TOM Bank Hadi API integration & OpenBanking Türkiye

OpenData · OpenFinance · OpenBanking · Protocol analysis · BKM ÖHVPS 2.0

Connect TOM Bank Hadi accounts, payments, and participation finance products to your stack — safely

TOM Bank Hadi is the mobile app of T.O.M. Katılım Bankası A.Ş., a fully digital participation bank supervised by the Central Bank of the Republic of Türkiye (TCMB) and the Banking Regulation and Supervision Agency (BDDK). It already serves more than 11.5 million users and ships interest-free banking products through a single app. We deliver compliant protocol analysis, account login flows, balance and statement APIs, Hadi Black credit card statement exports, free 24/7 EFT/Havale transfer endpoints, FX and gold trade pulls, and term participation account positions in TL, USD and EUR.

Account login & session APIs — Mirror the app authorization (mTLS, device binding, OTP, biometric step-up). Useful for accounting platforms that need to keep a user-bound session without storing raw credentials.

Statement & transaction history APIs — Pull EFT, FAST, Havale and card transactions with paging, date filters and category tags; export to JSON, CSV, Excel or signed PDF for reconciliation, expense management, or tax filing in Türkiye.

Hadi Black credit card data — Statements, cashback ledger (up to 3,000 TL/month), cash-advance utilisation, deferred-payment plans for education, health and insurance categories.

Investments & FX — Term (participation) account positions, Mega Daily Account profit-sharing accruals, gold and currency conversions for TL/USD/EUR, plus Hadi Gold cashback at A101, English Home and Eve.

What we deliver

Deliverables checklist

OpenAPI 3.1 / Swagger specification for every TOM Bank Hadi endpoint we expose
Protocol & auth flow report (mTLS pinning, device-id, OTP, biometric step-up, refresh tokens)
Runnable source for login, statement, transfer and Hadi Black card APIs (Python & Node.js)
Postman collection, automated tests and a small sandbox harness
Compliance brief: BDDK IT, KVKK (Turkish data protection), BKM ÖHVPS 2.0 mapping, retention policy
Migration guide if you later want to plug into the official BKM/CBRT open banking gateway

Why teams pick this stack

Turkish banking apps look simple on the surface but carry a heavy authentication chain — KKB-derived device binding, MASAK anti-money-laundering checks, multiple OTP channels, and BKM-issued certificates for inter-bank routing. We have already mapped these for participation banks (faizsiz bankacılık) and extend the same playbook to TOM Bank Hadi so engineering teams do not spend a quarter reinventing it.

Output is a clean API gateway your existing ERP, accounting tool or CRM can call. We also add per-user consent records aligned with the BKM Open Banking Gateway (GATE) certification programme so the same code path can later be re-pointed at official channels with minimal rework.

Data available for integration (OpenData inventory)

Below is the structured data TOM Bank Hadi holds behind its app screens. Each row is a real surface we map into a versioned REST resource, with paging, ETag-based caching and webhook deltas where the data changes frequently. Use it to scope a project before signing off.

Data type	Source screen / feature	Granularity	Typical use
Account balance & profit-sharing accruals	Mega Daily Account, current account dashboard	Per account, daily snapshot + intraday delta	Cash-position dashboards, treasury reporting
Transaction history (EFT/FAST/Havale, card, bills)	"Hesap hareketleri" / statement view	Per transaction, with category, counterparty IBAN, channel	Accounting sync, expense management, reconciliation
Hadi Black credit card data	Card detail, cashback ledger, cash advance	Per card, per cycle, per cashback bucket (grocery, A101, etc.)	Reward analytics, spend categorisation, P&L
Term & participation account positions	Vadeli (Katılım) Hesap, gold accounts	Per deposit, per currency (TL/USD/EUR), maturity dates	Wealth dashboards, profit-sharing tax workflows
Hadi Installment & Deferred Payment Credit	A101, English Home, Eve in-app payments	Per loan, per instalment, per merchant tier	Risk control, NPL monitoring, dunning
FX & gold trades	Döviz / Altın al-sat module	Per trade, with rate, channel, fee	Treasury, hedging analytics, audit trails
Bill payment instructions & auto-pay	Fatura ödeme, otomatik talimat	Per biller, per recurrence rule	SaaS billing platforms, BPM integrations
A101 cash in/out events	"A101'de para çek/yatır"	Per event, per A101 store, per limit bucket	Branchless cash-management analytics

Typical integration scenarios

Below are end-to-end scenarios we have implemented for Turkish and EU clients on neighbouring participation- and conventional-banking apps. Each scenario names the concrete data feeds and how they map to OpenBanking primitives so you can copy-paste it into a sprint plan.

SME accounting auto-sync. Business context: a Turkish e-invoice (e-Fatura) platform needs to pull TOM Bank Hadi transactions every 15 minutes for SME owners who pay suppliers via Hadi Installment Credit. Data/API: POST /v1/tom-hadi/auth/login + GET /v1/tom-hadi/transactions?cursor=… with category tags, plus a webhook on EFT settlements. OpenBanking mapping: equivalent to PSD2 AIS (account information service), exposed as a per-user consent grant aligned with the CBRT Data Sharing Guideline.
Hadi Black cashback reconciliation. Business context: a fintech offers a "card optimiser" that tells users which Turkish card returns the most cashback per category. Data/API: monthly GET /v1/tom-hadi/cards/{id}/cashback for grocery / A101 / education / health buckets and the 3,000 TL monthly cap. Mapping: OpenData read-only view derived from authenticated card statements, no payment initiation.
Wealth dashboard with gold & FX. Business context: a Turkish wealthtech app aggregates participation accounts and gold balances across Ziraat Katılım, Kuveyt Türk, and TOM Bank Hadi. Data/API: GET /v1/tom-hadi/term-accounts and GET /v1/tom-hadi/gold-positions, normalised into a multi-bank schema. Mapping: AISP-style aggregation; profit-sharing rates returned as APR-equivalent for unified UX.
Compliance & AML transaction monitoring. Business context: a corporate-treasury team must screen TOM Bank Hadi flows against MASAK lists and travel-rule thresholds. Data/API: streamed transaction webhook, FX/gold trade feed, plus structured counterparty fields (IBAN, name, channel). Mapping: feeds into a transaction-monitoring engine with audit-grade JSON Lines storage.
Cross-border payroll for Turkish remote workers. Business context: an EU employer pays a Turkish contractor via SWIFT into a TOM Bank Hadi account and needs proof-of-arrival per pay run. Data/API: GET /v1/tom-hadi/transactions filtered by counterparty BIC and amount, plus a GET /v1/tom-hadi/statements/{cycle}/pdf signed export. Mapping: AIS read with consent, no PIS — keeps the integration low-risk under BDDK rules.

API example: authenticated login (pseudocode)

// Step 1: bind device + initiate session (mirrors app behaviour)
POST /api/v1/tom-hadi/auth/login
Content-Type: application/json
X-Device-Id: <hashed device fingerprint>
User-Agent: TomHadi-Integration/1.0

{
  "msisdn": "+9053xxxxxxxx",
  "password": "<client-encrypted>",
  "otp_channel": "sms"
}

// Step 2: confirm OTP, receive short-lived access + refresh token
POST /api/v1/tom-hadi/auth/otp
{ "otp": "######", "session_id": "..." }

→ 200 OK
{
  "access_token": "...",          // 15 min TTL
  "refresh_token": "...",         // rotating, mTLS-bound
  "consent_id": "...",            // stored against BDDK consent record
  "scopes": ["accounts.read","cards.read","transfers.write"]
}

API example: statement export (pseudocode)

POST /api/v1/tom-hadi/statement
Content-Type: application/json
Authorization: Bearer <ACCESS_TOKEN>

{
  "account_id": "TR98-0021-...-001",
  "from_date": "2026-04-01",
  "to_date":   "2026-04-30",
  "channels":  ["EFT","FAST","CARD","BILL"],
  "format":    "json",            // or "csv","xlsx","pdf"
  "currency":  "TRY"
}

Response (truncated):
{
  "page": 1,
  "next_cursor": "eyJvZmZzZXQiOjEwMH0",
  "items": [{
    "id": "txn_018f...",
    "ts": "2026-04-12T09:14:22+03:00",
    "amount": -245.90,
    "currency": "TRY",
    "channel": "FAST",
    "counterparty": { "iban": "TR..", "name": "A101 Yeni Mağaz." },
    "category": "groceries",
    "cashback": { "amount": 24.59, "bucket": "hadi_black_grocery" }
  }]
}

API example: transfer webhook (pseudocode)

// Webhook delivered to your endpoint when a 24/7 EFT/Havale settles
POST https://your-app.example/webhooks/tom-hadi
X-OFL-Signature: sha256=...
Idempotency-Key: 8f...

{
  "event": "transfer.settled",
  "transfer_id": "tr_01J7...",
  "from_account": "TR98-0021-...-001",
  "to_account":   "TR12-0067-...-902",
  "amount": 1500.00,
  "currency": "TRY",
  "channel": "FAST",
  "settled_at": "2026-04-30T22:11:04+03:00",
  "consent_id": "..."
}

// Errors follow RFC 7807 Problem+JSON
{ "type": "https://errors.openfinance-lab.com/tom-hadi/limit-exceeded",
  "title": "Daily FAST limit exceeded",
  "status": 422,
  "detail": "Account capped at 30,000 TRY/day for FAST." }

Compliance & privacy

Every TOM Bank Hadi integration we ship is anchored to Turkish law. The CBRT published the "Guideline on Data Sharing Services in Payment Services" on 30 December 2022, defining API standards and security measures for open banking. Banks must complete BKM ÖHVPS 2.0 certification through the BKM GATE server, with the compliance window most recently extended to 31 December 2025. The Banking Regulation and Supervision Agency (BDDK) supervises IT and operational risk, while KVKK (Law No. 6698) governs personal data. Cross-border deployments additionally align with EU PSD2/PSD3 expectations and GDPR.

On top of this, Law No. 7545 (effective March 2025) layered new cybersecurity duties for regulated institutions. We map each TOM Bank Hadi endpoint to these regimes: explicit consent capture, scoped tokens, audit logs that survive 10 years, MASAK transaction screening hooks, and data-minimisation defaults so screen-derived fields never leak beyond the agreed scope.

Typical modules

Account login, OTP, biometric step-up & refresh-token rotation
Balance, transaction and statement export (JSON/CSV/XLSX/PDF)
Hadi Black card statements, cashback ledger, cash advance utilisation
EFT / FAST / Havale transfer initiation with idempotency keys
Term participation accounts, Mega Daily Account, FX and gold trades
Bill payment instructions, A101 cash in/out events, consent & audit log API

Data flow / architecture

The reference pipeline is intentionally short so it is easy to audit:

Client app / partner backend → starts a consent flow and obtains a scoped token from our gateway.
OpenFinance Lab gateway → handles TOM Bank Hadi protocol negotiation (mTLS, device-id, OTP), enforces rate limits, and signs each upstream call.
Storage / event bus → encrypted Postgres for normalised transactions, S3-compatible object store for signed PDF statements, Kafka topic for webhook events.
Analytics / API output → REST + GraphQL to your apps, plus pre-built BI views for finance, risk and CX teams.

The same architecture supports point-in-time replay, GDPR/KVKK erasure requests, and a "consent kill switch" that revokes all downstream tokens within seconds.

Market positioning & user profile

TOM Bank Hadi is mainly a B2C retail bank serving Turkish residents who want a fully digital, interest-free banking experience. Its 11.5 million-user base skews towards mobile-first urban consumers and A101 grocery shoppers, with strong appeal among customers who value the Hadi Black cashback proposition and Hadi Installment Credit at A101, English Home and Eve. The app is available on Android and iOS only — there is no web banking equivalent — which makes mobile-protocol-aware integration the natural path for partners who want machine-readable data. From a regional perspective, the core market is Türkiye, but cross-border use cases (EU employers paying Turkish contractors, GCC remitters topping up family accounts) are common and shape integration requirements such as multi-currency export and counterparty-name normalisation.

Screenshots

Click any thumbnail to enlarge. Screenshots are sourced from the official TOM Bank Hadi listing and illustrate the surfaces we can integrate against.

Similar apps & integration landscape

Customers integrating TOM Bank Hadi often also work with the apps below. We list them to clarify the broader Turkish digital-banking ecosystem so a single integration can later be extended without re-architecting. We do not rank or criticise these apps — each one holds different data and serves different user segments.

Enpara — QNB Finansbank's branchless brand. Transactional accounts, card statements and FX trades; teams aggregating Turkish current accounts often pair Enpara feeds with TOM Bank Hadi for full retail coverage.
Papara — Popular e-money wallet with prepaid Mastercard, bill payments and cashback. Frequently bridged with TOM Bank Hadi for users who keep daily spend on Papara but salaries on Hadi.
Tosla — Akbank's youth-focused digital wallet. Holds peer-to-peer transfers and a virtual card; integrators normalise its export format alongside Hadi statements for unified Gen-Z dashboards.
Akbank Mobile — One of Türkiye's largest banks, named "World's Best Digital Bank" by Euromoney. Holds investment, mortgage and SME data that complements Hadi's participation product set.
İşCep (Türkiye İş Bankası) — Long-running mobile banking app from İş Bankası; teams aggregating cross-bank transaction history routinely consume İşCep statements alongside Hadi.
Ziraat Mobile — Public-bank mobile app and the country's most-used finance app. Useful when a partner needs both state-bank and challenger-bank data in one normalised feed.
Ziraat Katılım — Participation-banking sibling to Ziraat Mobile, directly comparable to TOM Bank Hadi for interest-free product lines (faizsiz bankacılık).
Kuveyt Türk — Established participation bank with public API banking documentation; often referenced as the conventional benchmark for Hadi-style integrations.
Wise — Multi-currency account used by Turkish freelancers earning in EUR/USD; pairs naturally with Hadi for FX rollups.
Bilder — Newer neobank with cashback cards and Apple Pay / Google Pay support; partners frequently compare its merchant-tier data against Hadi Black cashback feeds.

About us

OpenFinance Lab is an independent studio focused on fintech and open-data API integration. Our team includes engineers from banks, payment gateways, mobile protocol analysis, and cloud platforms. We have shipped end-to-end integrations on participation banks, conventional banks, BNPL, and e-money wallets across Türkiye, the EU and the Gulf, and we know how BDDK IT, BKM ÖHVPS 2.0, KVKK, PSD2 and GDPR interact in practice.

Payments, digital banking, participation finance and cross-border clearing
Enterprise API gateways, mTLS, device binding and security reviews
Custom Python / Node.js / Go SDKs and test harnesses
Full pipeline: protocol analysis → build → validation → compliance review
Source code delivery from $300 — runnable code and full documentation; pay after delivery upon satisfaction
Pay-per-call API billing — call our hosted endpoints, no upfront fee, ideal for usage-based pricing

Contact

For quotes or to submit your TOM Bank Hadi requirements (consent scope, regions, expected call volume), open our contact page:

Contact page

Working under NDA is standard. We can sign Turkish-language NDAs and accept payment in TRY, USD or EUR.

Engagement workflow

Scope confirmation: consent scope, target endpoints (login, transactions, Hadi Black, term accounts, transfers).
Protocol analysis & API design (2–5 business days, complexity-dependent).
Build & internal validation against a test Hadi account (3–8 business days).
Documentation, samples and test cases (1–2 business days).
Typical first delivery: 5–15 business days; BDDK-aligned audits or BKM GATE alignment may extend timelines.

FAQ

Which TOM Bank Hadi data can you actually expose through an API?

Authenticated user data behind the app screens: account balances and the Mega Daily participation account, term (participation) account positions in TL/USD/EUR, transaction and statement history, Hadi Black credit card statements and cashback, money transfer instructions, FX and gold trades, A101 cashback and bill-payment records. We expose these as REST endpoints with paging, date filters and JSON/CSV/PDF export.

Is this compliant with Turkish open banking and BDDK rules?

Yes. We work under explicit customer authorization or against published, authorized APIs and follow the CBRT "Guideline on Data Sharing Services in Payment Services" published 30 December 2022, the Banking Regulation and Supervision Agency (BDDK) IT regulations, BKM ÖHVPS 2.0 transition expectations and Law No. 7545 (March 2025) cybersecurity requirements. Consent records, audit logs and data minimisation are baked in by default.

How long does delivery take?

Usually 5–12 business days for the first API drop covering login, balance, transactions and statement export. Adding Hadi Black card statements, FX/gold trades, term accounts and webhooks for bill-payment instructions adds a few days. Realtime, multi-tenant or enterprise SSO stacks may take longer.

Source code or hosted API — which engagement model fits best?

From $300 we can hand over runnable source code (Python, Node.js or Go) plus OpenAPI documentation and tests; you pay after delivery upon satisfaction. Alternatively, you can call our hosted endpoints and pay per call with no upfront fee — a better fit for teams that prefer usage-based pricing or that need to scale TOM Bank Hadi data into many internal tools at once.

📱 Original app overview (appendix)

TOM Bank Hadi is the consumer mobile app of T.O.M. Katılım Bankası A.Ş. ("TOM Bank"), part of the Turgut Aydın Holding Group and authorised and supervised by the Central Bank of the Republic of Türkiye. Marketed as Türkiye's largest digital bank by credit-card count, it serves more than 11.5 million users with a fully interest-free, participation-banking product set delivered through a single app — there is no branch network and no web banking equivalent.

Core proposition — Hadi Black is a paid credit card with up to 3,000 TL/month in cashback (up to 1,000 TL on groceries and a further 1,000 TL on A101 purchases), monthly perks at A101 (e.g. Lipton Yellow Label 48-pack tea on the bank, valid until 31 March 2026), and the ability to defer education, health and insurance expenses up to 12 months.

Lending — Hadi Installment Credit lets users buy at A101, English Home, Eve, A101 Kapıda and A101 Ekstra in instalments up to 24 months, and across many sectors from fuel to health. Hadi Deferred Payment lets users pay in two months. Memorial hospitals (Şişli, Bahçelievler, Ataşehir, Ankara, Göztepe, Bodrum) are explicitly supported for healthcare deferrals.

Savings & investments — Mega Daily Account pays profit-sharing every day rather than only at maturity; Term (Participation) Accounts can hold TL, USD and EUR; Hadi Gold gives up to 10% cashback at A101, English Home and Eve and supports a recurring "Gold Savings Account" funded from the Hadi Black card.

Payments & cash management — Free 24/7 domestic EFT/FAST money transfers with no IBAN required between Hadi users, automatic bill-payment instructions from cards or accounts, and free cash deposit/withdrawal at A101 stores within published limits. The bank has been broadening its product set throughout 2024–2025, layering Hadi Gold and gold-savings products on top of the original credit-card-led proposition.