Authentication and authorization

OAuth 2.0 is a widely used authorization protocol. Our OAuth 2.0 implementation controls entry to our system and ensures that only authorized entities can access our APIs and other protected resources. The information you enter into our authentication system is confidential and can never be accessed by any other Cross River application.

Accessing Cross River APIs

Our system authenticates machine clients and authorizes them to talk to our APIs.

Authenticating your identity

The Cross River Integration Team provides you with a client_id and a client_secret that you use when requesting an access token. You can use a web-based tool, like Postman, to send API requests.

Important

Auth0 support has ended, in the sandbox environment as well. Please note the updated endpoints below:

Sandbox: https://idptest.crbcos.com/connect/token

Production: https://idp.crbcos.com/connect/token

HTTPS request components

HTTP component | Attribute     | Description
Endpoint       | POST /connect/token | Endpoint for retrieving an access token
Header         | content-type  | application/x-www-form-urlencoded
Body           | grant_type    | This field will always have a value of client_credentials
Body           | client_id     | The unique identifier for a client
Body           | client_secret | An encrypted string of characters used to sign and validate ID tokens.
               |               | Important: Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated. Do not commit your secrets into source control.
Body           | audience      | Identifies the intended recipient of the access token, so that recipient can check that a given token was issued for it.

Ways to acquire an access token

Sample call for an access token in cURL


Sample access token in cURL

curl --location --request POST 'https://idptest.crbcos.com/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[your id here]' \
--data-urlencode 'client_secret=[your secret here]' \
--data-urlencode 'audience=https://api.crbcos.com/'

Sample call for an access token in Postman


Detailed instructions for using Postman to create an access token.

Requesting Tokens Using Explorer

Go into the Explorer, click the down arrow next to your login, and click Copy Access Token.

The access token is copied to your clipboard and ready for use in the Test APIs.

Successful authentication and access token returned

When you've successfully authenticated, an access_token is returned to you. This access token authorizes your subsequent calls to our APIs, which exchange information as JSON objects. Add this token to the header of each of your API calls.

Important

Make sure to protect your token. Don’t log it. Anyone who steals your token can impersonate your client for the lifetime of the token.

Sample response from cURL request


Token Response

{
    "access_token": "xxxxx",
    "expires_in": 86400,
    "token_type": "Bearer"
}

Presenting Tokens

Presenting Tokens in the Request Header

In the header of each API request, the access token obtained should be included as follows:


API Request Header

Authorization: Bearer [your token here]

Sample call for wire payment in cURL


cURL

curl --location --request POST 'https://sandbox.crbcos.com/Wires/v1/payments' \
--header 'Authorization: Bearer [your token here]' \
--header 'Content-Type: application/json' \
--data-raw '{
  "accountNumber": "2255685659",
  "businessFunctionCode": "CTR",
  "receiverRoutingNumber": "021000021",
  "beneficiaryFi": {
    "idCode": "F",
    "identifier": "021000021",
    "name": "JP Morgan Chase"
  },
  "beneficiary": {
    "idCode": "D",
    "identifier": "123456789",
    "name": "Peter Griffin"
  },
  "beneficiaryReference": "XYZ123",
  "amount": 10000,
  "purpose": "payment"
}'

Presenting Tokens in Swagger

At the top of the Swagger screen, paste the token from the clipboard into the token field and click Explore. The token is now activated.

Note

Store the access token and reuse it until it expires; the token response specifies the expiration time in seconds (expires_in). Do not request a new token for every API request. It is recommended that you use the current token until you receive a 401 Unauthorized response, at which point you request a new token.
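The following Python client is an added example, not Cross River's own code or SDK. It performs the client_credentials request described in the HTTPS request components table (form-encoded POST to /connect/token with grant_type, client_id, client_secret and audience), caches the returned token until shortly before its expires_in deadline, sends it as the Authorization: Bearer header, and, as the note above recommends, requests a fresh token only when a call comes back 401 or the cached token is about to expire. Only the endpoint URLs, audience, form fields and header names come from the page; the TokenClient and FakeIdp names, the 60-second early-refresh margin, the injectable transport interface and the FakeIdp stand-in (which lets the script run offline) are assumptions.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

SANDBOX_TOKEN_URL = "https://idptest.crbcos.com/connect/token"   # endpoint from the page
AUDIENCE = "https://api.crbcos.com/"                              # audience from the page

def urllib_transport(method, url, headers, body):
    """Real HTTPS transport: transport(method, url, headers, body) -> (status, bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

@dataclass
class TokenClient:
    client_id: str
    client_secret: str = field(repr=False)    # keep the secret out of repr() and logs
    token_url: str = SANDBOX_TOKEN_URL
    audience: str = AUDIENCE
    transport: Callable = urllib_transport    # injectable so the example runs offline
    refresh_margin: int = 60                  # assumed: treat the token as stale this early
    clock: Callable[[], float] = time.time
    token_requests: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False, repr=False)

    def _fetch_token(self):
        """POST the form-encoded client_credentials request from the table; cache the result."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret, "audience": self.audience}).encode()
        status, raw = self.transport("POST", self.token_url,
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self.token_requests += 1
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")  # body not echoed
        payload = json.loads(raw)
        if payload.get("token_type") != "Bearer":
            raise RuntimeError("unexpected token_type")
        self._token = payload["access_token"]
        self._expires_at = self.clock() + int(payload["expires_in"]) - self.refresh_margin
        return self._token

    def access_token(self):
        """Reuse the cached token; request a new one only when missing or near expiry."""
        if self._token is None or self.clock() >= self._expires_at:
            return self._fetch_token()
        return self._token

    def call_api(self, method, url, json_body=None):
        """Send a Bearer-authenticated request; on 401, refresh the token once and retry."""
        body = json.dumps(json_body).encode() if json_body is not None else None
        headers = {"Content-Type": "application/json"} if body is not None else {}
        for attempt in range(2):
            headers["Authorization"] = f"Bearer {self.access_token()}"
            status, raw = self.transport(method, url, headers, body)
            if status != 401 or attempt == 1:
                return status, raw
            self._token = None   # rejected: drop the cache so the retry fetches a fresh token

class FakeIdp:
    """Constructed stand-in for the sandbox IdP plus one API, so the script runs offline."""
    def __init__(self, secret="s3cret", lifetime=86400):
        self.secret, self.lifetime, self.valid, self.issued = secret, lifetime, set(), 0

    def revoke_all(self):   # simulate server-side expiry of every issued token
        self.valid.clear()

    def __call__(self, method, url, headers, body):
        if url == SANDBOX_TOKEN_URL:
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != [self.secret]:
                return 400, b'{"error":"invalid_client"}'
            self.issued += 1
            token = f"tok-{self.issued}"
            self.valid.add(token)
            reply = {"access_token": token, "expires_in": self.lifetime, "token_type": "Bearer"}
            return 200, json.dumps(reply).encode()
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in self.valid:
            return 401, b""
        return 200, b'{"ok":true}'

if __name__ == "__main__":
    idp, api = FakeIdp(), "https://sandbox.crbcos.com/Wires/v1/payments"   # API URL from the page
    client = TokenClient("my-client", "s3cret", transport=idp)
    print(client.call_api("POST", api, {"amount": 10000}))      # fetches a token, then sends
    idp.revoke_all()                                            # server no longer accepts it
    print(client.call_api("GET", api), client.token_requests)   # 401 -> refresh -> 200; 2 requests
```

To run against the sandbox, construct TokenClient with your real client_id and client_secret and leave transport at its default; the refresh margin means a token advertised as valid for 86400 seconds is replaced after 86340, so a request never goes out with a token that expires in flight. The dataclass excludes the secret and the cached token from repr(), which is what keeps them out of an accidental log line.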