | Description | Example |
---|---|---|
Path | The value for path is the URL after the hostname and port without the query parameters. | from to |
Verb | HTTP method in uppercase | GET, POST, PUT, PATCH, and DELETE. |
Token | Token used in Authorization header. | Bearer R04XSUbnm1GXNmDiXx9ysWMpFWBr Note: Don't forget to add Bearer before token. |
Timestamp | Timestamp at the moment you call the API. The timestamp format must follow ISO8601 format (yyyy-MM-ddTHH:mm:ss.SSSZ). It has to be in the zero UTC offset. | 2019-01-02T13:14:15.678Z Note: Timestamp must be in UTC or GMT +0 timezone. |
Body | Request body sent for the API call | &body={"hello":"world"} If there is no request body, such as on a GET call, leave it empty: &body= Note: The body in the payload must be exactly the body you send, because any difference in case, spaces, or line breaks produces a different signature. |