Frequently Asked Questions
Overview
What are BMO APIs?
APIs (Application Programming Interfaces) allow systems and apps to share information with each other.
BMO APIs let you connect your accounting, treasury management and other financial systems to your Online Banking for Business accounts. That connection gives you access to your real-time banking activity in the programs you use every day – without having to export data, upload files, or sign in to Online Banking for Business. You can also use our APIs to build your own apps. Our APIs make your banking data work for you
What can I use BMO APIs for?
BMO APIs let you access and use your account data however and wherever you want. Clients like you are using our APIs to:
- See real-time balances for all accounts
- Retrieve day-end, month-end and year-end balances for all accounts
- Pull transaction histories
- Review transactions based on a specific set of criteria
- Replace BAI files and other settlement reports and processes
- Retrieve images of deposited cheques and other items
What can I do in the BMO Developer Portal?
Once you create an account on the BMO Developer Portal, you can access our sandbox. Our sandbox is a secure environment where you can test our APIs. You can also get secure sandbox credentials so you can test safely in your own environment.
Who can use BMO APIs?
If you're an Online Banking for Business customer, you can use our APIs to connect your accounts to your accounting, treasury management and other financial systems.
How much does it cost to use BMO APIs?
You can safely experiment with our APIs and test your code in our sandbox at no cost. When you’re ready to launch your app, please contact us to discuss pricing.
What APIs are available?
Currently, you can use BMO APIs to pull your account information and images of deposited cheques from our database. We're working on APIs for initiating payments, reconciling accounts, opening accounts, forecasting cash flow and multiple third-party integrations.
My Account
How do I create an account on the BMO Developer Portal?
To access the Sandbox, you’ll need to apply for an organization account on the BMO Developer Portal. Just fill out the application form. Once we’ve reviewed and approved it, we’ll send you an email with details on how to set up your account.
What if I don’t receive the email to set up my account?
When you apply and are approved for an organization account, we'll send you two emails: one with setup details and one with a link to create a password. If you don't see these emails, please check your spam folder. If you still can't find them, please contact us.
How do I change my password?
You can reset your password by selecting the Reset link on the Sign In page and entering your registered email. If it matches our records, we'll email you a link to create a new password.
If you've changed your email or it doesn’t match what we have on file, please contact us.
Testing in the sandbox
What can I do in the Sandbox?
Our Sandbox is a safe environment to test your code with dummy data. You need a free account to access it.
If you're just looking to test basic API responses, you can use the sandbox area on this site without registering your app with us. This option is a good choice if you're still experimenting in the early phases of your build or are confident that you won't need real-life testing for your code.
If you want to test directly in your own app, you'll need to register your app with us and generate a sandbox API Key. How do I get a sandbox API key?
Testing in my app
How do I get a sandbox API key?
To start testing in your own app, you’ll first need to generate an API key. This key, along with the Client ID and Client Secret displayed under My Apps, can be used directly in your app. It will let your app communicate with our servers just as if it were live. The only difference is that we’ll send you dummy data instead of real account information.
This option is closest to a real-life test but requires you to register your app with us. Here’s how:
- In the BMO Developer Portal, select your username and choose My Apps from the dropdown.
- Select the Register New App button.
- Fill in the details and select Register New App.
Once you have your key, go to our sandbox and generate an Access Token. You can use this token to test any of your registered apps.
What is my API Key?
Your API Key is a credential we assign to you. It lets us verify your identity and see which test app you're using to request information. You'll use it, along with your Access Token and the Client ID and Client Secret, to test our APIs in your own systems.
What is an application, and how many can I register?
An application is a way for you to generate and manage an API key to use with your own app during testing. You can register an unlimited number of applications in your account.
Launching my app
How do I move my app into production?
When you're ready to launch your app, contact us. We'll work with you to determine pricing and switch your sandbox credentials to production ones.
Managing my live apps
How do I revoke an app’s access to my BMO accounts?
You can easily disconnect an app from your BMO API service and remove its access to all your accounts. How to modify an app's account access.
- In Online Banking for Business, select the Administration tab.
- Under "Settings", choose Company Profile.
- Select the Services tab.
- In the "Setup Needed" menu, choose BMO APIs.
- Under "Manage Connected Applications", next to the relevant app, select Disconnect Application.
- Confirm your choice by selecting Remove Access Now.
Success! The app has been disconnected and can no longer access your Online Banking for Business accounts. You can view your disconnected applications under "Manage Disconnected Applications".
Who can access the API service in Online Banking for Business?
If you're a Primary Customer Administrator (PCA), you can access the API service in Online Banking for Business. You can also entitle other PCA users to the service.
Authorize APIs
What authorization system do you use?
All our APIs use the standard OAuth 2.0 framework.
How do I get authorized to make calls?
To get authorized to make calls, please check our Authorize documentation. It contains all the information you’ll need to implement a two-legged or three-legged OAuth flow.
Why do I need an Access Token?
You need to generate and use an Access Token in our sandbox to authorize test calls against our demo server. You can see our sample requests and responses in the BMO Developer Portal.
You can also use an Access Token to make authorized calls directly from your in-house development applications.
What sign in credentials should I enter when I’m generating an Access Token?
What sign in credentials you use depends on whether you’re testing in the sandbox or launching your app.
Because they are for a mock scenario, all sign in credentials are pre-filled for you in the sandbox.
When you’re ready to launch your app and grant access to your accounts, use your existing Online Banking for Business credentials.
How do I resolve a 401 ‘Unauthorized’ response?
Here's what to do if you keep getting a 401 ‘Unauthorized’ response:
- Check that your client-id and secret are correctly matched against the application you created
- Verify your base-64 encoding has been correctly formatted per the authorization documentation
- Ensure that Basic is pre-fixed to the encoded client_id and client_secret while making your token call
- Make sure that your access token is not invalidated or expired
If you've tried all these and the issue persists, please contact us
Account Information APIs
Which bank account is associated with my BMO API account ID?
When you make a GET call to our system, specifically Search for Accounts, you'll be returned a list of authorized accounts. For security reasons, these accounts will be identified with a unique account ID that is different from the account number.
To see which account is associated with the account ID returned, check the account_number field in the body of the return.
What accounts will I be able to see when I connect an application in Production?
When you connect an application in production, you’ll be able to see the same accounts you’re entitled to in Online Banking for Business.
Can I choose which accounts I share with different applications?
As part of the authorization flow, you’ll be able to choose which accounts you’d like to grant access to.
Will new accounts that I add on OLBB be automatically shared with a connected application?
New qualifying accounts will not be automatically shared with a connected application. You can choose to automatically share all current and future accounts when going through the OAuth 2.0 flow.
Imaging APIs
Do I need additional APIs to retrieve my deposit images?
Apart from the Authorize API to give your application secure access to our servers, you’ll only need the Image Retrieval API to retrieve deposit images.
How do I search for and retrieve deposit images?
Once your application has been authenticated using the Authorize API, you can start your search for deposit images. Here's how it works:
- Get a list of your authorized Online Banking for Business accounts.
- Specify the account number, date range and item type. You can also add other search criteria.
- From the index of available images, choose the ones you want to retrieve.
Is the process different between Canadian and U.S. items?
The process is the same for Canadian and U.S. items.
How long can I access cheque images using the API?
You can request images of deposited items as far back as 7 years. To retain them even longer, you can use the API to automatically download and store them in your own archive.
Which format are the images in?
All images will be in TIFF format.
Account Validation API
Do I need additional APIs to verify account ownership?
Apart from the Account Validation API to verify account ownership, you’ll also need the Authorize API to give your account secure access to our servers and the Encryption API to protect sensitive information from end-to-end.
Which types of U.S. accounts are currently supported?
Currently, this API only supports U.S. savings and deposit accounts.
How many accounts can I validate per call?
Each call can validate up to 100 accounts. There’s no limit for the calls you submit.
Can I choose to check only account ownership or risk level?
You can choose if you want to check account ownership, risk level or both. Simply submit the details you want us to check.
What do the owner match and account risk scores mean?
Owner Match
This score shows how well the account owner information you provided matches what the other bank has on file. You can also review the results for each field.
To improve the confidence in the match, you can check additional owner details in your inquiry.
Account Risk
This score shows the risk of setting up a transaction involving this account. It considers a variety of factors such as:
- Is the account open and active?
- Does the account accept credits and debits?
- Is enough information available about the account?
- Is there a history of fraud, insufficient funds or recall requests?
| Risk | Possible Reasons |
| High | Account may be closed or has a history of fraud or insufficient funds. |
| Medium | Account is open but has limited available information or a history of a few unsuccessful transactions. |
| Low | Account is open and active with no recent negative history. |