To make testing and developing with Lean quick and easy, a set of sandboxed API endpoints are provided at
sandbox.leantech.me. While using the Sandbox you will not need to set up certificate authentication with the services you are using and you can test the retrieval and display of each of the endpoints with mock data.
When you are ready to go into production or start testing with live data, you will need to activate your application for production use and set up mTLS (see below), and switch your api calls to
Was this section helpful?
We make an application for you when you first register with Lean. By default we use your organisation name for your application name but feel free to change it by going to the "Settings" tab on the left, along with the logo and description.
The application token serves as an identifier to all communications your software makes with Lean. You'll find your application token in the Authentication tab on the left. You should store the value of your application token in your codebase as an environment variable.
You will need to pass this along with every call you make to our API in the request’s Header as the
lean-app-token, and every call you make to the Web and Mobile SDKs as the
Most calls using Lean’s API are asynchronous. To allow for a secure transmission of data and to prevent your application from waiting for long periods of time while we process data returned from the bank, we instead send a
POST request to a Webhook URL you provide here with the data in the body to update your backend data.
It is extremely important that you set up your webhook receiver to explicitly respond to all webhooks sent from Lean with a
200to confirm receipt. Failing to do so will delay the receipt of subsequent webhooks from Lean.
If you don't want to set up a webhook receiver in your backend before you start testing with Lean, we suggest you use a website like Request Catcher which is a very easy way to look at incoming webhooks and http requests.
Along with your application token, your certificates are the second half of your authentication mechanism with Lean's servers. When you generate a set of certificates, you will be given two files to download corresponding to the private and public key. These will be used to authenticate your server calls to Lean's back end. Make sure to save these files and not lose them upon generating a new certificate since you will not be able to download them again and will need to generate a new set of certificates if you lose track of them.
You will also be able to download Lean's certificate chain, which can be used by your servers to authenticate all calls being made from Lean.
Was this section helpful?
Calls from your backend to Lean are required to be made over mTLS. If you'd like to learn more about what mTLS does and how it works you can learn more here.
When you create application at dev.leantech.me you will be able to download two files from the
authentication section of the developer portal. By clicking 'generate new certificate' a zip folder containing my_app_private_key.pem file and a my_app_cert.crt file will be downloaded.
Within the UI on dev.leantech.me you should also download the Lean certificate chain. To do this click the button labelled 'Certificate chain'. This should trigger a further download of a zipped folder containing lean_public_cert_chain.pem.
With the above complete you should now have three files.
The below is tailored to setting up a Java environment, but most of the steps are similar regardless of technology.
truststore using the lean_public_cert_chain.pem file downloaded from the developer portal.
keytool -import -trustcacerts -keystore [yourApp]-trustStore.jks -storepass [yourApp]TruststorePassword -alias Root -file lean_public_cert_chain.pem
Next create a
keystore using the private key and app certificate, you will be prompted to enter a password, e.g. myAppKeystorePassword
openssl pkcs12 -export -out myApp-keyStore.p12 -inkey my_app_private_key.pem -in my_app_cert.crt
keystore into a location that can be accessed by your application such as in the
Finally use the truststore and keystore to create an SSLContext and inject this into your rest client.
Was this section helpful?
// RestTemplate client exampleSSLContext sslContext =SSLContextBuilder.create().loadKeyMaterial(keyStoreUrl, keyStorePassword.toCharArray(), privateKeyPassword.toCharArray()).loadTrustMaterial(trustStoreUrl, trustStorePassword.toCharArray()).setProtocol("TLSv1.3").build();HttpClient httpClient = HttpClientBuilder.create().setSSLContext(sslContext).build();ClientHttpRequestFactory clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);restTemplate.setRequestFactory(clientHttpRequestFactory);
// WebClient client exampleSSLContext sslContext =SSLContextBuilder.create().loadKeyMaterial(keyStoreUrl, keyStorePassword.toCharArray(), privateKeyPassword.toCharArray()).loadTrustMaterial(trustStoreUrl, trustStorePassword.toCharArray()).setProtocol("TLSv1.3").build();HttpClient httpClient = HttpClient.create().secure(sslSpec -> sslSpec.sslContext(sslContext));WebClient webClient = WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();