1. Generate a private and a public certificate​
If at any point during this process you get something wrong during the following process enter the following command into your terminal window

Ctrl + c - Kills operation
Ctrl + l - clears the screen
ls - list directory
rm * - remove files in directory

1. In your console, create a directory and change the directory 

   
   mkdir revolut
   cd revolut

2. To create a private and a public certificate, paste this command in your console and press Enter.

openssl genrsa -out privatecert.pem 2048
openssl req -new -x509 -key privatecert.pem -out publiccert.cer -days 1825

You will be asked to enter details about your organization for the certificate's "Distinguished Name". The prompts below will appear line by line.

Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:    - needs to be accountinglinks.io 
Email Address []:        -secure email address?

Enter each piece of information and press Enter until you get back to the command prompt.

You can optionally leave some fields blank. However, to generate the public certificate successfully, you must enter at least one piece of information, such as the Country Name.

2. Upload your certificate​

1. Go to the API settings.

In your Revolut account, click on your account name and photo in the top left corner. Then, go to APIs → Business API.

2. Click Add API certificate to add your first certificate in the API Certificates section. If you already have other certificates added, click Add new.

3. Give your certificate a meaningful title. It will help you distinguish it from other certificates later.

4. Specify the OAuth redirect URI 

For sandbox: https://sandbox.accountinglinks.io/revolut/callback
For prod: https://console.accountinglinks.io/revolut/callback

5. Copy and paste the content of publiccert.cer to the X509 public key field.

   
   To find your certificate type in ls into the console, then enter cat publiccert.cer

Paste in the text that looks like this into the x509 public key field:

-----BEGIN CERTIFICATE-----
MIIDmDCCAoACCQDiGMIhXqIUdzANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMC
R0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMQ4wDAYDVQQKDAVC
bG90dDEQMA4GA1UECwwHRmluYW5jZTEbMBkGA1UEAwwSYWNjb3VudGluZ2xpbmtz
LmlvMR0wGwYJKoZIhvcNAQkBFg5zaGFuZUBibG90dC5pbzAeFw0yNDEwMTAwODQ3
NDRaFw0yOTEwMDkwODQ3NDRaMIGNMQswCQYDVQQGEwJHQjEPMA0GA1UECAwGTG9u
ZG9uMQ8wDQYDVQQHDAZMb25kb24xDjAMBgNVBAoMBUJsb3R0MRAwDgYDVQQLDAdG
aW5hbmNlMRswGQYDVQQDDBJhY2NvdW50aW5nbGlua3MuaW8xHTAbBgkqhkiG9w0B
CQEWDnNoYW5lQGJsb3R0LmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAxDziwwTmefQ2M0FObc3vA73lv3VeKjb72wnpvqvKzt8SwhnE7r11VDcb0VOm
l3o0pthJbgBCv4SigDZSrt0fvoS5xJHv/moFqy5hxLTWDy28/o4rdApcsEO+28R0
Ai515FzQ3HB/5eABfhR0EqJzjOlWKjfQs52migUJ0ACO5nDgeCDcRYmHC5AiZ6YS
JSVaNEAtknTx/YaQB+rPs8hhweRIVOBFKyporEL7S/4jMbkalkt4tOiupgQ5218L
sHBh5/NbS15XrE6x/0ojDWcPeZM05inoJMCN/bRcIltsNttYYp5F9CqFO/xWpmp6
YLNOilxdF/dbuP2qlFviIwG2WQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCbxGyQ
Ub+Iy+JVstd9A4Rlx6v9kEvKqXj3434B3Y6XzyWxzduhj7IT1vuXn4ZFfnJRP7UKO0
5ZNBXBw8VY+PTGvnXOH/Vr154DUM676jwCji38FBt2mlyRzoeA6ffh3z/0foyH/a
sX3789Zr8Z3j+QWRUUaFaOeHG1hxceK0MwgNhstrIrBe4jNscHp7lALM8+eH1Bi/
yFDahE2F/Hm/cng49TpdkGeDZva4YFvbhuWVBeoja+WjtzW4T7CfT0jMIzgKYnW4
+7K+hLExUTHFjvQ28q4mf0KdzkFNb2OPYYG5x6jWNvG7bVBx3YTCFdVv6z0Gz/9h
LWAA7pO9T1sGn6I+
-----END CERTIFICATE-----

6. Click Continue. This takes you to the API Certificate page with the parameters of your application.

7. Copy the ClientID which will be needed in the following steps.

3. Generate a client assertion​

1. Go back to your console.

Ensure you are in the same directory where you saved your privatecert.pem file from step 1.1. If you want to use a different directory, make sure that you copy the private certificate there.

2. Prepare the JWT header and save it as header.json.

Paste this command into your CLI and press Enter.
cat <<EOF > header.json
{
 "alg": "RS256",
 "typ": "JWT"
}

EOF

3. Prepare the JWT payload and save it as payload.json. Replace the placeholders in angle brackets (<>) with your own values. Also, make sure that the exp value is a number, not a string.

iis for sandbox: sandbox.accountinglinks.io
iis for Prod: console.accountinglinks.io

cat <<EOF > payload.json
{
 "iss": "sandbox.accountinglinks.io",
 "sub": "sufAirzxoSTtoiK_K4hM3rIN4qPuXu_x-OMagaEFQlE",
 "aud": "https://revolut.com",
 "exp": 1924905600
}

EOF

4. Generate the signed JWT and save it as client_assertion.txt.

Run this set of commands in your CLI. Remember to press Enter after pasting, otherwise it might not run fully, resulting in the signature missing.

# Add encoded and normalised header

cat header.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > client_assertion.txt

echo -n "." >> client_assertion.txt

# Add encoded and normalised payload

cat payload.json | tr -d '\n' | tr -d '\r' | openssl enc -base64 -A | tr +/ -_ | tr -d '=' >> client_assertion.txt

# Generate signature

cat client_assertion.txt | tr -d '\n' | tr -d '\r' | openssl dgst -sha256 -sign privatecert.pem | openssl enc -base64 -A | tr +/ -_ | tr -d '=' > sign.txt

echo -n "." >> client_assertion.txt

# Add signature

cat sign.txt >> client_assertion.txt

A client_assertion.txt file containing the client assertion JWT is created in your chosen directory.

To display the contents of your JWT in the CLI, run:

cat client_assertion.txt

4. Consent to the application​

1. Go back to the API settings in Revolut.

2. Select the certificate you want to use.

3. Click Enable access.

4. Click Authorise. This triggers a 2-factor authentication (2FA) process.

5. After 2FA, the page will redirect to Accounting Links(make sure you are logged in to Accounting Links). Add “client_assertion” retrieved from the previous step.