Skip to main content
The daily balance export is a scheduled report Tesouro generates for you: one CSV per day listing the end-of-day balance of every active bank account across your whole organization tree, delivered as an encrypted file. Each run covers one as-of date and produces one file. Every row is a single bank account’s balance on that date, so a business customer with three accounts contributes three rows.
There’s no self-service setup for this report. To turn it on for your organization, contact your Tesouro representative. Setup includes exchanging PGP keys (below) and agreeing on where files are delivered.

Getting set up

Because the file carries full account numbers, it’s always PGP-encrypted in transit and at rest. Setup is a one-time key exchange, coordinated through your Tesouro representative:
  1. You provide your PGP public key. Tesouro encrypts every file destined for you with this key, so only you can decrypt it. Send the armored public key to your Tesouro representative.
  2. Tesouro provides its PGP public key. Every file is also signed with Tesouro’s private key. You verify that signature with Tesouro’s public key to confirm the file genuinely came from Tesouro and wasn’t altered. Your representative supplies this key during onboarding.
Keep your PGP private key secret, it’s the only thing that can decrypt your reports. If it’s ever lost or rotated, contact your representative to register the new public key.

Delivery and cadence

The report runs once daily. Exact timing and the delivery location are agreed with your Tesouro representative during setup.
  • One file per as-of date. Each successful run delivers a single encrypted file named bank_account_balance_{asOfDate}.csv.pgp, where asOfDate is YYYY-MM-DD; for example, bank_account_balance_2024-06-15.csv.pgp.
  • Encrypted and signed. The file is OpenPGP (RFC 4880), encrypted to your public key and signed with Tesouro’s private key.
  • Empty days still deliver. If no active accounts have a balance for the as-of date, you still receive a file with a header row and nothing else. Treat it as “no balances that day,” not as a failure.

Decrypting and verifying

Decrypt with your private key and verify the signature against Tesouro’s public key in one step. With GnuPG, after importing both keys:
gpg writes the plaintext CSV to the output file and reports the signature status on stderr. Treat a file whose signature doesn’t verify against Tesouro’s public key as untrusted, and don’t ingest it.
The decrypted CSV contains full account numbers. Decrypt only within your secure environment, avoid writing the plaintext to shared or long-lived storage, and delete it once it’s been ingested.

File format

The CSV is UTF-8 with a header row. Columns are always in this order:
Rows are ordered by organization, then by account, so all of an organization’s accounts appear together.