15.11. LibEuFin How-To

The LibEuFin Nexus is a Web service that provides a JSON abstraction layer to access bank accounts. It does not itself offer banking services, but is a translator between JSON requests and other banking protocols (such as EBICS), that are offered by banks.

This document explains how to set up Nexus to access a bank account via the EBICS protocol.

In order to follow all the steps below, the reader should either have access to a bank account with EBICS support or follow the steps in “Setting up the Sandbox”.

15.11.1. Installing LibEuFin


LibEuFin does not yet ship with any systemd unit files.

There is an open bug report for this issue.

Installation on Debian

To install the GNU Taler Debian packages, first ensure that you have the right Debian distribution. At this time, the packages are built for Sid, which means you should use a system which at least includes unstable packages in its source list. We recommend using APT pinning to limit unstable packages to those explicitly requested. To do this, set your /etc/apt/preferences as follows:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600

Package: *
Pin: release l=Debian-Security
Pin-Priority: 1000

A typical /etc/apt/sources.list file for this setup would look like this:

deb http://ftp.ch.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://ftp.ch.debian.org/debian/ testing main
deb http://ftp.ch.debian.org/debian/ unstable main
deb https://deb.taler.net/apt/debian sid main

The last line is crucial, as it adds the GNU Taler packages.

Next, you must import the Taler Systems SA public package signing key into your keyring and update the package lists:

# wget -O - https://taler.net/static/taler-systems.gpg.key | apt-key add -
# apt update


You may want to verify the correctness of the Taler Systems key out-of-band.

Now your system is ready to install the official GNU Taler binary packages using apt.

To install LibEuFin, you can now simply run:

# apt install libeufin

Run-time dependencies

LibEuFin has the following run-time dependencies:

  • OpenJDK 11
  • Python 3.8
  • python3-click (can be installed via pip3 install click)
  • python3-requests (can be installed via pip3 install requests)

These dependencies only need to be installed manually when building from source or using the prebuilt binaries.

Downloading prebuilt binaries

Pre-built packages can be obtained from the taler.net website.

Unpack the libeufin-$version.zip file to your desired location (typically /opt or ~/opt) and make sure that your $PATH variable contains the bin/ directory of the unpacked archive.

Building from source

Nexus belongs to the LibEuFin project, and can be downloaded via Git:

$ git clone git://git.taler.net/libeufin

Note that Kotlin+Gradle should already work on the host system.

Navigate into the libeufin local repository, and from top-level run:

$ ./bootstrap
$ ./configure --prefix=$PREFIX
$ make install

Verifying your installation

In case of success, the three following commands should be found:

$ which libeufin-nexus
$ which libeufin-sandbox
$ which libeufin-cli

15.11.2. (Optional) Configuring the Sandbox

If you don’t have access to a real bank account with an EBICS API, you can set up the sandbox. The sandbox is a simplistic and incomplete implementation of a core banking system with EBICS access to bank accounts.

For the following commands, the sandbox service must be running. The sandbox service is started with the following command:

$ libeufin-sandbox serve --port 5000

To reset the state of the sandbox, delete the database. By default, the database is a SQLite3 file in /tmp/libeufin-sandbox.sqlite3.

For invocations of the LibEuFin command line interface tool (libeufin-cli), the following environment variable must be set to the URL of the sandbox service:

export LIBEUFIN_SANDBOX_URL=http://localhost:5000/

Verify that the sandbox is running:

$ libeufin-cli sandbox check

Now an EBICS host can be created:

$ libeufin-cli sandbox ebicshost create --host-id testhost

Note that most libeufin-cli subcommands will ask for input interactively if the respective value is not specified as a command line option.

Next, create an EBICS subscriber (identified by the partner ID and user ID) for the host:

$ libeufin-cli sandbox ebicssubscriber create \
    --host-id testhost --partner-id partner01 --user-id user01

Create a bank account for the subscriber and add a sample transaction:

$ libeufin-cli sandbox ebicsbankaccount create \
    --currency EUR \
    --iban DE18500105172929531888 \
    --bic INGDDEFFXXX \
    --person-name "Jane Normal" \
    --account-name "testacct01" \
    --ebics-host-id testhost \
    --ebics-user-id user01 \
    --ebics-partner-id partner01

The account name “testacct01” is the unique identifier of the account within the sandbox. The EBICS parameters identify the subscriber that should have access to the bank account via EBICS.

To populate the account with some test transactions, run the following command (note that we use the bankaccount subcommand, because there is no need to rely on EBICS):

$ libeufin-cli sandbox bankaccount generate-transactions testacct01

Payments to a sandbox bank account can be listed as follows:

$ libeufin-cli sandbox bankaccount transactions testacct01


The sandbox is intended as a testing tool and thus not stable.

For more information on the available commands, use the built-in --help flag.

The full functionality of the sandbox is available via the API. (FIXME(TTN): specify which API)

15.11.3. Connect Nexus with an EBICS account

Use the following command to run the nexus service:

$ libeufin-nexus serve --port 5001

By default, the SQLite3 database /tmp/libeufin-nexus.sqlite3 will be used. The database can be specified as a JDBC connection URI with the --db-conn-string=$DBCONN option. Only SQLite and PostgreSQL (only via TCP) are supported right now.


For production-grade deployments of LibEuFin, we do not recommend specifying the secret database credentials via command line arguments, as can will expose those credentials to other users.

Instead, the DB connection string should be specified in an environment variable (which can be set in the systemd unit via an EnvironmentFile option) once LibEuFin supports this (see the corresponding bug tracker entry).

For example:

$ libeufin-nexus serve --db-conn-string=jdbc:postgresql://

At this point a superuser account needs to be created:

$ libeufin-nexus superuser --db-conn-string=jdbc:postgresql:// foo # Will interactively ask for password

For simplicity, a superuser can as well act as a normal user, but an API to create less privileged users is offered.


User and permissions management in LibEuFin is still under development. In particular, permissions for non-superusers are very limited at the moment.

The command line interface needs the following three values to be defined in the environment: LIBEUFIN_NEXUS_URL, LIBEUFIN_NEXUS_USERNAME, and LIBEUFIN_NEXUS_PASSWORD. In this example, LIBEUFIN_NEXUS_USERNAME should be set to foo, and LIBEUFIN_NEXUS_PASSWORD to the value given for its password in step (2).

Next, we create a EBICS bank connection that nexus can use to communicate with the bank.


For the sandbox setup in this guide, the EBICS base URL is http://localhost:5000/ebicsweb.

$ libeufin-cli \
    connections \
      new-ebics-connection \
        --ebics-url $EBICS_BASE_URL \
        --host-id $EBICS_HOST_ID \
        --partner-id $EBICS_PARTNER_ID \
        --ebics-user-id $EBICS_USER_ID \

If the step above executed correctly, Nexus created all the cryptographic material that is needed on the client side; in this EBICS example, it created the signature and identification keys. It is therefore advisable to (4) make a backup copy of such keys.

$ libeufin-cli \
    connections \
      export-backup \
        --passphrase $SECRET \
        --output-file $BACKUP_FILE \

At this point, Nexus needs to both communicate its keys to the bank, and download the bank’s. This syncronization happens through the INI, HIA, and finally HPB message types.

After the electronic synchronization, the subscriber must confirm their keys by sending a physical mail to the bank. The following command helps generating such letter:

$ libeufin-cli connections get-key-letter $CONNECTION_NAME out.pdf


When using the LibEuFin sandbox, subscribers are automatically activated after keys are received electronically.

$ libeufin-cli \
    connections \
      sync \

Once the connection is synchronized, Nexus needs to import locally the data corresponding to the bank accounts offered by the bank connection just made. The command below downloads the list of the bank accounts offered by $CONNECTION_NAME.

$ libeufin-cli \
    connections \
      download-bank-accounts \

It is now possible to list the accounts offered by the connection.

$ libeufin-cli \
    connections \
      list-offered-bank-accounts \

Nexus now needs an explicit import of the accounts it should manage. This step is needed to let the user pick a custom name for such accounts.

$ libeufin-cli
    connections \
      import-bank-account \
        --offered-account-id testacct01 \
        --nexus-bank-account-id $LOCAL_ACCOUNT_NAME \

Once a Nexus user imported a bank account ($LOCAL_ACCOUNT_NAME) under a certain connection ($CONNECTION_NAME), it is possible to accomplish the usual operations for any bank account: asking for the list of transactions, and making a payment.

15.11.4. Request history of transactions

The LibEuFin nexus keeps a local copy of the bank account’s transaction history. Before querying transactions locally, it is necessary to request transactions for the bank account via the bank connection.

This command asks Nexus to download the latest transaction reports/statements through the bank connection:

$ libeufin-cli accounts fetch-transactions $LOCAL_ACCOUNT_NAME


By default, the latest available transactions are fetched. It is also possible to specify a custom date range (or even all available transactions) and the type of transactions to fetch (inter-day statements or intra-day reports).

Once Nexus stored all the information in the database, the client can ask to actually see the transactions:

$ libeufin-cli accounts transactions $LOCAL_ACCOUNT_NAME

15.11.5. Make a payment

Payments pass through two phases: preparation and submission. The preparation phase assigns the payment initiation a unique ID, which prevents accidental double submissions of payments in case of network failures or other disruptions.

The following command prepares a payment:

$ libeufin-cli accounts prepare-payment \
        --creditor-iban $IBAN_TO_SEND_MONEY_TO \
        --creditor-bic $BIC_TO_SEND_MONEY_TO \
        --creditor-name $CREDITOR_NAME \
        --payment-amount $AMOUNT \
        --payment-subject $SUBJECT \

Note: the $AMOUNT value needs the format X.Y:CURRENCY; for example 10:EUR, or 1.01:EUR.

The previous command should return a value ($UUID) that uniquely identifies the prepared payment in the Nexus system. That is needed in the next step, to send the payment instructions to the bank:

$ libeufin-cli accounts submit-payment \
      --payment-uuid $UUID \

15.11.6. Automatic scheduling

With an EBICS bank connection, the LibEuFin nexus needs to regularly query for new transactions and (re-)submit prepared payments.

It is possible to schedule these tasks via an external task scheduler such as cron. However, the nexus also has an internal task scheduling mechanism for accounts.

The following three commands create a schedule for submitting payments hourly, fetching transactions (intra-day reports) every 5 minutes, and (inter-day statements) once at 11pm every day :

$ libeufin-cli accounts task-schedule myacct \
    --task-cronspec='0 0 *'

$ libeufin-cli accounts task-schedule myacct \
    --task-type="fetch" \
    --task-name='fetch-5min' \
    --task-cronspec='0 */5 *' \
    --task-param-level=report \

$ libeufin-cli accounts task-schedule myacct \
    --task-type="fetch" \
    --task-name='fetch-daily' \
    --task-cronspec='0 0 23' \
    --task-param-level=statement \

The cronspec has the following format, which is slightly non-standard due to the SECONDS field


15.11.7. Restore the backup

The following command restores all the details associated with one bank connection subscription. For EBICS, this means that the INI and HIA secret keys will be restored for the requesting user.

$ libeufin-cli connection \ restore-backup
    --passphrase $SECRET \
    --backup-file $BACKUP_FILE \

15.11.8. Creating a Taler facade

Facades are additional abstraction layers that can serve specific purposes. For example, one application might need a filtered version of the transaction history, or it might want to refuse payments that do not conform to certain rules.

At this moment, only the Taler facade type is implemented in the Nexus, and the command below instantiates one under a existing bank account / connection pair.

$ libeufin-cli facades new-facade \
    --facade-name $FACADE_NAME \

At this point, the additional taler-wire-gateway (FIXME: link here to API here) API becomes offered by the Nexus. The purpose is to let a Taler exchange to rely on Nexus to manage its bank account.

15.11.9. Managing Permissions and Users

This guide has so far assumed that a superuser is accessing the LibEuFin Nexus. However, it is advisable that the Nexus is accessed with users that only have a minimal set of permissions.

The Nexus currently only has support for giving non-superusers access to Taler wire gateway facades.

To create a new user, use the users subcommand of the CLI:

$ libeufin-cli users list
# [ ... shows available users ... ]

$ libeufin-cli users create $USERNAME
# [ ... will prompt for password ... ]

Permissions are managed with the permissions subcommand. The following commands grant permissions to view the transaction history and create payment initiations with a Taler wire gateway facade:

$ libeufin-cli permissions grant \
   user $USERNAME \
   facade $FACADENAME \

$ libeufin-cli permissions grant \
   user $USERNAME \
   facade $FACADENAME \

The list of all granted permissions can be reviewed:

$ libeufin-cli permissions list