Noticed a couple of issues while implementing in Laravel.

1. Using php://input is problematic for tests, and generally fails in older versions of PHP.
2. If header is missing, hash_equals will throw an exception - better to use ?? '' to ensure variable is non-null.
3. Trailing , in header() call

Revised code to address these issues:

public function handleWebhookEvent(Request $request, $hook) {
    $received_signature = $request->header(
        'X-Up-Authenticity-Signature'
    ) ?? '';
    $raw_body = $request->getContent();
    $signature = hash_hmac('sha256', $raw_body, $hook->secret_key);
    if (!hash_equals($signature, $received_signature)) {
        abort(401);
    }
    // Process webhook event
}

Hey guys

Without doing more regex magic as I mentioned previously, perhaps a prettyValue key would be nice for transactions.

Currently I have setup to use $-1.00 however in app it uses -$1.00. An if and strip could obviously resolve this but, just for expansions sake?

https://upbank.netlify.app/activity

I assume you guys already have a roadmap of all the awesome endpoints you plan on adding to the API.

It would be cool if these were publicly visible (gotta build the hype), and even cooler if it was in a similar fashion to your current product tree.

Mad props to the Up Bank dev team for the spot on API docs. I can't wait to build and see what other developers build.

At the moment you can only add a tag after a payment has been processed (via the app or the API). Would be good if you could add a tag while doing a payment or setting up a scheduled payment. That way it would be very easy to filter automated transactions via the API.

For example I set up a reoccurring transaction to pay off a loan. I would like to tag it with 'Loan" so I can filter via the API and easily see how much I've paid. Currently I need to go through each scheduled transaction after it has been completed and tag it.

I think the Documentation needs to add some details on the Access Token Session Validity.

Hey team, absolutely loving the api being made available. Big up!

The transaction type field in the transactions csv downloadable through the UP app is super useful for categorising transactions but it's not currently available in the API response. Would love to have it available.

For reference, the below are some of the values I get in the csv export and can't see these anywhere in the api response:
Purchase
Deposit
Transfer
Osko Payment Received
Refund
Direct Credit

I also use the transaction categories in assigning my own categorisation rules but I see there's already another feature request for categories/tags.

A quick question: the description attribute of the transaction looks to match the Payee column of the csv export almost entirely, but some comparisons I've done of transactions returned from the API compared to an export from a month or so ago look to have different values. Is it the same field and the payee name has just changed since my export, or would Payee be a different field that could also be added to the api response?

I'm new to programming - trying to take baby steps to self learn. Thought Up API would be a good place to start. This is literally my first post on github, anywhere.

I'm going a little mad as I've googled and have attempted to modify the curl query with various variations found on stackoverflow because the default example was throwing an error for me. I followed various others curl guide and also found the same error so I'm quite at a lost.

It appears to be a problem with the query itself rather than an incorrect token as I don't even get to the part where I get a response. I've googled the error and the header itself and have gone through all the top 20 links on google for both without much success.

I've tried:

• including/excluding the $ sign with the token
• Various formats including declaring the header separately
• Using ' instead of " and vice versa

I'm on Windows 10, using Powershell.

I know the curl function works at the very least - giving me 401 not authorised as expected without the authorisation token

I'm hoping perhaps someone can steer me into the right direction on this. Many thanks in advance.

Hi team!

Love working with the new API, keep up the amazing job!

I've noticed the description for Remove tags from transaction is incorrect and seems to be a copy + paste from the removing webhook section

https://developer.up.com.au/#delete_transactions_transactionId_relationships_tags

Delete a specific webhook by providing its unique identifier. Once deleted, webhook events will no longer be sent to the configured URL.

As seen here https://github.com/up-banking/api/blob/master/v1/openapi.json#L1508

Hi,
Try get to get page 4 by doing the following:
Get links from : https://api.up.com.au/api/v1/accounts?page[size]=3
use the links "next" but I'm receiving Status 500 Internal Server Error.

works okay with : accounts/?AccountsID?/transactions?page%5Bafter%5D

This is a great api. I know there is another comment about roadmaps but is there a plan to actually create a payment through this API?

Hey there! 👋

We've seen users talking about using your OAS spec with Postman (cf twitter), and I was wondering if you were considering either:

• publishing your API to the API Network
• creating a Run in Postman button for your API documentation

Let me know if you'd like me to go into more details on the differences between the two and/or how to do it. 🙂

Would fire when category or tags for a transaction is added/removed/changed, or anything else that can be changed for a transaction down the line.

FEATURE REQUEST:

Currently, we can filter for transactions based on category and child category which is awesome. Sadly as far as I can tell, this only works for transactions in the primary spending account.

Any transactions that have been forwarded to a saver cannot be searched using https://api.up.com.au/api/v1/transactions/?filter%5Bcategory%5D=rent-and-mortgage.

It would be great to be able to fetch all transactions in savers purely to follow forwarded transactions.

I would like to automatically refunda PayId transaction that was made to my account. I suppose this is not possible at the moment. Is this something that you have planned on adding in the future?

Is it at all possibly to get Upcoming payments?

Is it Possible to just query the Unsettled or Pending transactions by Status?

        {
            "id": "1Removedf",
            "type": "transactions",
            "attributes": {
                "status": "SETTLED",
                "rawText": "GUZMAN Y GOMEZ, XXXXXXXXX",
                "description": "Guzman y Gomez",
                "message": null,

In the docs, query parameters are intentionally formatted to be human readable. In some cases (particularly with RFC3339 timestamps, which include the + character) this means copy & paste won't result in a valid query parameter. We need to explicitly call out in the docs that query parameters must be correctly URL encoded.

Probably add an intro section about this, along with a disclaimer alongside each query parameter example. Ideally we'll adjust our curl examples to include valid representations of these parameters in the example request.

Hey guys

Was curious if you could seperate these two into their own keys rather than concatenating them to one?

Would rather not have to work some regex magic to make this emoji bigger.. Legends!

https://upbank.netlify.app/

Hey,

So I don't seem to see any section in the documentation regarding Rate-limits (global nor per-endpoint)

As far as I can see, the only way to see what our rate-limit is via the X-RateLimit-Remaining header that is returned in the response from the API.
From what I understand, this rate-limit should be hourly but I feel that it would make it easier/more understandable to other people working with the API to have the rate-limits documented.

Hi,

I have generated the Access Token by following the steps https://api.up.com.au/getting_started here.

curl --location --request GET 'https://api.up.com.au/api/v1/util/ping'
--header 'Authorization: Bearer up:yeah:'

Getting HTTP 401 with Response

    "errors": [
        {
            "status": "401",
            "title": "Not Authorized",
            "detail": "The request was not authenticated because no valid credential was found in the Authorization header, or the Authorization header was not present."
        }
    ]
}

I am not sure if the token is incorrect or invalid or something else is wrong. I tried multiple times with other APIs as well.

Hi there! I'm loving this API documentation.

It looks like there is an error on the description field for the delete method on /transactions/{transactionId}/relationships/tags. The text of the description refers to webhooks, rather than tags. Possibly this was accidentally copied from another field.

The line in question is here: https://github.com/up-banking/api/blob/master/v1/openapi.json#L1508

I tried to import the OpenAPI definition into Azure API Management consumption plan and this failed
also tried https://apitools.dev/swagger-parser/online/ and it suggested an error in the OpenAPI

The error presented by Azure APIM was:

One or more fields contain incorrect values:
Parsing error(s): Data and type mismatch found. [#/paths/~1accounts/get/parameters/0/example] Data and type mismatch found. [#/paths/~1transactions/get/parameters/0/example] Data and type mismatch found. [#/paths/~1transactions/get/parameters/1/example] Data and type mismatch found. [#/paths/~1transactions/get/parameters/2/example] Data and type mismatch found. [#/paths/1accounts1{accountId}~1transactions/get/parameters/1/example] Data and type mismatch found. [#/paths/1accounts1{accountId}~1transactions/get/parameters/2/example] Data and type mismatch found. [#/paths/1accounts1{accountId}~1transactions/get/parameters/3/example] Data and type mismatch found. [#/paths/~1webhooks/get/parameters/0/example] Data and type mismatch found. [#/paths/1webhooks1{webhookId}~1logs/get/parameters/1/example]
Parsing error(s): The input OpenAPI file is not valid for the OpenAPI specification https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md (schema https://github.com/OAI/OpenAPI-Specification/blob/master/schemas/v3.0/schema.yaml).

Square brackets in URLs are non-standard so some HTTP client libraries don't play nice with them. Is it possible for the API to understand URL encoded square brackets (e.g. page%5Bsize%5D%3D1 in addition to page[size]=1)?

Even I put my bearer token, I can't achieve this.

Please help me out.

Hiya,

Love the API! Being on the roadmap was why I got an Up account in the first place, so it's great to see it delivered.

For public projects using the API, it would be great to have a "test user" PAT with non-sensitive account details & transactions so that you can provide a live demo.

Additionally, these keys & IDs could also be used for writing tests.

Cheers,
Will

Keep getting 403 Forbidden when trying to register a webhook.

Sending through Insomnia.

Method: POST
Body:

{
 "data": {
   "attributes": {
    "url": "https://ed4e932a465e.au.ngrok.io/up"
   }
 }
}

Headers:

Content-Type: application/json
Authorization: Bearer up:yeah:XXXXXXXXXXXXXXXX

Passing in the full token, created a new one in case the current one is not working, no luck.
Using the ping endpoint works as expected.

Hi All,

Just started testing out the api.

I keep running into "400 Bad Request" when using,

curl https://api.up.com.au/api/v1/accounts \
       -G \
       -H 'Authorization: Bearer up:yeah:mykey' \
       -d 'page[size]=1'

As mentioned in the the official docs

What's going on? I don't have any issues with https://api.up.com.au/api/v1/util/ping (I get a 200).

Is there a way to obtain the details of Savers that have closed/deleted? They appear in the transactions under relationships. However it is only the account.data.id
Is there a way to get displayName and accountType into relationships?

When joining the two calls in Power BI or Parabola, I had to build my own reference table based on transactions description of Transfer to "x".
X being the name of the saver.

When the saver has been closed, they no longer appear under /accounts

I'm sure others here would find that useful too.

Hey guys,

One more thing. I know you collocate the merchant's domain for use with an API like https://clearbit.com/logo, are you able to expose this in the API so I can replicate the functionality?

Thanks!

I was wondering if it’s possible to open the details page of a particular transaction in the iOS app by using the API to extract the transaction id for the transaction.

I’ve noticed that up:// opens the Up app, and that up://transactions/[transaction id] opens the Up app but errors with the “Transaction Not Found” page. Clearly, there must be some scheme to open a particular transaction, perhaps by transaction id. Can someone shed some light here?

Hi Team, I have been having a lot of fun with the API and with the assistance of other Upsider via this repo I've been able to dump all transactions into excel using power query.

However, when reconciling the accounts summary totals, vs the transactions totals, there is a variances. I can see when I check some transfers, they result in a negative balance or an 1.E15 error in excel.

My variance seems to be consistent at $4.11 and I've been monitoring it as I make more purchases/transfers as I use my account.

I would be happy to share my document with devs to debug if needed.

Thanks!

I've attempted to create a URL request endpoint in Azure Logic Apps but the URL generated is 229 characters long. When I attempt to create the webhook in the API I get an error that there is a limit of 120 characters.

When calling Ping url via Curl (as per example)

`curl https://api.up.com.au/api/v1/webhooks/316c2282-4b75-4539-9561-1893564d4dad/ping \

-XPOST
-H 'Authorization: Bearer up:yeah ...`

it returns with an error like:

`

411. That’s an error.

POST requests require a Content-length header. That’s all we know.`

Hey team,

It'd be great to be able to get the location from Up's merchant identification for my card transactions :)

Minor issue, but I generated a new auth token on api.up.com.au and opened the 'acceptable use policy' link in another tab. This landed me on an error page, but I didn't actually notice until I closed the original auth_granted page. Is the policy accessible after the fact or do I need to reauthorise?

Hi team!

Just a thought and feature request I had.

For any paginated resource, it would be great to know the opaque cursor for each item so we have specific control over how pagination works. This way we can choose any "edge" within a resource connection and start the page after/before that.

Right now for custom pagination logic, I'm having to perform regular expression/ split the links provided to attach additional params (custom page size etc). This can only be done on the start and end elements.

Using filters [since] and [until] returns "invalid date-time value (must be rfc-3339)"

Example as per RFC-3339

VERBOSE: GET https://api.up.com.au/api/v1/transactions?filter[since]=2020-07-27T09:07:54+10:00z with 0-byte payload
VERBOSE: received -byte response of content type application/json
Get-UpBankTransactions: {"errors":[{"status":"400","title":"Invalid Parameter","detail":"invalid date-time value (must be rfc-3339)","source":{"parameter":"filter[since]"}}]}

Example omitting Z from datetime value

VERBOSE: GET https://api.up.com.au/api/v1/transactions?filter[until]=2020-07-27T09:07:54+10:00 with 0-byte payload
VERBOSE: received -byte response of content type application/json
Get-UpBankTransactions: {"errors":[{"status":"400","title":"Invalid Parameter","detail":"invalid date-time value (must be rfc-3339)","source":{"parameter":"filter[until]"}}]}

I think it would be cool if there was a folder in this repo, let's call it /examples where there are community submitted examples of how the API is being leveraged.

e.g

/examples
 /JS-android-widget-shortcut
 /RUBY-google-assistant-announcement

Thoughts?

Happy to start it off by providing a PR.

Is there a way to have the tags for transactions to appear as a comma separated value rather than a list then records for each?
Multiple Tags generate multiple lines for the same transactions.
I've done a manual work around via PowerQuery & Excel, but it's messy 😬

Just noticed that when fetching a either a list of all accounts or a single account, if certain emojis are used for the Saver, then the displayName is returned with no emoji included.

Haven't tested exhaustively so don't know how widespread this is but after choosing 10 emojis at random, found that both 🤖 (robot) and 🧑‍🔧 (mechanic) don't work,

The API documentation only provides happy path samples. It would be great if the "Error Response" section included samples of real error responses that might be encountered. This would make writing tests for API clients that wish to parse error responses much easier ­— since it's often not straightforward to generate and capture a real one by hand.

Hi, I have discovered an issue with calling on the API and only pulling the most recent batch of transactions. If an attribute has not been used, it does not exist in that specific call.

Example. Boost Round Ups are switched off within app. attributes.roundUp.boostPortion.currencyCode, attributes.roundUp.boostPortion.value, attributes.roundUp.boostPortion.valueInBaseUnits are all missing.
This is not limited to just boostPortion. Any attribute that is not present in the call is not within the JSON strings.

This causes issues with matching columns to a full history. I am reworking a flow in Parabola and pulling in the full history from a Google Sheet and matching to updated transactions from a single 100page call. If the columns don't exist, I cannot match them up.

Can all attributes be present even if null? The result would just be blank, but column header would be present.

Our documentation for the two MoneyObject values beneath roundUp on TransactionResource is not very clear. The amount includes any boostPortion, but the docs do not make this clear.

The documentation for amount probably needs to change to say something along the lines of:

The total amount of this Round Up, including any boosts, represented as negative value.

Great to see an AU bank get out in front of OpenBanking. 👍

Is it possible to get an endpoint added to allow statement retrieval?

Hi All,

I cant seem to get filter queries to work. I'm simply working with,

curl https://api.up.com.au/api/v1/transactions -G -H "Authorization: Bearer up:yeah:mypat" -d "filter[since]=2020-01-01T01:02:03+10:00"

And I keep getting,

{"errors":[{"status":"400","title":"Invalid Parameter","detail":"invalid date-time value (must be rfc-3339)","source":{"parameter":"filter[since]"}}]}

I've double checked the date time value and different variations (this is taken directly from the examples on the api site)! Is there something else I'm doing wrong? 😕

Accounts with type SAVER only show the amount of money currently stored in it, with no money goal available (if one has been set).

🚀 Changelog

Welcome to the Up API Changelog. This is where we'll provide updates to the community about the changes we make to the Up API. If you want to receive all updates to this changelog, click the "Subscribe" button in the Github sidebar.

This issue will remain locked, but if you have questions or feedback about any of the changes—or if you're encountering an issue—please go ahead and create a new issue and we'll do our best to help.

Hi,

I'm really keen to be able to see a spending breakdown over the year by Categories or Tags. Anyway to see the tags I've allocated to my transactions?

https://api.up.com.au/getting_started is not showing a QR code, only an animated Up logo. Is this an intentional thing to limit the beta, or a problem with the getting started page? Could this also be the beginning of a quest to include more animated gifs?

Please.