Connect to any financial institution in Latin America with Belvo.

Build fintech innovations on top of any banking, fiscal and gig institutions in Latam.


Get started

Handling 2-Factor Authentication

Belvo supports the connection to institutions where a 2FA or OTP (One Time Password) is needed.
There are two possible scenarios.

2FA token given upfront:
If you already know the institution will require a token to access the account, you can pass this token as a parameter to any of our endpoint connecting to the institution: Register Links, Retrieve Accounts, Retrieve Transactions, Retrieve Owners.

In this scenario, we will use the token while connecting to the institution and we will handle the 2FA process automatically.

2FA asked while connecting:
In some situations, a token will be asked while we try to connect to the institution.
In this case, you will receive a 428 HTTP status error from us with the following content:

{
"detail": "Token Required",
"session": "2675b703b9d4451f8d4861a3eee54449",
"expiry": 9600,
"link": "30cb4806-6e00-48a4-91c9-ca55968576c8"
}

After getting this response, you can prompt your user to generate the token and share it with you.

As soon as you get the token, you use the link and the session from the response above to send a new PATCH request to the Resume endpoint:

curl -X PATCH \
  https://api.belvo.co/api/links/ \
  -H 'Content-Type: application/json' \
  -H 'Host: api.belvo.co' \
  -H 'cache-control: no-cache' \
  -d '{
    "session": "2675b703b9d4451f8d4861a3eee54449",
    "token": "12345",
    "link": "30cb4806-6e00-48a4-91c9-ca55968576c8"
}' \
  -u [Secret Key ID]:[Secret Key PASSWORD]

📘

Handling 2FA/OTP with Connect Widget

We strongly recommend to handle the link creation using Belvo’s Connect Widget..
Connect Widget is ready to automatically handle for you the entire link creation process, including all MFA token scenarios handling.

Updated 8 days ago


Handling 2-Factor Authentication


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.