Handelsbanken has launched a new version of the Sandbox

Handelsbanken has launched a new version of the Sandbox today, the 16th of April. Kindly follow the instructions in the developer portal's new Sandbox tab and change your test data accordingly to continue testing.

Error message FAQs

Why do I receive a 401 HTTP error message stating "Invalid token grant type"?

If you receive an error message like this:

{"httpCode": "401","httpMessage": "Unauthorized","moreInformation": "Invalid token grant type."}

This means that you (the TPP) are using a token of the wrong grant type, for example a CCG (Client Credentials Grant) token where an ACG (Authorization Code Grant) or DG (Decoupled Grant) token should be used instead. Please refer to the SCA Redirect - Authorization flow chart or the SCA Decoupled - Authorisation flow chart.

Why do I receive an error stating "unsupported_grant_type"?

There are a number of reasons why you can receive this error, such as having incorrect values for the grant_type. However, one of the most common reasons is because an incorrect URL has been used. Below we've listed the different URLs for the Authorization APIs, depending on which environment you're working with.

Authorization Code Grant API - Sandbox environment
(initiate authorization) https://sandbox.handelsbanken.com/openbanking/redirect/oauth2/authorize…
(request token) https://sandbox.handelsbanken.com/openbanking/redirect/oauth2/token/1.0
(refresh token*) https://sandbox.handelsbanken.com/openbanking/refresh/oauth2/token/1.0

Authorization Code Grant API - Live environment
(initiate authorization) https://secure.handelsbanken.com/bb/gls5/oauth2/authorize/1.0
(request token) https://api.handelsbanken.com/bb/gls5/oauth2/token/1.0
(refresh token*) https://api.handelsbanken.com/bb/gls5/oauth2/token/1.0

Decoupled Grant Mobile BankID API - Sandbox environment
(initiate authorization) https://sandbox.handelsbanken.com/openbanking/decoupled/mbid/initAuthori...
(request token) https://sandbox.handelsbanken.com/openbanking/decoupled/mbid/token/1.0
(refresh token*) https://sandbox.handelsbanken.com/openbanking/refresh/oauth2/token/1.0

Decoupled Grant Mobile BankID API - Live environment
(initiate authorization) https://api.handelsbanken.com/bb/gls5/decoupled/mbid/initAuthorization/…
(request token) https://api.handelsbanken.com/bb/gls5/decoupled/mbid/token/1.0
(refresh token*) https://api.handelsbanken.com/bb/gls5/oauth2/token/1.0

*the refresh token is only applicable to the Accounts API and Card Accounts API.
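Because the FAQ says the most common cause of "unsupported_grant_type" is posting to the wrong URL, a pre-flight check that compares the URL a client is about to use against the documented one for its environment and flow catches the mistake before the request leaves. The following is an added example and not Handelsbanken's own SDK. The token and refresh URLs are the ones listed above; the "initiate authorization" URLs are truncated on this page and are deliberately left out. The API labels in REFRESH_CAPABLE are assumed client-side names, not the bank's product ENUM values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TokenEndpoints:
    token: str     # "request token" URL from the FAQ
    refresh: str   # "refresh token" URL from the FAQ


# (environment, flow) -> endpoints. "acg" = Authorization Code Grant,
# "dg" = Decoupled Grant Mobile BankID. URLs are copied from the FAQ list.
ENDPOINTS = {
    ("sandbox", "acg"): TokenEndpoints(
        "https://sandbox.handelsbanken.com/openbanking/redirect/oauth2/token/1.0",
        "https://sandbox.handelsbanken.com/openbanking/refresh/oauth2/token/1.0"),
    ("live", "acg"): TokenEndpoints(
        "https://api.handelsbanken.com/bb/gls5/oauth2/token/1.0",
        "https://api.handelsbanken.com/bb/gls5/oauth2/token/1.0"),
    ("sandbox", "dg"): TokenEndpoints(
        "https://sandbox.handelsbanken.com/openbanking/decoupled/mbid/token/1.0",
        "https://sandbox.handelsbanken.com/openbanking/refresh/oauth2/token/1.0"),
    ("live", "dg"): TokenEndpoints(
        "https://api.handelsbanken.com/bb/gls5/decoupled/mbid/token/1.0",
        "https://api.handelsbanken.com/bb/gls5/oauth2/token/1.0"),
}

# FAQ footnote: refresh tokens apply only to the Accounts and Card Accounts APIs.
# These labels are an assumption about how a client names its calls.
REFRESH_CAPABLE = {"accounts", "card-accounts"}


def resolve(environment: str, flow: str) -> TokenEndpoints:
    """Look up the documented token endpoints for an environment/flow pair."""
    key = (environment.lower(), flow.lower())
    if key not in ENDPOINTS:
        raise ValueError(f"unknown environment/flow combination: {key}")
    return ENDPOINTS[key]


def check_token_request(environment: str, flow: str, url: str,
                        refreshing: bool = False,
                        api: Optional[str] = None) -> List[str]:
    """Return the problems a client should fix before posting to `url` (empty if none)."""
    problems: List[str] = []
    expected = resolve(environment, flow)
    want = expected.refresh if refreshing else expected.token

    if refreshing and api is not None and api not in REFRESH_CAPABLE:
        problems.append(
            f"refresh is only available for {sorted(REFRESH_CAPABLE)}, not {api!r}")

    if url != want:
        other_env = "live" if environment.lower() == "sandbox" else "sandbox"
        other = resolve(other_env, flow)
        if url in (other.token, other.refresh):
            # Classic cause of unsupported_grant_type: sandbox client, live URL (or vice versa).
            problems.append(f"{url} belongs to the {other_env} environment; expected {want}")
        elif url in (expected.token, expected.refresh):
            which = "token" if refreshing else "refresh"
            problems.append(f"{url} is the {which} endpoint; expected {want}")
        else:
            problems.append(f"{url} is not the documented URL for this flow; expected {want}")
    return problems
```

Run the check once at start-up against the URLs in the client's configuration; an empty list means the configuration matches this page, anything else is a configuration error to fix locally rather than a case to raise with the bank.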

Why do I receive a 401 HTTP error message stating "Not registered to plan"?

If you get this error message it means that you have not subscribed to the API(s).

In the Sandbox environment, you do this by pressing the "Subscribe" button on the API product pages, e.g. Consents API.

In Live, you register your apps and subscribe to our APIs by calling the Subscriptions API, see Step 3 Register your app and subscribe to our APIs on our Live Data Enrollment page.

You can find a list of the ENUM values of our available products under "ApiSubscription" > "product" on the Subscriptions API.

Please note that if you have subscribed to the Accounts API or the Card Accounts API, you must also subscribe to the Consents API, otherwise you will receive the error "Not registered to plan".

Why do I receive "not_shb_approved" for Swedish customers?

This response means that the end user / PSU (Payment Service User) does not have the correct permissions, or (in rare cases), they don't have a Handelsbanken Online Banking service agreement.

For the end user / agent (PSU) to be able to access the Corporate customer's account information or make payments, they need to have the appropriate permissions as per the Corporate mandate, as well as the "Additional service API Corporate". An end user's permissions can be updated by the Corporate customer's administrator in the Handelsbanken online services by going to “Administration” and then “Mandates”, or by contacting their local branch.
For an end user / agent (PSU) to be able to access a Sub-account (underkonto), a mandate from the owner of the Main-account (huvudkonto) is needed.

Why do I receive "not_shb_approved" for British customers?

This response means that the end user / PSU (Payment Service User) does not have the correct permissions, or (in rare cases), they don't have a Handelsbanken Online Banking service agreement.
For the end user / agent (PSU) to be able to access the Corporate customer's account information or make payments, they need to have the appropriate permissions as per the Corporate mandate. An end user's permissions can be updated by the Corporate customer's administrator in the Handelsbanken Online Banking services (e.g. under "Profile", then "Permission administration"). They then need to select "Permission by person" and select the name of the user.
For our Account Information API, the user needs to have the "View account information" permission.
For our Payment Initiation API, the user needs to have the "Input" permission and if they need to execute payments, then they will need to be an authorised signatory.
Providing the user has the correct permission(s), they will be able to view the account and make payments in the Handelsbanken Online Banking services, as well as the Third Party Provider's services. If a PSU is unsure about their permissions, they need to contact their local branch.

Why do I receive "not_shb_approved" for Finnish customers?

This response means that the end user / PSU (Payment Service User) does not have the correct permissions, or (in rare cases), they don't have a Handelsbanken Online Banking service agreement.
For the end user / agent (PSU) to be able to access the Corporate customer's account information or make payments, they need to have the appropriate permissions as per the Corporate Internet bank agreement. An end user's permissions can be updated by contacting their local branch.

Why do I receive "not_shb_approved" for Dutch customers?

This response means that the end user / PSU (Payment Service User) does not have the correct permissions, or (in rare cases), they don't have a Handelsbanken Online Banking service agreement.
For the end user / agent (PSU) to be able to access the Corporate customer's account information or make payments, they need to have the appropriate permissions as per the Corporate mandate. An end user's permissions can be updated by the Corporate customer's administrator in the Handelsbanken online services or by contacting their local branch.

Why do I receive "mbid_not_shb_activated" for Swedish customers?

This is an error message specific to Swedish customers and is received when the customer tries to use Mobile BankID that wasn't issued by Handelsbanken (i.e. another bank issued it) and it needs to be activated before it can be used. This is achieved by the end user (PSU) logging into the Handelsbanken online services (for the first time).

Why do I receive an "mbid_error" response for Swedish customers?

This is an error between you (the TPP) and Mobile BankID, which means we cannot provide technical support regarding this. There are a number of reasons why you can get this error, but below we've listed some characteristics / rules that we think you should be aware of. For further help, please refer to BankID's technical support page.

1 - BankID has a 30-second timeout if the client has not scanned the QR code.
2 - The polling request against the authorization server must not be made more often than the sleep_time specifies, as of today - every 2 seconds.
3 - The maximum number of calls is 30, then the transaction is cancelled against BankID and an error is sent.
4 - Only 1 session/connection per PSU, against the authorization server is allowed. If several sessions are started, you'll get an error.

Why do I receive "mbid_max_polling" for Swedish customers?

This is an error message specific to Swedish customers and is received when the max number of token requests has been reached and the order has been cancelled in BankID. After you receive this error message, you can try the initiation again, but avoid automatically initiating it.
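The four rules above and the "mbid_max_polling" answer together describe how a well-behaved decoupled client polls the token endpoint: never faster than sleep_time, never more than 30 times per order, one session per PSU, and no automatic re-initiation after the order has been cancelled. The following is an added example and not Handelsbanken's or BankID's code. The token endpoint is injected as a callable so the loop runs offline; the pending/error response shapes ({"status": "pending", "sleep_time": 2} and {"error": "..."}) are assumed for illustration, and the numeric limits are the ones stated in this FAQ.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_POLLS = 30        # FAQ rule 3: the order is cancelled after 30 token requests
MIN_INTERVAL = 2.0    # FAQ rule 2: sleep_time is 2 seconds as of today


@dataclass
class PollResult:
    token: Optional[Dict] = None
    error: Optional[str] = None
    polls: int = 0
    may_reinitiate: bool = False  # a fresh, user-driven initiation is acceptable


class OneSessionPerPsu:
    """FAQ rule 4: only one authorisation session per PSU at a time."""

    def __init__(self) -> None:
        self._active = set()
        self._lock = threading.Lock()

    def acquire(self, psu_id: str) -> bool:
        with self._lock:
            if psu_id in self._active:
                return False
            self._active.add(psu_id)
            return True

    def release(self, psu_id: str) -> None:
        with self._lock:
            self._active.discard(psu_id)


def poll_for_token(fetch: Callable[[], Dict],
                   sleep: Callable[[float], None] = time.sleep,
                   max_polls: int = MAX_POLLS) -> PollResult:
    """Poll `fetch()` until a token or a terminal error arrives, within the documented limits."""
    result = PollResult()
    interval = MIN_INTERVAL
    while result.polls < max_polls:
        if result.polls:                  # wait before every request except the first
            sleep(interval)
        response = fetch()
        result.polls += 1
        if "access_token" in response:
            result.token = response
            return result
        if "error" in response:
            result.error = response["error"]
            # FAQ: after mbid_max_polling you may initiate again, but not automatically.
            result.may_reinitiate = response["error"] == "mbid_max_polling"
            return result
        # Honour the server's sleep_time, but never drop below the documented minimum.
        interval = max(float(response.get("sleep_time", interval)), MIN_INTERVAL)
    # Stop on our side before the 31st request rather than let BankID cancel the order.
    result.error = "client_max_polls_reached"   # local label, not a server error code
    result.may_reinitiate = True
    return result


def make_fake_endpoint(pending_before_final: int, final: Dict) -> Callable[[], Dict]:
    """Constructed stand-in for the token endpoint: 'pending' N times, then `final`."""
    calls = {"n": 0}

    def fetch() -> Dict:
        calls["n"] += 1
        if calls["n"] <= pending_before_final:
            return {"status": "pending", "sleep_time": 2}
        return final
    return fetch


def demo():
    """Exercise the loop against three constructed endpoints without real sleeping."""
    waited = []
    ok = poll_for_token(make_fake_endpoint(3, {"access_token": "constructed-token"}),
                        sleep=waited.append)
    cancelled = poll_for_token(make_fake_endpoint(5, {"error": "mbid_max_polling"}),
                               sleep=waited.append)
    never = poll_for_token(make_fake_endpoint(100, {"access_token": "x"}),
                           sleep=lambda _s: None)
    return ok, cancelled, never, waited
```

In production, fetch() is the HTTPS POST to the decoupled token endpoint for the environment in use, and the caller wraps the loop in OneSessionPerPsu.acquire/release so that a second login attempt by the same user is refused locally instead of producing an mbid_error from the authorization server.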

Why do I receive a 400 HTTP error message stating "Invalid account", with an accountId that has worked before?

If the accountId has worked before and you receive an error message like this:

{"httpCode":"400","httpMessage":"Bad Request","moreInformation":"Invalid account"}

This means that the GUID for the accountId has changed due to a new Consent being issued. The same error can also occur if the account is closed, because the accountId has been terminated.
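The practical consequence of the answer above is that an accountId is only meaningful within the Consent it was returned under: a client that persists accountIds on their own will start receiving 400 "Invalid account" as soon as a new Consent is issued or the account is closed. The following is an added example, not Handelsbanken's code, of a client-side cache that keys accountIds by consent and recovers from exactly that error by re-listing accounts once under the current consent and retrying once. The AccountsApi methods (list_accounts, balances) and the FakeAccountsApi stand-in are assumptions; the error body is the one quoted in this FAQ.

```python
from typing import Dict, List, Optional

INVALID_ACCOUNT = {"httpCode": "400", "httpMessage": "Bad Request",
                   "moreInformation": "Invalid account"}   # body quoted in the FAQ


class ApiError(Exception):
    def __init__(self, body: Dict) -> None:
        super().__init__(body.get("moreInformation"))
        self.body = body


class FakeAccountsApi:
    """Constructed stand-in: accountId GUIDs are regenerated per consent, closed accounts vanish."""

    def __init__(self) -> None:
        self._consent = 0
        self._ids: Dict[str, str] = {}       # iban -> accountId under the current consent
        self._closed = set()
        self.list_calls = 0

    def new_consent(self) -> str:
        self._consent += 1
        ibans = ["SE-IBAN-1", "SE-IBAN-2"]   # constructed sample accounts
        self._ids = {iban: f"acct-{self._consent}-{i}" for i, iban in enumerate(ibans)
                     if iban not in self._closed}
        return f"consent-{self._consent}"

    def close(self, iban: str) -> None:
        self._closed.add(iban)
        self._ids.pop(iban, None)

    def list_accounts(self, consent_id: str) -> List[Dict]:
        self.list_calls += 1
        return [{"accountId": aid, "iban": iban} for iban, aid in self._ids.items()]

    def balances(self, consent_id: str, account_id: str) -> Dict:
        if account_id not in self._ids.values():
            raise ApiError(INVALID_ACCOUNT)
        return {"accountId": account_id, "balance": "100.00"}


class ConsentScopedAccounts:
    """Caches accountIds per consent and self-heals on 'Invalid account'."""

    def __init__(self, api) -> None:
        self.api = api
        self.consent_id: Optional[str] = None
        self._by_iban: Dict[str, str] = {}

    def use_consent(self, consent_id: str) -> None:
        if consent_id != self.consent_id:
            self.consent_id = consent_id
            self._by_iban = {}            # ids obtained under the old consent are void

    def _refresh(self) -> None:
        accounts = self.api.list_accounts(self.consent_id)
        self._by_iban = {a["iban"]: a["accountId"] for a in accounts}

    def account_id(self, iban: str) -> Optional[str]:
        if iban not in self._by_iban:
            self._refresh()
        return self._by_iban.get(iban)

    def balances(self, iban: str) -> Optional[Dict]:
        aid = self.account_id(iban)
        if aid is None:
            return None                   # not visible under this consent (e.g. closed)
        try:
            return self.api.balances(self.consent_id, aid)
        except ApiError as err:
            if err.body.get("moreInformation") != "Invalid account":
                raise
            self._refresh()               # re-list once under the current consent ...
            aid = self._by_iban.get(iban)
            return self.api.balances(self.consent_id, aid) if aid else None  # ... and retry once


def demo() -> Dict:
    api = FakeAccountsApi()
    client = ConsentScopedAccounts(api)
    client.use_consent(api.new_consent())
    before = client.balances("SE-IBAN-1")["accountId"]
    api.new_consent()                     # a new Consent is issued; the GUIDs change
    after = client.balances("SE-IBAN-1")["accountId"]   # recovers after one re-list
    api.close("SE-IBAN-2")
    closed = client.balances("SE-IBAN-2")                # closed account: None, no retry loop
    return {"before": before, "after": after, "closed": closed, "list_calls": api.list_calls}
```

The retry is bounded to a single re-list so that a genuinely closed account yields None instead of an endless refresh loop, and use_consent() is the hook to call whenever a new Consent is obtained so the stale ids are dropped proactively rather than discovered through a 400.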

Why do I receive an error message stating "access_denied"?

A TPP will receive an "access_denied" error message when the PSU (customer) has cancelled the operation / approval.

Why do I receive a 401 HTTP error message stating "Bearer error=invalid_token"?

If you receive an error message like this:

{"httpCode": "401","httpMessage": "Unauthorized","moreInformation": "Bearer error='invalid_token"}

This is a general error message meaning that the authorization token or client Id used is wrong.

Why do I receive a 401 HTTP error message stating "Invalid client id or secret"?

If you receive an error message like this:

{"httpCode": "401","httpMessage": "Unauthorized","moreInformation": "Invalid client id or secret."}

The clientId used in the request is wrong.

Why do I receive a 401 HTTP error message stating "Cannot find valid subscription for the incoming API request."?

If you receive an error message like this:

{"httpCode": "401","httpMessage": "Unauthorized","moreInformation": "Cannot find valid subscription for the incoming API request."}

The clientId exists but there is no subscription on the API that you are using, i.e. you need to subscribe to the API you want to use.