BBVA Business Mexico API integration services (SPEI / CoDi / B Negocios)

Built for Mexican SMBs

BBVA is the largest bank in Mexico by deposits and loans, and B Negocios (internal codename GEMA) is its dedicated mobile product for merchants, MicroBusinesses and corporates. With roughly 87 million active mobile-banking accounts transacting in Mexico as of Q1 2024, a large share of corporate cash flow now originates from apps like this one — making server-side access to that data a strategic requirement for ERP, accounting, lending and risk workflows.

Rich server-side state

Behind the app there is a structured backend: multi-currency accounts, business cards, affiliate POS terminals, CoDi charge history, promissory-note investments and loan contracts. Every screen in the app (executive summary, movements, POS summary, loans) maps to a clearly identifiable server resource that can be exposed as a REST endpoint once the B Negocios authentication chain is understood.

Complementary to BBVA API Market

BBVA already publishes partner-only APIs such as Business Payments and Business Collections on bbvaapimarket.com, but those require a direct commercial onboarding with the bank and do not cover all data a user can see in the app. Our protocol-analysis track fills the gaps: read-only statement and POS data, loan status, and automation flows that the official partner APIs do not expose to all clients.

Account & card movements API

Statement queries for BBVA checking, dollar and euro accounts, plus business debit and credit cards. Supports date-range, transaction-type and income/expense filters, paginated cursors, and stable transaction IDs suitable for idempotent downstream writes. Typical use: nightly import into an accounting ledger or ERP.

SPEI transfer automation

Programmatic third-party transfers by CLABE or debit card number, including own-account transfers and multi-currency flows (MXN / USD / EUR). Each call returns the SPEI tracking key (clave de rastreo) so that your back office can reconcile against Banxico SPEI receipts.

CoDi QR charges

Generate a CoDi charge QR and collect settlement events without a physical POS. Endpoints cover QR creation, expiration, status polling and webhook callbacks so that e-commerce checkouts or kiosks can confirm payment in under a second.

POS terminal reconciliation

Daily and monthly POS sales summaries per affiliation (afiliación), with commissions, gross amount and net settlement. Ideal for merchant accounting or for calculating effective acquiring cost across terminals and card brands.

Instant loan & promissory-note feed

Read BBVA's POS-advance instant loans (the offer shown inside the app as a reward for good terminal usage), outstanding credit lines, and promissory-note investment positions. Useful for treasury dashboards and for credit-limit monitoring services.

Security & token handling

Wrapped handling of the B Negocios mobile token, biometric approval and Cronto visual challenge so that automations do not break when the bank rotates OTP logic. Token lifetimes, CVV-dynamic flows and step-up approvals are abstracted behind a single authorize() call.

1. Nightly accounting sync

Context: A retailer with 12 BBVA accounts across MXN / USD wants every BBVA movement in its accounting tool by 07:00.

Data / API: GET /bbva/accounts to enumerate, then POST /bbva/statement with from_date / to_date; each row is normalized into a ledger entry keyed by the SPEI clave de rastreo or BBVA internal ID.

OpenFinance mapping: This is the canonical transactional data tier in Mexico's Fintech Law — consent-driven, per-account, per-period — the same shape that Article 76 envisioned for standardized bank APIs.

2. CoDi checkout for an e-commerce site

Context: A Mexican Shopify-style storefront wants to accept CoDi without buying a physical POS.

Data / API: POST /bbva/codi/charge returns a QR payload and a charge_id; a webhook charge.settled fires once the payer confirms on their bank app. The merchant backend marks the order as paid and triggers fulfillment.

OpenFinance mapping: A Payment Initiation pattern, equivalent to PSD2 PIS in Europe, using Mexico's domestic CoDi rails instead of SEPA.

3. POS reconciliation across affiliations

Context: A restaurant group with 40 POS terminals wants to know, per branch, yesterday's gross sales, commission and net deposit.

Data / API: GET /bbva/pos/summary?day=2026-04-19 returns a list keyed by affiliation_id with gross, commissions, net and expected settlement date; the net figure is matched against the movement in the checking account.

OpenFinance mapping: Acquirer-reporting API, complementary to CNBV's transactional-data tier.

4. SMB credit-risk scoring

Context: A fintech lender pre-approves BBVA Business clients for working-capital loans based on 12 months of inflows.

Data / API: With explicit user consent, the lender pulls statements via POST /bbva/statement plus POS summaries; inflow stability, seasonality and existing BBVA loan balances feed into the scoring model.

OpenFinance mapping: Account Information Services (AIS) pattern — exactly the use case Banxico's open-finance pilot with the Open Bank Project was designed to support.

5. Automated supplier payouts

Context: An ERP batches 500 supplier payments and needs to execute SPEI transfers with full audit trail.

Data / API: POST /bbva/spei per beneficiary with CLABE, amount and concept; response contains SPEI tracking_key, which is later reconciled against the account statement using the same field.

OpenFinance mapping: Bulk Payment Initiation, routed through SPEI rather than raw wire instructions.

Deliverables checklist

• OpenAPI 3.1 specification for all BBVA Business endpoints shipped
• B Negocios protocol and authentication report (mobile token, Cronto, biometric approval)
• Runnable source code (Python / Node.js / Go) for login, statements, SPEI and CoDi
• Dockerfile and sample docker-compose.yml for self-hosted deployment
• Automated tests, Postman collection and OpenAPI-generated docs site
• Compliance note referencing Mexico's Ley Fintech (Article 76) and CNBV guidance
• Source code delivery from $300 — pay after delivery upon satisfaction
• Pay-per-call option — use our hosted endpoints and pay only per successful call

Example 1 — B Negocios login & token

// Step 1: establish session with user credentials
POST /api/v1/bbva-mx/auth/login
Content-Type: application/json

{
  "document_type": "RFC",
  "document_number": "XAXX010101000",
  "password": "<plain>",
  "device_id": "a7c9...e4"
}

// Step 2: confirm mobile-token challenge
POST /api/v1/bbva-mx/auth/token/confirm
Authorization: Bearer <SESSION_TOKEN>

{
  "otp": "847213",
  "cronto_signature": "<base64-signed-image>"
}

Response:
{
  "access_token": "eyJhbGciOi...",
  "expires_in": 900,
  "scope": ["statement", "spei", "codi", "pos"]
}

Example 2 — Statement query

POST /api/v1/bbva-mx/statement
Authorization: Bearer <ACCESS_TOKEN>
Content-Type: application/json

{
  "account_id": "014180655012345678",
  "currency": "MXN",
  "from_date": "2026-03-01",
  "to_date":   "2026-03-31",
  "type": "ALL",
  "page": 1,
  "page_size": 100
}

// 200 OK
{
  "account_id": "014180655012345678",
  "opening_balance": 152304.55,
  "closing_balance": 184902.10,
  "currency": "MXN",
  "items": [
    {
      "tx_id": "BBVA-2026-03-02-0001",
      "posted_at": "2026-03-02T10:22:11-06:00",
      "concept": "SPEI RECIBIDO CLIENTE ABC",
      "amount": 18450.00,
      "direction": "IN",
      "tracking_key": "CR1400000012023030210221100001",
      "counterpart": { "clabe": "012180001234567890", "name": "CLIENTE ABC SA" }
    }
  ],
  "has_next": true,
  "next_cursor": "eyJwYWdlIjoyfQ=="
}

Example 3 — CoDi webhook

// Generate a CoDi charge
POST /api/v1/bbva-mx/codi/charge
Authorization: Bearer <ACCESS_TOKEN>

{
  "amount": 349.00,
  "currency": "MXN",
  "concept": "Order #A-1029",
  "reference": "A-1029",
  "expires_in": 600
}

// Webhook callback (merchant backend)
POST https://merchant.example.com/webhooks/bbva-codi
X-Signature: sha256=9e0a...

{
  "event": "charge.settled",
  "charge_id": "codi_01HFQ9Z...",
  "reference": "A-1029",
  "amount": 349.00,
  "status": "SETTLED",
  "settled_at": "2026-04-19T14:05:32-06:00",
  "payer_masked_clabe": "********7890"
}

// Error cases: EXPIRED, CANCELLED_BY_PAYER, RISK_BLOCKED
// Each returns a stable error_code for retry/alert logic.

Mexican regulatory context

Mexico's Ley para Regular las Instituciones de Tecnología Financiera (Ley Fintech, 2018) is the foundational open-banking framework. Article 76 requires banks, fintechs, money transmitters and credit bureaus to share financial data through standardized APIs across three tiers: open data (product catalogs, ATM locations — already regulated), aggregated data and transactional data. The CNBV and Banxico supervise these obligations.

As of 2025 the secondary regulations for transactional and aggregated data have still not been published in binding form, so BBVA's published APIs (Business Payments, Business Collections on bbvaapimarket.com) remain contract-based rather than right-based. Our integrations operate strictly under the customer's authenticated session or under documented public / partner APIs.

Privacy & data handling

We align with Mexico's federal data-protection law LFPDPPP (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and, for clients operating internationally, with GDPR principles: purpose limitation, data minimization, retention windows and right to erasure. Nothing is stored that the client does not explicitly need; PII fields (RFC, CLABE, account holder name) can be tokenized at the adapter layer. NDAs and DPAs are standard.

About us

We are an independent studio focused on App interface integration, protocol analysis and OpenData/OpenFinance delivery. Our engineers come from banks, payment processors, mobile protocol-analysis labs and cloud platforms. We ship end-to-end financial APIs under strict security and regulatory constraints, with a track record across Latin America, Europe and Asia.

• Payments, digital banking, insurtech and cross-border clearing
• Mobile protocol analysis: Android / iOS, including SSL pinning, obfuscated clients, mobile token flows and Cronto-style visual challenges
• Custom Python / Node.js / Go SDKs and test harnesses
• Full pipeline: protocol analysis → build → validation → compliance sign-off
• Source-code delivery from $300, pay after satisfaction; pay-per-call option on our hosted endpoints

Contact

Send us the target app name plus your requirements — e.g. "BBVA Business Mexico statement export + POS reconciliation for 20 terminals" — and we will return scope, timeline and price.

Contact page

Two engagement models:

• Source code delivery from $300 — runnable API source code and documentation; payment after delivery on satisfaction.
• Pay-per-call API billing — access our hosted endpoints and pay only per successful call, no upfront fee.

Engagement workflow

1. Scope confirmation. We align on the exact BBVA Business data you need (statements, POS, CoDi, SPEI, loans) and on the consent model.
2. Protocol analysis & API design — 2–5 business days depending on depth of the B Negocios token and Cronto flow.
3. Build & internal validation — 3–8 business days, with unit tests and a sandbox environment.
4. Docs, samples, test cases — OpenAPI spec, Postman collection, runnable examples.
5. Delivery. First drop typically 5–15 business days; bank-side approvals or SPEI settlement testing may extend timelines.

FAQ

What do you need from me?

How long does delivery take?

How do you handle compliance?

Do you also cover iOS?