Fondo's API is designed for secure, efficient integration by both technical and business teams. It follows standard REST conventions and provides predictable, resource-oriented URLs, JSON-encoded requests and responses, and well-defined authentication. Authentication is server-to-server, using OAuth 2.0 client credentials.
Every request requires a valid access token, obtained via POST https://api.fondo.se/v2/partner/auth/token.
Separate sandbox and production environments let you test thoroughly before going live. Every call is made over HTTPS. Requests can be sent to:
- Sandbox – safe testing with no impact on live data.
- NPC – use test-bankid for authentication in web-onboarding user journeys.
- Production – the live environment.
- Content type: application/json
- HTTP methods:
  - GET fetches data
  - POST creates resources
  - PATCH updates
  - DELETE removes
- Idempotency: GET and DELETE are idempotent.
All endpoints are served over HTTPS and return JSON in UTF-8. Dates and times follow ISO-8601 in UTC (YYYY-MM-DDTHH:MM:SS.sssZ).
Standard HTTP status codes are used:
- 2xx – success
- 4xx – client errors such as validation issues or unauthorized requests
- 5xx – unexpected server errors
Error responses include a JSON body with details about the issue.
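The idempotency and status-code rules above decide which failed calls a client may safely replay. The following is an added example, not Fondo's own code: it retries only 5xx responses to GET and DELETE, and returns a failed POST or PATCH to the caller so that a resource is never created twice. The send callable, the placeholder URL and the sample responses are assumptions constructed for illustration.

```python
import time

# Per the page, only GET and DELETE are idempotent, so only they are replayed.
IDEMPOTENT_METHODS = {"GET", "DELETE"}


def should_retry(method: str, status: int) -> bool:
    """Retry only 5xx responses to idempotent methods; a 4xx needs a fixed request."""
    return method.upper() in IDEMPOTENT_METHODS and 500 <= status <= 599


def call_with_retry(send, method, url, body=None, max_attempts=3,
                    base_delay=0.5, sleep=time.sleep):
    """Call send(method, url, body) -> (status, json_body) with bounded backoff.

    `send` is a hypothetical transport supplied by the caller (it would attach
    the bearer token); it is not part of Fondo's API.
    Returns (status, json_body, attempts_made).
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send a token-bearing request over non-HTTPS")
    attempt = 0
    while True:
        attempt += 1
        status, payload = send(method, url, body)
        if attempt >= max_attempts or not should_retry(method, status):
            return status, payload, attempt
        sleep(base_delay * 2 ** (attempt - 1))  # 0.5 s, 1 s, 2 s, ...


def make_flaky_transport(failures):
    """Constructed test double: answers 503 `failures` times, then 200."""
    calls = []

    def send(method, url, body):
        calls.append((method, url))
        if len(calls) <= failures:
            return 503, {"error": "constructed sample error"}
        return 200, {"ok": True}

    return send, calls


if __name__ == "__main__":
    url = "https://api.example.invalid/resource"  # placeholder, not a Fondo URL
    for method in ("GET", "POST"):
        send, calls = make_flaky_transport(failures=2)
        status, _, attempts = call_with_retry(send, method, url, sleep=lambda s: None)
        print(method, status, attempts, len(calls))
```

A POST or PATCH that comes back with a 5xx should be reconciled by reading the resource back with GET before it is sent again.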
For near real-time updates, use:
- WebSocket subscriptions – keep a persistent connection to receive live events such as new orders or settlements.
- Webhooks (web journey statuses only) – Fondo sends POST callbacks to your system when objects are created, updated or deleted.