Lean helps you connect to the data contained inside your users’ bank accounts and initiate payments.
When you connect to a user’s bank account, you connect to their bank entity, which contains their accounts with that bank.
Lean refers to this as an entity throughout this documentation to avoid confusion, as a connected entity may contain several accounts, such as a checking and a savings account.
Entities also hold data such as identity as well as the accounts themselves. Each individual account contains data such as balance and transaction history.
To make testing and developing with Lean quick and easy, a set of sandboxed API endpoints are provided at
sandbox.leantech.me. While using the Sandbox you will not need to set up certificate authentication with the services you are using and you can test the retrieval and display of each of the endpoints with mock data.
When you are ready to go into production or start testing with live data, you will need to activate your application for production use and set up mTLS (see below), and switch your api calls to
We make an application for you when you first register with Lean. By default we use your organisation name for your application name but feel free to change it by going to the "Settings" tab on the left, along with the logo and description.
The application token serves as an identifier to all communications your software makes with Lean. You'll find your application token in the Authentication tab on the left. You should store the value of your application token in your codebase as an environment variable.
You will need to pass this along with every call you make to our API in the request’s Header as the
lean-app-token, and every call you make to the Web and Mobile SDKs as the
Most calls using Lean’s API are asynchronous. To allow for a secure transmission of data and to prevent your application from waiting for long periods of time while we process data returned from the bank, we instead send a
POST request to a Webhook URL you provide here with the data in the body to update your backend data.
It is extremely important that you set up your webhook receiver to explicitly respond to all webhooks sent from Lean with a
200to confirm receipt. Failing to do so will delay the receipt of subsequent webhooks from Lean.
If you don't want to set up a webhook receiver in your backend before you start testing with Lean, we suggest you use a website like Request Catcher which is a very easy way to look at incoming webhooks and http requests.
Along with your application token, your certificates are the second half of your authentication mechanism with Lean's servers. When you generate a set of certificates, you will be given two files to download corresponding to the private and public key. These will be used to authenticate your server calls to Lean's back end. Make sure to save these files and not lose them upon generating a new certificate since you will not be able to download them again and will need to generate a new set of certificates if you lose track of them.
You will also be able to download Lean's certificate chain, which can be used by your servers to authenticate all calls being made from Lean.