VakıfBank API integration & Turkey OpenBanking services

OpenData · OpenFinance · BDDK Open Banking · Protocol analysis · FAST & Investment APIs

Connect VakıfBank Mobil Bankacılık to your back office, ERP and analytics stack

VakıfBank is the second largest bank in Türkiye with around a 13.4% market share and roughly 15 million customers, operating more than 900 branches plus international desks in New York, Erbil, Doha and Bahrain. Its mobile app concentrates transaction history, FAST instant transfers, card management, investments (stocks, funds, eurobonds, treasury bills, bonds), bill and tax payments, and multi-bank aggregation into one channel. That makes the app a natural OpenData source for accounting, treasury, risk and fintech use cases.

Statement & transaction export — Pull TRY, USD and EUR account history with paging, date filters and channel attribution (FAST, EFT, SWIFT, card, QR), then push to ledger, ERP or a data warehouse.

FAST instant transfer APIs — Initiate and reconcile FAST (Fonların Anlık ve Sürekli Transferi) payments, including TR barcode, address-based transfers and money transfer requests originated from the login screens.

Card & installment data — Credit and debit card movements, installment splits, statement closing dates, application status and password lifecycle events via the card-settings surface.

Investment portfolio sync — Read holdings, orders and valuations across the investment menu (stocks, mutual funds, eurobonds, bills, bonds) for portfolio dashboards and audit.

What we deliver

Deliverables checklist

OpenAPI / Swagger specification mapped to VakıfBank API Portal scopes
Protocol and auth flow report (OAuth 2.0 Authorization Code, token refresh, redirect handling)
Runnable source code for login, statement query, FAST initiation and card data (Python, Node.js, Go)
Automated regression tests, Postman collection and sandbox data fixtures
BDDK and Law No. 6493 compliance notes plus a consent and retention guide

Engagement models

Source code delivery from $300 — Runnable API source code plus full documentation; pay after delivery upon satisfaction.
Pay-per-call hosted API — Access our managed VakıfBank endpoints and pay only for calls you make, no upfront cost.
Hybrid — Hosted login and consent layer combined with on-prem statement and FAST adapters for clients with stricter data residency needs.

Data available for integration

The table below summarises the data surfaces that the VakıfBank Mobil Bankacılık app exposes and how each one is typically consumed by downstream systems. We focus on regulated, customer-authorised flows in line with the BDDK Regulation on Information Systems of Banks.

Data type	Source (app surface)	Granularity	Typical use
Account balance & metadata	Accounts dashboard, statements menu	Per IBAN, real-time	Treasury, cash positioning, ERP daily close
Transaction history	Statements, "Find from Past Transactions"	Per movement, up to 1 year retrievable	Reconciliation, AML monitoring, analytics
FAST & EFT transfers	Money transfer flows, TR barcode	Per payment, status callbacks	Payouts, settlement, refund automation
Card movements	Credit/debit card menu, installments	Per authorisation and posting	Expense management, fraud signals
Investment portfolio	Investment menu (stocks, funds, eurobonds, T-bills, bonds)	Per instrument and order	Wealth dashboards, regulatory reporting
Bill, tax & MTV payments	"Benim Yerim", payments menu	Per biller, per cycle	Property and fleet cost control
Multi-bank account view	"All Transactions" cross-bank screen	Per linked bank/account	Aggregated treasury, PFM analytics
Commercial approvals	Approval Transactions menu	Per pending request, per authoriser	Corporate workflow, dual control

Typical integration scenarios

1. ERP reconciliation for SMEs

A small business that runs Logo, Mikro or Netsis ERP pulls daily VakıfBank statements via the statement API. We map narrative, counterparty IBAN and FAST reference fields to ledger keys, then post matched entries automatically. Unmatched items are pushed to an exceptions queue. This is a classic OpenData AIS use case.

2. Marketplace payouts over FAST

An e-commerce platform initiates FAST payouts to sellers using the payment initiation API (PIS). Each payout payload includes order ID and split-share metadata so the "Share Payment" reconciliation logic stays consistent. Webhooks return final status to the marketplace ledger.

3. Multi-bank treasury dashboard

A mid-cap CFO aggregates balances and movements across VakıfBank, Ziraat, Garanti and İş Bankası through the "All Transactions" surface. We expose a normalised JSON model so treasury teams see consolidated TRY, USD and EUR positions and can trigger FAST sweeps between accounts.

4. Investment portfolio reporting

A wealth manager reads VakıfBank investment account holdings (stocks, funds, eurobonds, treasury bills, bonds) on a daily schedule, computes risk and concentration metrics, and feeds the output to a client portal. Order events from the investment menu are streamed in near real time for audit.

5. Corporate approvals workflow

Commercial customers use the Approval Transactions menu to route pending transfers and tax payments through a multi-level authorisation chain. We connect this to corporate SSO so approvers see the same queue in Microsoft Teams or a custom workflow tool, while VakıfBank retains the legal authorisation record.

Technical implementation

VakıfBank publishes an official developer portal at apiportal.vakifbank.com.tr with two OAuth 2.0 flows: Authorization Code for customer-consented APIs and Client Credentials for institution-to-institution flows. Apps move from Pending Approval to Active after review and receive an API Key, then graduate from sandbox to production by switching API Plans. The snippets below illustrate request shapes; production code uses signed payloads, retry-with-jitter and idempotency keys.

Authorization Code exchange

POST /oauth2/token HTTP/1.1
Host: apiportal.vakifbank.com.tr
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <BASE64(client_id:client_secret)>

grant_type=authorization_code
&code=AUTH_CODE_FROM_REDIRECT
&redirect_uri=https://app.example.com/cb
&scope=accounts statements payments

200 OK
{
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 1800,
  "refresh_token": "...",
  "scope": "accounts statements payments"
}

Statement query (AIS)

POST /api/v1/vakifbank/statement
Authorization: Bearer <ACCESS_TOKEN>
Content-Type: application/json

{
  "iban": "TR320001500158007292XXXXXX",
  "from_date": "2026-04-01",
  "to_date":   "2026-04-30",
  "channels": ["FAST", "EFT", "CARD"],
  "page": 1,
  "page_size": 100
}

200 OK
{
  "iban": "TR32...",
  "currency": "TRY",
  "opening_balance": 184350.22,
  "closing_balance": 207912.05,
  "movements": [
    {"id":"mv_001","ts":"2026-04-03T09:14:21+03:00","amount":-1250.00,
     "channel":"FAST","ref":"FAST20260403-77a","counterparty_iban":"TR55..."}
  ],
  "next_page": 2
}

FAST payment initiation (PIS) + webhook

POST /api/v1/vakifbank/fast/initiate
Authorization: Bearer <ACCESS_TOKEN>
Idempotency-Key: order-998877

{
  "debtor_iban": "TR32...",
  "creditor_iban": "TR55...",
  "amount": 749.90,
  "currency": "TRY",
  "description": "Order #998877",
  "consent_id": "cnst_8c2a"
}

202 Accepted
{ "payment_id": "pay_4f1e", "status": "PENDING" }

# webhook -> https://app.example.com/hooks/fast
{
  "payment_id": "pay_4f1e",
  "status": "EXECUTED",
  "settled_at": "2026-05-02T10:31:08+03:00",
  "bank_ref": "VKFB-FAST-2026050210311101"
}

Compliance & privacy

Turkish Open Banking framework

Our integrations follow the BDDK "Regulation on Information Systems of Banks and Electronic Banking Services" (published 15 March 2020, effective 1 July 2020) and the amendments to Law No. 6493 on Payment Services that define account information services (AIS) and payment initiation services (PIS). For data protection we map controls to KVKK and, where customers operate cross-border, to GDPR. Consent records, audit logs and data-minimisation defaults are part of every drop.

Practical safeguards

Short-lived OAuth tokens with refresh rotation
mTLS or signed JWT for high-value FAST PIS calls
Consent registry mirroring VakıfBank scopes
PII scrubbing before any non-bank logging or analytics
SLA-backed key rotation and incident response playbook

Data flow & architecture

A typical VakıfBank integration follows a four-stage pipeline: Mobile / Web Client → OAuth Consent & API Gateway (Authorization Code at apiportal.vakifbank.com.tr) → Ingestion & Normalisation Layer (statement, card, FAST, investment adapters) → Storage & Output (PostgreSQL or BigQuery for analytics, plus a synchronous REST or webhook layer for ERP and dashboards). Token, consent and audit events are written to a separate compliance store with stricter retention. The same shape supports both batch reconciliation and event-driven payout workflows.

Market positioning & user profile

VakıfBank Mobil Bankacılık serves a mixed retail and commercial customer base inside Türkiye, with roughly 15 million customers and growing penetration through its 900-plus domestic branches and overseas desks in New York, Erbil, Doha and Bahrain. The platform is strong with salary-account holders, SME owners using the Commercial Mobile variant for Approval Transactions, and investors trading stocks, funds, eurobonds and treasury bills from a single screen. Android dominates installs, but iOS coverage is full-feature; a Wear OS smart-watch companion adds real-time market info, branch and ATM lookup. Buyers of our integration are typically Turkish SMEs, fintechs in the broader EMEA region, and accounting / treasury vendors building unified ledgers across the "big five" Turkish banks.

Screenshots

Click any thumbnail to view it at full size. These previews illustrate the data surfaces our integrations target (statements, card menus, investments, FAST flows).

VakıfBank Mobil Bankacılık screenshot 10

Similar apps & integration landscape

Teams that integrate VakıfBank Mobil Bankacılık usually need normalised access to the wider Turkish banking ecosystem. The apps below sit in the same category and share many of the same data surfaces (statements, card movements, FAST and investments); they are listed here as part of the integration landscape, not as a ranking.

Ziraat Mobil (Ziraat Bankası) — Turkey's largest state-owned bank by assets; users who work with Ziraat Mobil often need unified transaction exports across both VakıfBank and Ziraat for public-sector reconciliation.
Halkbank Mobil (Türkiye Halk Bankası) — A second large state-owned bank; common dual-account pattern with VakıfBank for SME and tradesman accounts.
İşCep (Türkiye İş Bankası) — The largest private bank's app; popular for investment trading, often combined with VakıfBank investment APIs in a single portfolio view.
Garanti BBVA Mobile — Frequently named the strongest private-bank digital channel; treasury teams aggregate Garanti and VakıfBank FAST flows for consolidated payouts.
Akbank Mobil — Named Turkey's best cash management bank in 2025; pairs with VakıfBank in many corporate ERP integrations.
Yapı Kredi Mobile — A pioneer in Turkish digital banking; expat-heavy user base, often unified with VakıfBank for cross-currency statements.
QNB Mobil (QNB Finansbank) — Strong on international remittance via Western Union "Quick Pay"; complements VakıfBank international corridors.
Denizbank Mobil — Owned by Emirates NBD; useful when integrations span Türkiye and the UAE alongside VakıfBank Bahrain and Doha desks.
ING Mobil (Turkey) — European parent gives ING a different open-banking footprint; teams syncing EU and TR data often pair ING and VakıfBank.
Enpara (QNB Finansbank) — A digital-only brand; popular as a complementary current account when VakıfBank carries salary or business deposits.

About us

OpenFinance Lab is an independent studio focused on fintech and open-data API integration. Our engineers come from banks, payment gateways, mobile protocol analysis and cloud platforms. We have shipped Turkish and EMEA financial integrations under BDDK, KVKK and PSD2-equivalent constraints, and we know how to map Turkish-language menus and bank-specific quirks to clean, English-documented APIs.

Payments, digital banking, insurtech, brokerage and treasury
Enterprise API gateways, security reviews and red-team support
Python, Node.js, Go and Java SDKs with test harnesses
Full pipeline: protocol analysis → build → validation → compliance
Source code delivery from $300 — runnable code and documentation; pay on satisfaction.
Pay-per-call hosted APIs — usage-based pricing, no upfront cost.

Contact

For quotes, sandbox access or to scope a VakıfBank Mobil Bankacılık integration, open our contact page:

Contact page

Tell us the target scope (statements, FAST, investments, card data) and any existing API Portal credentials; we will reply with a sandbox plan and a fixed-price quote.

Engagement workflow

Scope confirmation: choose between statement-only AIS, FAST PIS, card events, investment sync or a full pack.
Protocol analysis and API design against the VakıfBank API Portal (2-5 business days).
Build and internal validation in sandbox (3-8 business days).
Docs, samples, BDDK consent notes and test cases (1-2 business days).
Typical first delivery: 5-15 business days; production plan approval at the API Portal may extend timelines.

FAQ

What do you need from me to start a VakıfBank integration?

The target scope (statement export, FAST transfer initiation, card transactions, investment portfolio, multi-bank aggregation), the merchant or commercial customer profile, any existing VakıfBank API Portal credentials or sandbox keys, and the receiving systems on your side (ERP, accounting, data warehouse).

How long does a first VakıfBank API drop take?

Typically 5 to 12 business days for a first delivery covering login, statement query and one payment flow with documentation. Multi-bank aggregation, FAST PIS or smart-watch and ViBi voice channels can extend the schedule by another 1-2 weeks.

How do you handle Turkish Open Banking compliance?

We work under documented APIs from the VakıfBank API Portal and the BDDK Regulation on Information Systems of Banks and Electronic Banking Services, with OAuth 2.0 Authorization Code or Client Credentials flow, consent logging, and Law No. 6493 alignment for AIS and PIS.

Do you cover investment and card data, not just transfers?

Yes. Beyond statements and FAST transfers we cover stock, fund, eurobond, treasury bill and bond portfolio sync, plus credit and debit card transactions, installment splits, application status and statement closing dates.

📱 Original app overview (appendix)

VakıfBank Mobil Bankacılık is the official mobile app of Türkiye Vakıflar Bankası, one of Turkey's largest banks and second by market share in 2024 (around 13.4%). The app lets retail and commercial customers open an account remotely with an ID card, view balances and statements, transfer money, manage credit and debit cards, run investment trades (stocks, funds, eurobonds, treasury bills and bonds), and pay bills and taxes from a single channel.

Easy onboarding — Become a customer with your ID card without visiting a branch; create a personal app password during activation.
Commercial Mobile — Approval Transactions menu lets corporate customers view and approve pending transfers, payments and tax actions from one screen, in line with each user's authorisation level.
Investments — Open an investment account and trade stocks, mutual funds, eurobonds, treasury bills and bonds; manage the portfolio in one place.
Cards — Track credit and debit card spending, split into installments, manage applications and debt payment, change passwords and statement closing dates via card-settings.
Find from Past Transactions — Search transfers from the last year and repeat them in one tap.
Share Payment — Split subscriptions, transfers, bill payments and other expenditures with family or friends.
Cepte Kazan — Discover and join campaigns directly inside the app.
ViBi assistant — Run banking transactions by voice or text; the Financial Consultant adds product-level advice.
Benim Yerim — Add home and vehicle records to the app and run related tax (including MTV), bill and money-transfer actions on one screen.
Multi-bank view — Track accounts and cards in other banks; create single, future-dated or regular transfer orders from those accounts.
Smart-watch app — Follow real-time market info, find the closest VakıfBank branches and ATMs, reach the call centre quickly.
Permissions — Call logs for spam detection, phone for call-centre dialling, location for branch/ATM lookup, Google services for Maps, network/WiFi for connectivity, SMS for OTP autofill, photo/media for image saving, identity for Google services and Mobile Signature notifications.