POST /embedded-banking/v1/bank-account-applications
Create Request
Response (201 Created)
clientSecret is returned on every create response, but you only need it if a browser is going to finish the application. If your backend is going to drive the entire flow with its bearer token — the server-to-server integration shape — ignore the field and keep calling per-application endpoints with Authorization: Bearer. The secret carries no extra capability the bearer doesn’t already have.
When a browser does need it: hand it directly to that browser context once, and do not log or persist it server-side. The plaintext is not recoverable from a later GET; the service stores only a hash. Token shape, header, and PII-masking rules are covered in Application client secret.
Pre-filling fields is optional — you can also create an empty application and PATCH everything in afterward, whether the PATCH calls come from your backend or a browser.
Acting on behalf of a child organization
Platform-level callers (a bank, ISO, platform partner, or fintech partner) can create an application for a specific child organization in their hierarchy by setting theX-Organization-ID header on the create request:
Targeting a child org
X-Organization-ID is accepted only on this endpoint. After creation, the application is addressed by its id and the organization is fixed.