{
  "merchant_token": "3c01abeb-b031-4fea-9f2d-c55c283cd78e",
  "issuer_id": "RABONL2U",
  "entrance_code": "string",
  "merchant_return_url": "string"
}


merchant_token: A GUID string that is unique and private to you as a merchant. Do not share this key; keep it safe. Example: 283b1550-ed02-4aee-8529-38a8ae90f10e
issuer_id: An identifier for the bank which the customer has chosen. Format: /[A-Z]{6}[A-Z2-9][A-NP-Z0-9]([A-Z0-9]{3}){0,1}/.
entrance_code: A token that allows you to rejoin the user to his session when he returns. It can be a maximum of 40 characters and should only contain the characters a-z, A-Z and 0-9. It should only be valid once and needs to be random enough (best use a cryptographically secure random generator) to avoid the possibility of replay attacks.
merchant_return_url: The place where the issuing bank should redirect the user to at the end of the flow. The bank will append two query parameters to this URL when returning the user to you: trxid and ec. The latter will contain the value of entrance_code; trxid is the transaction_id that you will receive in this request.


{
  "transaction_id": "string",
  "issuer_authentication_url": "https://issuerserver/transaction",
  "merchant_reference": "string"
}


transaction_id: A public token ID for this transaction. You should store this with your session data, so that at any point you can make a callback to the CM API and retrieve the status and/or results. Note that it is not guaranteed that your user will return to you via your merchant_return_url. A connection might be dropped, a user might accidentally close a window, or he might trigger the back button and return that way. This ID is the only way you can retrieve any information in that case.
issuer_authentication_url: The location with the issuing bank to which you should now forward the customer.
merchant_reference: A private reference ID for accounting purposes. Send this together with the transaction_id when making a status request.
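
An added example, not part of the CM documentation: one way to generate a single-use entrance_code, check issuer_id against the documented pattern, and redeem the trxid and ec query parameters when the user returns. The EntranceCodeStore class, its in-memory dict, the session ids and the return URLs passed to it are assumptions; a real deployment would keep this state in server-side session storage.

```python
import hmac
import re
import secrets
import string
from urllib.parse import parse_qs, urlsplit

ALPHABET = string.ascii_letters + string.digits  # a-z, A-Z, 0-9 only
EC_RE = re.compile(r"[A-Za-z0-9]{1,40}")
ISSUER_ID_RE = re.compile(r"[A-Z]{6}[A-Z2-9][A-NP-Z0-9]([A-Z0-9]{3}){0,1}")


def new_entrance_code() -> str:
    """40 characters drawn from a CSPRNG (about 238 bits of entropy)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(40))


def is_valid_issuer_id(issuer_id: str) -> bool:
    """Anchor the documented pattern so trailing junk is rejected."""
    return ISSUER_ID_RE.fullmatch(issuer_id) is not None


class EntranceCodeStore:
    """Hypothetical in-memory stand-in for server-side session storage."""

    def __init__(self):
        self._pending = {}  # transaction_id -> (entrance_code, session_id)

    def remember(self, transaction_id, entrance_code, session_id):
        self._pending[transaction_id] = (entrance_code, session_id)

    def redeem(self, return_url):
        """Return the session id for a valid, unused trxid/ec pair, else None."""
        query = parse_qs(urlsplit(return_url).query)
        trxid = query.get("trxid", [""])[0]
        ec = query.get("ec", [""])[0]
        entry = self._pending.get(trxid)
        if entry is None or not EC_RE.fullmatch(ec):
            return None
        expected, session_id = entry
        # Constant-time comparison of the stored and returned codes.
        if not hmac.compare_digest(expected.encode(), ec.encode()):
            return None
        del self._pending[trxid]  # single use: a replayed URL no longer matches
        return session_id
```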

Response codes

| HTTP status | Description |
|---|---|
| 200 | Successful transaction |
| 400 | Invalid request |
| 403 | Authorization required |