Kontomatik is a read-only API to banks. Kontomatik is able to import personal data, account balances and full statements from any supported bank to your system. To do that, Kontomatik will need end user bank credentials (most often a bank login and password). To ask the end user for bank credentials, Kontomatik offers a widget which you can embed on your website as an iframe.

Pleasure to integrate

Kontomatik offers a clean and consistent API over HTTPS.

By default we host Kontomatik for you. We take care of updates, security and reliability (SaaS). You can also host Kontomatik yourself (on-premises).

The big picture:



Banking API - tutorial and reference for programmers on how to embed the widget, import data and use the high-level lending features.

Zero-integration solution - no IT resources? No problem! Just copy-paste our widget into your website, go to our Insight app and display the essentials in the user’s profile: identification data, street view of his home address and financial health assessment.

PDF parsing API - workaround for banks in Poland that cannot use screen-scraping based banking APIs for regulatory reasons.

Kontomatik products and world coverage

Kontomatik Banking API supports major banks in many countries and we’re ready to add more. Additionally in Poland we also offer a PDF Parsing API. On top of that, both APIs come with extensions adding high-level analytics and transaction labels to the raw data extracted from online banks or the PDF statements. To help you get to know our full capabilities we’ve prepared a spreadsheet containing:

Go to Kontomatik Services & Coverage table »


What data can I get?

Kontomatik supports accessing:

How many months of transaction history can I access?

Kontomatik can access the whole transaction history available in an online bank. In practice, this translates to anywhere between 2 months and 10 years, depending on the bank.

Typically our clients import 3 months of history. This is a very good balance of speed, reliability and data.

Some clients import 6 months of history. This is also perfectly fine but you will have to wait a bit longer for data. It also very slightly increases the risk of a random error.

Most importantly, this is entirely under your control through the HTTP since parameter.

How long does it take to import the data?

This varies greatly between banks, users and the kind of data you want to import. Some banks have very slow online platforms while others are blazing fast. Some users have few transactions while others have thousands.

Our worldwide median is 12 seconds for 3 months of transactions. This is a total session ‘runtime’ including signing-in.

If you are only after the owner's personal data (identity confirmation), this drops to 1-3 seconds on average.

Kontomatik is known for speed among competing solutions. Kontomatik is fast because we do not run a farm of headless browsers, we do not run any JavaScript and we do not download any assets. We reverse engineer how HTTP requests are put together and then we recreate them directly in Java with no overhead.

Does Kontomatik support importing credit cards, term deposits, mortgages, insurance policies, mutual funds, stocks and other assets?

Kontomatik supports importing personal data of account owner(s), current and saving accounts and transactions from those accounts.

As of today there is no support for importing any other data, except for Poland where we do support credit cards and term deposits.

If you need support for additional data then there is no technical limitation for us to develop it but we would need your close cooperation with regard to providing test bank accounts with those specific assets on your target market.

How does Kontomatik access bank data? Does Kontomatik have agreements with all supported banks?

Under the hood Kontomatik uses screen scraping to mimic a human using a web browser. By using the very same protocol as a web browser Kontomatik can potentially support any bank worldwide in a permissionless way. Kontomatik does not need agreements with all supported banks. Kontomatik exemplifies permissionless innovation.

When a bank introduces a change how long does it take for Kontomatik to catch up?

The fix takes between several hours and several days depending on the severity. Most issues are resolved very quickly.

By the way, most issues affect few users and do not impede the overall conversion rate in a meaningful way.

In the extreme case of a completely new online system it can take us 1-3 weeks to add support. However, banks often allow both systems to be used for some time before retiring the old one, which buys us more than enough time to switch seamlessly.

If support for some bank is temporarily broken we dynamically turn it off in the widget and API with zero action necessary on your side.

To sum up, we aim to create a “just works” experience for the API client. You are not expected to manage this in any way.

Does Kontomatik support hardware tokens, SMS codes, mobile OTPs, CAPTCHA-s, anti-phishing pictures?

Yes, Kontomatik natively supports hardware tokens, SMS codes, mobile-application-generated One-Time Passwords, CAPTCHA pictures and anti-phishing pictures.

Will Kontomatik API preserve its data guarantees under PSD2?

In December 2018 Kontomatik became a licensed Account Information Service Provider (AISP). Our model of operation is protected by the Payment Services Directive 2 (PSD2). Under the terms of the PSD2 agreement, banks are required to provide access to customer data via open banking API services or allow fintechs to use a fallback mechanism.

Kontomatik’s main objective is to preserve existing data guarantees while staying fully compliant. To this end, the plan is to gradually transition to Open Banking APIs as they become available, while also preserving our screen-scraping capabilities as an alternative solution for targets which provide a low quality interface.

Can I safely assume Kontomatik can add support for any online bank in the world?

Well, almost. Our track record is to give up on about 1 bank in 25 - not because it’s impossible but because it would be very ineffective cost-wise (for us) or usability-wise (for the end user). Contact us for more information.

Can I easily CSS-customize Kontomatik SignIn Widget?

Please carefully read the docs to learn to what extent this is currently possible.

How can I implement my own login front-end? I don’t want to use Kontomatik Widget. I need full control.

We do have a fully-featured login API to potentially enable custom front-ends but we highly discourage this path.

Without Kontomatik Widget:

For the reasons outlined above we consider Kontomatik Widget an obligatory part of our technology and offering.

If you strongly feel like developing your own frontend anyway, please let us know and we will reconsider your specific case.

Native mobile apps - how can I use Kontomatik there?

Kontomatik Widget sports a fully responsive design, ranging from iPhone 4 screen size.

In a mobile web app simply embed the widget as usual. Don’t forget to make your web app’s design responsive.

In a mobile native app please use a webview component to embed the widget. Using just a little bit of JavaScript you can easily wire it up with your native app. The details are platform specific and do not have much to do with the widget itself. Please follow online webview tutorials for your platform.

Can I import data periodically in the background to update my application while end users are offline?

If you mean to import data from your own bank account(s) then yes. In this scenario you would not use the widget. Instead you would use our sign-in API directly, passing your own bank credentials every time. For example, this makes sense if you want to track incoming payments on your bank account to mark invoices as paid, or loans as repaid. Documentation for this (sign-in) part of the API is not available online. We will provide you with it once the contract is signed.

If you mean to import data from the bank accounts of a limited group of your trusted business contractors then yes. See the above answer. You would have to officially store the bank credentials of your contractors.

If you mean to import data from the bank accounts of your end users (for example into your PFM-like solution), then no. Kontomatik never stores end users’ bank credentials, and we strongly advise our clients to not store end users’ bank credentials either. However, there is a workaround which gives you most benefits without the risk. We advise you to store bank credentials encrypted in the web browser local storage. Your JavaScript code can optionally get these credentials from Kontomatik SignIn Widget right after the end user has successfully signed in. This way the end user still has to login to your app but does not need to provide bank credentials anymore, at least unless he wipes or changes the web browser. This functionality is only enabled on demand to selected clients.

Also, please see the chapter on security.
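One way to implement the encrypted local-storage workaround described above, as an added example that is not Kontomatik's code. It assumes the AES-GCM key is derived with PBKDF2 from the end user's password for your app, so the key itself is never stored next to the ciphertext; the function names, the storage key name and the shape of the credentials object are hypothetical, and how the credentials are obtained from the widget is not shown.

```javascript
// Added example: WebCrypto in the browser; falls back to Node's webcrypto for offline runs.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const STORAGE_KEY = "bankCredentials"; // hypothetical local-storage key name
const PBKDF2_ITERATIONS = 600000;      // assumption: tune to your latency budget

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the app password and a per-record salt.
async function deriveKey(appPassword, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(appPassword), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// storage: window.localStorage in the browser (any object with getItem/setItem).
async function saveCredentials(storage, appPassword, credentials) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV for every save
  const key = await deriveKey(appPassword, salt);
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(credentials)));
  storage.setItem(STORAGE_KEY,
    JSON.stringify({ v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) }));
}

// Returns the credentials, or null when nothing is stored, the password is wrong,
// or the record was modified (AES-GCM authentication fails in both of those cases).
async function loadCredentials(storage, appPassword) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  try {
    const { salt, iv, ct } = JSON.parse(raw);
    const key = await deriveKey(appPassword, fromB64(salt));
    const pt = await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(iv) }, key, fromB64(ct));
    return JSON.parse(dec.decode(pt));
  } catch {
    return null; // caller falls back to asking for credentials in the widget again
  }
}
```

This protects the stored record at rest only: script running in your origin while the user is signed in can still call `loadCredentials`, so it does not replace XSS defences.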

Can you add callbacks to Kontomatik API?

Kontomatik never calls your app. You poll for results of async commands. This is by design. We believe this is right. Please consider:

The only downside is that you will need some kind of a background job runner in your app. But having one is best practice anyway, except for the most trivial apps.

How long does a Kontomatik import session last?

We have no control over the session duration. Access to banking data via Kontomatik is the same as access via the browser - the bank server controls the session duration and inactive user sessions are terminated after 10 minutes or less. To sum up, the longer an API client delays submitting import commands after sign-in, the higher the risk of getting a session expired exception.

What IP address will be used to access bank systems?

In the SaaS model, this will be a Kontomatik-controlled IP. In the on-premises model, this will be an IP controlled by our customer.

Will I be charged every time an end user connects to his bank through the Widget?


If no import commands are submitted during a Kontomatik session or if an import command fails for any reason - including factors beyond our control, such as connection issues - that session will not be added to your bill.

We only charge for sessions where all import commands have executed successfully.

Can I have access to bank accounts maintained by Kontomatik for testing purposes?

Unfortunately no. Test accounts are a limited resource of critical importance for the company, entrusted to us by close collaborators and friends. For security and confidentiality reasons, we cannot share access with outside parties. Please note however that you can freely use our sandbox for testing purposes with either real or mock login credentials.


SaaS diagram

Kontomatik is securely hosted in our infrastructure so you can focus on your business. We take care of updates, security and reliability. This is a recommended option selected by most of our clients.


On-Premises diagram

Kontomatik API can be hosted in your own infrastructure. Kontomatik API has few dependencies and is very lightweight on resource usage.

Technical requirements:

Please note that webapp server is not necessary. The application embeds its own webapp server to ease deployment.

Kontomatik requires a minimum of 1 dedicated server (physical or virtualized).

For HA setup, we suggest 4 servers (2 x webapp + 2 x db) in a sticky-session setup.

The above are requirements for financial data import service (Kontomatik API).

This does not include the Kontomatik SignIn Widget, a front-end piece to facilitate login.

With on-premises hosting you should be aware of several things:


Reporting vulnerabilities (responsible disclosure)

Please kindly report any vulnerabilities to [email protected]. You can PGP-encrypt communication with Kontomatik public key available at https://get.kontomatik.com/keys/kontomatik.asc. We promise to credit you on this website for confirmed vulnerabilities.


Kontomatik servers store very little data. Bank passwords are never stored and financial data is removed ASAP.

Organizational security breakdown

Technical security breakdown