Connect a bank Bank verbinden Conectar um banco

Setup guides for Teller (US), Enable Banking (EU), and Lunchflow. For Brazilian banks via Pluggy, see the dedicated Pluggy guide. Setup-Anleitungen für Teller (USA), Enable Banking (EU) und Lunchflow. Für brasilianische Banken via Pluggy: eigene Pluggy-Anleitung. Guias de configuração para Teller (EUA), Enable Banking (UE) e Lunchflow. Para bancos brasileiros via Pluggy, veja o guia dedicado da Pluggy.

Jump toSpringen zuIr para
Teller Enable Banking Lunchflow Pluggy →

Teller US

Connects to Chase, Citi, Amex, Bank of America, Wells Fargo, and most US retail banks. Free development tier covers personal use; production requires a paid plan + a real cert authority. Verbindet Chase, Citi, Amex, Bank of America, Wells Fargo und die meisten US-Retail-Banken. Kostenloser Development-Tarif für privaten Gebrauch; Produktion erfordert einen Bezahl-Tarif + echte Cert-Authority. Conecta com Chase, Citi, Amex, Bank of America, Wells Fargo e a maioria dos bancos de varejo dos EUA. O plano development grátis cobre uso pessoal; production exige um plano pago + uma autoridade certificadora real.

SetupSetupConfiguração

  1. Sign up at teller.io → confirm email.Anmeldung auf teller.io → E-Mail bestätigen.Cadastre-se em teller.io → confirme o e-mail.
  2. Dashboard → Settings → Application → copy the Application ID.Dashboard → Settings → ApplicationApplication ID kopieren.Dashboard → Settings → Application → copie o Application ID.
  3. Settings → Certificates → click Generate certificate → download the .pem certificate AND the matching .pem private key. Keep both files safe.Settings → Certificates → auf Generate certificate klicken → das .pem-Zertifikat UND den passenden .pem-Private-Key herunterladen. Beide Dateien sicher aufbewahren.Settings → Certificates → clique em Generate certificate → baixe o certificado .pem E a chave privada .pem correspondente. Guarde ambos os arquivos com segurança.

Upload the cert files to Railway's volumeCert-Dateien auf das Railway-Volume hochladenSubir os arquivos de cert para o volume da Railway

Teller authenticates via TLS client certificates — your tenant needs the cert + key files mounted on disk, not just env vars. Easiest path: from the finances dashboard → Connections → Teller → Upload cert form. They land in /app/data/teller-cert.pem and /app/data/teller-key.pem. Teller authentifiziert über TLS-Client-Zertifikate — deine Instanz braucht die Cert- + Key-Dateien auf der Festplatte, nicht nur Env-Vars. Einfachster Weg: vom finances-Dashboard → Connections → Teller → Upload cert-Formular. Sie landen in /app/data/teller-cert.pem und /app/data/teller-key.pem. A Teller autentica via certificados TLS de cliente — sua instância precisa dos arquivos de cert + key montados em disco, não só nas env vars. Caminho mais fácil: pelo dashboard do finances → Connections → Teller → Upload cert. Eles ficam em /app/data/teller-cert.pem e /app/data/teller-key.pem.

Env varsEnv-VarsVariáveis de ambiente

TELLER_APP_ID
From Teller → Settings → ApplicationVon Teller → Settings → ApplicationDe Teller → Settings → Application
TELLER_ENV
development for the free tier (real banks, your own accounts only); sandbox for fake test data; production for the paid tier.development für den Free-Tarif (echte Banken, nur eigene Konten); sandbox für Test-Daten; production für den Bezahl-Tarif.development para o plano grátis (bancos reais, apenas suas próprias contas); sandbox para dados de teste; production para o plano pago.
TELLER_CERT_PATH
Default: /app/data/teller-cert.pem — only override if you uploaded the cert under a different filename.Standard: /app/data/teller-cert.pem — nur überschreiben, wenn du das Cert unter einem anderen Namen hochgeladen hast.Padrão: /app/data/teller-cert.pem — só sobrescreva se subiu o cert com outro nome.
TELLER_KEY_PATH
Default: /app/data/teller-key.pemStandard: /app/data/teller-key.pemPadrão: /app/data/teller-key.pem

Connect a bankBank verbindenConectar um banco

Tenant Connections page → Teller → Connect. The hosted Teller widget opens in a new tab → log in to your bank → return. Each enrollment becomes a sync target. Tenant Connections-Seite → Teller → Connect. Das gehostete Teller-Widget öffnet einen neuen Tab → bei deiner Bank anmelden → zurück. Jede Enrollment wird ein Sync-Ziel. Página Connections da sua instância → Teller → Connect. O widget hospedado do Teller abre numa nova aba → faça login no seu banco → volte. Cada enrollment vira um destino de sincronização.

Development-tier limit:Development-Tarif-Limit:Limite do plano development: Free tier is capped to 100 enrollments + you can only connect accounts you personally own. Plenty for individuals + family offices; not enough for a SaaS reselling. Free-Tarif ist auf 100 Enrollments gedeckelt + du kannst nur eigene Konten verbinden. Reicht für Einzelpersonen + Family Offices; nicht für SaaS-Wiederverkauf. O plano grátis tem teto de 100 enrollments e só permite conectar contas que você mesmo possui. Suficiente para indivíduos + family offices; não basta para revenda como SaaS.

Enable Banking EU PSD2

Connects to most major EU banks (Deutsche Bank, BBVA, ING, Commerzbank, Société Générale, Revolut, N26, etc.) via PSD2 / Open Banking. Free tier covers personal use up to a small monthly cap. Every authorization is valid for 90 days max — that's a PSD2 regulation, not a Steward limit. Verbindet die meisten großen EU-Banken (Deutsche Bank, BBVA, ING, Commerzbank, Société Générale, Revolut, N26 etc.) via PSD2 / Open Banking. Free-Tarif für privaten Gebrauch bis zu einem kleinen monatlichen Limit. Jede Autorisierung gilt maximal 90 Tage — das ist eine PSD2-Vorgabe, kein Steward-Limit. Conecta com a maioria dos grandes bancos europeus (Deutsche Bank, BBVA, ING, Commerzbank, Société Générale, Revolut, N26 etc.) via PSD2 / Open Banking. O plano grátis cobre uso pessoal até um pequeno teto mensal. Toda autorização vale no máximo 90 dias — isso é regra PSD2, não limite do Steward.

1. One-time provider setup1. Einmaliges Provider-Setup1. Configuração única do provider

  1. Sign up at enablebanking.com → developer portal.Anmeldung auf enablebanking.com → Developer-Portal.Cadastre-se em enablebanking.com → portal do desenvolvedor.
  2. Create an Application → copy the App ID (this is the long UUID, not the human name).Application erstellen → App ID kopieren (das ist die lange UUID, nicht der lesbare Name).Crie uma Application → copie o App ID (o UUID longo, não o nome legível).
  3. Generate an RSA-2048 keypair. Easiest: use the in-browser generator below (runs locally, key never sent anywhere). Or in a terminal: openssl genrsa -out enable.key 2048; then openssl rsa -in enable.key -pubout -out enable.pub. Either way: upload the public key to Enable Banking, keep the private key for the env var.RSA-2048-Keypair generieren. Am einfachsten: den Browser-Generator unten nutzen (läuft lokal, der Key verlässt dein Gerät nie). Alternativ im Terminal: openssl genrsa -out enable.key 2048; dann openssl rsa -in enable.key -pubout -out enable.pub. So oder so: Public-Key zu Enable Banking hochladen, Private-Key für die Env-Var behalten.Gere um par RSA-2048. Mais fácil: use o gerador embutido abaixo (roda localmente, a chave não sai do seu dispositivo). Ou no terminal: openssl genrsa -out enable.key 2048; depois openssl rsa -in enable.key -pubout -out enable.pub. De qualquer jeito: suba a chave pública para a Enable Banking, guarde a privada para a env var.
  4. In the Enable Banking app config, register your callback URL: https://<your-tenant>/api/enablebanking/callback. Copy-paste it — a trailing slash mismatch will break the redirect.In der Enable-Banking-App-Konfiguration die Callback-URL eintragen: https://<deine-instanz>/api/enablebanking/callback. Per Copy-Paste — ein fehlender oder zusätzlicher Slash am Ende killt den Redirect.Na configuração do app na Enable Banking, registre a URL de callback: https://<sua-instancia>/api/enablebanking/callback. Copy-paste — uma barra a mais ou a menos quebra o redirect.
Generate RSA-2048 keypair (in browser) RSA-2048-Keypair generieren (im Browser) Gerar par RSA-2048 (no navegador) Runs entirely on your device via WebCrypto. The key is never sent to Steward's servers or to Enable Banking — you upload the public half manually in step 4, and paste the private half into Railway in step 2 of the env vars. Läuft komplett lokal über WebCrypto. Der Key geht weder an Steward-Server noch an Enable Banking — den Public-Key lädst du in Schritt 4 manuell hoch, den Private-Key fügst du in Schritt 2 der Env-Vars in Railway ein. Roda inteiramente no seu dispositivo via WebCrypto. A chave não vai para os servidores do Steward nem para a Enable Banking — você sobe a metade pública manualmente no passo 4 e cola a metade privada na Railway no passo 2 das env vars.

2. Env vars (Railway → Variables)2. Env-Vars (Railway → Variables)2. Variáveis de ambiente (Railway → Variables)

ENABLE_BANKING_APP_ID
The App ID UUID from your Enable Banking application page.Die App-ID-UUID von deiner Enable-Banking-Application-Seite.O UUID do App ID da sua Application na Enable Banking.
ENABLE_BANKING_PRIVATE_KEY
The full PEM contents of the private key file (including -----BEGIN PRIVATE KEY----- headers and the trailing newline). Multi-line — Railway accepts that. If you'd rather not paste a multi-line value, base64-encode the PEM (base64 -i enable.key) and paste the single-line result; the server detects either format.Der vollständige PEM-Inhalt der Private-Key-Datei (inkl. -----BEGIN PRIVATE KEY------Headern und abschließendem Zeilenumbruch). Mehrzeilig — Railway akzeptiert das. Falls du kein Multi-Line einkleben willst, das PEM base64-encoden (base64 -i enable.key) und das einzeilige Ergebnis einfügen; der Server erkennt beides.O conteúdo PEM completo do arquivo da chave privada (incluindo os cabeçalhos -----BEGIN PRIVATE KEY----- e a quebra de linha final). Multilinha — a Railway aceita. Se preferir não colar multilinha, codifique o PEM em base64 (base64 -i enable.key) e cole a string única; o servidor detecta ambos.
ENABLE_BANKING_REDIRECT_URL
Your tenant URL + /api/enablebanking/callback. Must EXACTLY match what you registered in Enable Banking's dashboard. Set it, then save and let Railway redeploy before linking a bank.Deine Tenant-URL + /api/enablebanking/callback. Muss EXAKT mit dem Eintrag im Enable-Banking-Dashboard übereinstimmen. Setzen, speichern und Railway neu deployen lassen, bevor du eine Bank verbindest.URL da sua instância + /api/enablebanking/callback. Tem que bater EXATAMENTE com o que está no dashboard da Enable Banking. Salve e espere a Railway fazer redeploy antes de conectar um banco.

3. Link a bank (per-bank, takes ~2 minutes)3. Bank verbinden (pro Bank, ca. 2 Minuten)3. Conectar um banco (por banco, ~2 minutos)

There's no in-app "search and click" UI yet — the bank-link flow is API-only. The three steps below talk to your tenant directly. You'll need a manager-role API token (Settings → API Tokens) and your tenant URL. Es gibt noch keine "Bank suchen und klicken"-UI — der Link-Flow läuft per API. Die drei Schritte unten sprechen direkt mit deiner Instanz. Du brauchst einen Manager-API-Token (Settings → API Tokens) und deine Tenant-URL. Ainda não existe UI de "buscar e clicar" — o fluxo de link é só via API. Os três passos abaixo falam direto com sua instância. Você precisa de um token de API com role manager (Settings → API Tokens) e a URL da sua instância.

  1. Find the bank. Search by name across the major EU markets, or list everything for a single country (ISO code: DE, FR, GB, CH, FI, LT, LV, EE, etc.). Note the bank's exact name and country from the response — you'll pass them verbatim in step 2. Bank finden. Per Name über die großen EU-Märkte suchen oder alle Banken eines Landes listen (ISO-Code: DE, FR, GB, CH, FI, LT, LV, EE etc.). Den exakten name und country aus der Antwort notieren — die kommen in Schritt 2 wortgleich rein. Achar o banco. Busque por nome nos principais mercados da UE ou liste tudo de um país (ISO: DE, FR, GB, CH, FI, LT, LV, EE etc.). Anote o name e country exatos do retorno — você passa eles literalmente no passo 2.
    # Search by name (fuzzy, scans GB+DE+FR+CH+FI+LT+LV+EE by default)
    curl -H "Authorization: Bearer $STEWARD_TOKEN" \
      "https://<your-tenant>/api/enablebanking/banks?search=Revolut"
    
    # Or list every bank in a single country
    curl -H "Authorization: Bearer $STEWARD_TOKEN" \
      "https://<your-tenant>/api/enablebanking/banks?country=DE"
  2. Request an authorization URL. Pass the bank's exact name and country from step 1. Optionally pass valid_days (1–90, default 90 = the PSD2 max). The response includes a url — open it in a browser. Autorisierungs-URL anfordern. Exakten name und country aus Schritt 1 mitgeben. Optional valid_days (1–90, Default 90 = PSD2-Maximum). Die Antwort enthält eine url — die im Browser öffnen. Pedir a URL de autorização. Passe o name e country exatos do passo 1. Opcional: valid_days (1–90, default 90 = máximo do PSD2). A resposta tem uma url — abra no navegador.
    curl -X POST -H "Authorization: Bearer $STEWARD_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"bank_name":"Revolut","bank_country":"LT","valid_days":90}' \
      "https://<your-tenant>/api/enablebanking/link"
    # → { "authorizationId": "...", "url": "https://api.enablebanking.com/auth/..." }
  3. Run the bank's PSD2 flow in the browser. Open the url, log in at your bank, approve account access. The bank redirects back to /api/enablebanking/callback on your tenant, which auto-completes the session and shows a green "✅ <Bank> Connected!" page listing the linked accounts. You can close that tab. PSD2-Flow der Bank im Browser durchlaufen. Die url öffnen, bei deiner Bank einloggen, Kontozugriff freigeben. Die Bank leitet zurück auf /api/enablebanking/callback deiner Instanz, der Server schließt die Session ab und zeigt eine grüne "✅ <Bank> Connected!"-Seite mit den verbundenen Konten. Tab kannst du schließen. Rode o fluxo PSD2 do banco no navegador. Abra a url, faça login no banco, libere o acesso às contas. O banco redireciona para /api/enablebanking/callback na sua instância, o servidor fecha a sessão e mostra uma página verde "✅ <Banco> Connected!" listando as contas conectadas. Pode fechar a aba.

4. Day-to-day4. Im Alltag4. Dia a dia

Common gotchasHäufige StolperfallenPegadinhas comuns

Lunchflow LightweightLeichtgewichtigLeve

Lightweight aggregator covering a smaller set of banks but with a one-key setup — by far the easiest of the four. Good for testing or as a fallback. Leichtgewichtiger Aggregator mit kleinerem Bank-Umfang, aber Ein-Schlüssel-Setup — mit Abstand das einfachste der vier. Gut zum Testen oder als Fallback. Agregador leve, com cobertura menor de bancos mas configuração de uma única chave — de longe o mais fácil dos quatro. Bom para testes ou como fallback.

SetupSetupConfiguração

  1. Sign up at lunchflow.app.Anmeldung auf lunchflow.app.Cadastre-se em lunchflow.app.
  2. Connect your bank account inside Lunchflow's UI.Bankkonto innerhalb der Lunchflow-UI verbinden.Conecte sua conta bancária dentro da UI da Lunchflow.
  3. In the Lunchflow sidebar click Destinations, then Add Destination.In der Lunchflow-Seitenleiste auf Destinations klicken, dann Add Destination.Na barra lateral da Lunchflow clique em Destinations, depois Add Destination.
  4. From the grid (Lunch Money / YNAB / Google Sheets / Sure / Actual Budget / Firefly III / MCP / REST API / File Export) pick REST API.Aus der Liste (Lunch Money / YNAB / Google Sheets / Sure / Actual Budget / Firefly III / MCP / REST API / File Export) REST API wählen.Na grade (Lunch Money / YNAB / Google Sheets / Sure / Actual Budget / Firefly III / MCP / REST API / File Export) escolha REST API.
  5. Give it any name (default "REST API" is fine) and click Create REST API Destination.Beliebigen Namen vergeben (Default "REST API" ist okay) und auf Create REST API Destination klicken.Dê qualquer nome (o padrão "REST API" serve) e clique em Create REST API Destination.
  6. In the freshly-created destination, the REST API Configuration panel shows your API Key — click the eye icon to reveal, then the copy icon.In der neu erstellten Destination zeigt der REST API Configuration-Bereich deinen API Key — Augen-Icon zum Anzeigen, dann Kopier-Icon.Na destinação recém-criada, o painel REST API Configuration mostra sua API Key — clique no ícone do olho para revelar, depois no ícone de copiar.

Env varsEnv-VarsVariáveis de ambiente

LUNCHFLOW_API_KEY
In Railway → your Steward service → Variables → paste the key. Save → Railway redeploys → done.In Railway → dein Steward-Service → Variables → Schlüssel einfügen. Speichern → Railway deployt neu → fertig.Na Railway → seu serviço Steward → Variables → cole a chave. Salve → a Railway faz redeploy → pronto.

SyncSyncSincronizar

Tenant Connections page → Lunchflow → Sync. Pulls all your Lunchflow-connected accounts at once. Subsequent syncs run automatically every 6 hours. Tenant Connections-Seite → Lunchflow → Sync. Zieht alle deine Lunchflow-Konten auf einmal. Nachfolgende Syncs laufen automatisch alle 6 Stunden. Página Connections da sua instância → Lunchflow → Sync. Puxa todas as suas contas conectadas via Lunchflow de uma vez. Sincronizações seguintes rodam automaticamente a cada 6 horas.

Pluggy BR

Brazilian banks have their own dedicated guide (longer because of the MeuPluggy two-product flow): Brasilianische Banken haben eine eigene Anleitung (länger wegen des MeuPluggy-Zwei-Produkt-Flows): Bancos brasileiros têm um guia dedicado (mais longo por causa do fluxo de dois produtos do MeuPluggy):

→ /docs/pluggy

What we see vs. what each provider seesWas wir sehen vs. was jeder Anbieter siehtO que nós vemos vs. o que cada provedor vê

Your tenant calls each provider directly using YOUR keys. Nothing routes through any infrastructure we control. Each provider only sees what they themselves return — Teller sees Teller transactions, EB sees EB transactions, etc. We see nothing. Deine Instanz ruft jeden Anbieter direkt mit DEINEN Keys auf. Nichts läuft über Infrastruktur, die wir kontrollieren. Jeder Anbieter sieht nur, was er selbst zurückgibt — Teller sieht Teller-Transaktionen, EB sieht EB-Transaktionen etc. Wir sehen nichts. Sua instância chama cada provedor diretamente usando as SUAS chaves. Nada passa por infraestrutura controlada por nós. Cada provedor só vê o que ele mesmo retorna — a Teller vê transações da Teller, a EB vê transações da EB etc. A gente não vê nada.

See SECURITY.md for the full egress-allowlist + privacy model. Siehe SECURITY.md für die vollständige Egress-Allowlist + das Datenschutz-Modell. Veja SECURITY.md para a allowlist de saída completa + o modelo de privacidade.