Get started
The first step to working with Cross River APIs is to submit a request for Sandbox access.
Fill in the Submit a Request form.
Make sure you fill in all the relevant fields. The more accurate the information you give us at this stage, the faster you'll be onboarded into our systems.
Include:
-
Your full name
-
The name of the company you work for/represent.
-
The URL of the official company website.
-
The location/address of your company.
-
A working telephone number including international dialing code.
-
Your static public IP address in IPv4 format (not hexadecimal format).
ImportantYou must have an allowlisted static public IP to access our products. Your internal IT department should be able to provide you with your static IP. For more information on static IPs see here.
Once we allowlist your static IP, we send you 2 encrypted emails with your COS credentials. One email with your client_id and one email with your client_secret). Your relationship manager will give you your partner_id.
If you are onboarding into the P2C system we'll also send you an encrypted email with your P2C credentials.
If you also need access to the COS Explorer contact your Cross River Relationship Manager. You'll need to give them the work emails of anyone you want to have access to the Explorer. We can't give access to generic email addresses like info@companymail.com or dev@companymail.com.
OAuth 2.0 is a popular protocol for authorization. This controls entry to our system and ensures that only authorized entities can access our APIs and other protected resources. The information you enter into our authentication system is confidential and can never be accessed from any other Cross River applications.
Accessing Cross River APIs
Our system authenticates machine clients and authorizes them to talk to our APIs.
Authenticating your identity
The Cross River Integration Team provides you with a client_id and a client_secret that you use when requesting an access token. You can use a web-based tool, like Postman, to send API requests.
Generate your authentication token to access the COS Swagger and COS Explorer
HTTPS request components
|
HTTP component |
Attribute |
Description |
|---|---|---|
|
Endpoint |
|
Endpoint for retrieving an access token |
|
Header |
|
|
|
Body |
|
This field will always have a value of |
|
Body |
|
The unique identifier for a client |
|
Body |
|
An encrypted string of characters used to sign and validate ID tokens. Important: Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated. |
|
Body |
|
A way for the user to validate if a particular access token is meant for them. |
How do I generate an access token?
Sample call for an access token in cURL
Sample access token in cURL
curl --location --request POST 'https://crbcos-sandbox.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[your id here]' \
--data-urlencode 'client_secret=[your secret here]' \
--data-urlencode 'audience=https://api.crbcos.com/'Using Postman to get an access token
Postman is an application that you can use to practice and test API calls. To start using our APIs in Postman, contact our Integration Team to get credentials.
Authenticate
After you receive credentials, create an HTTP request in Postman to get an access token.
-
Go to My Workspace -> New -> HTTP Request.
-
Give the new request a relevant name such as Get access token.
-
Select
POSTfrom the API method dropdown and enter https://crbcos-sandbox.auth0.com/oauth/token -
Select Body and click
x-www-form-urlencoded. -
Fill in these details
Key Value grant_typeclient_credentialsscopescopeprovided from the Integration Teamclient_idclient_idprovided from the Integration Teamclient_secretclient_secretprovided from the Integration Team -
Click Send.
An access token is returned. Copy the token and use it to make API calls.
Requesting Tokens Using Explorer
The access token is copied to your clipboard and ready for use in the Test APIs.
Go into the Explorer, click the arrow down next your login, and click Copy Access Token.
Successful authentication and access token returned
When you've successfully authenticated, an access_token will be returned to you. This access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.
Make sure to protect your token. Don’t log it. Anyone who steals your token can impersonate your client for the lifetime of the token.
Sample response from cURL request
Presenting Tokens
Presenting Tokens in the Request Header
In the header of each API request, the access token obtained should be included as follows:
Sample call for wire payment in cURL
cURL
curl --location --request POST 'https://sandbox.crbcos.com/Wires/v1/payments' \
--header 'Authorization: Bearer your token here' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-raw '{
"accountNumber": "2255685659",
"businessFunctionCode": "CTR",
"receiverRoutingNumber": "021000021",
"beneficiaryFi": {
"idCode": "F",
"identifier": "021000021",
"name": "JP Morgan Chase"
},
"beneficiary": {
"idCode": "D",
"identifier": "123456789",
"name": "Peter Griffin"
},
"beneficiaryReference": "XYZ123",
"amount": 10000,
"purpose": "payment"
}'Presenting Tokens in Swagger
In the top of the swagger screen, paste the token from the clipboard into the token field and click Explore. The token is now activated.
-
The access token should be stored and used until it expires. The token response you receive specifies the expiration time in seconds.
-
It is recommended you use the current token until you receive a 401 unauthorized error. At that point you need to request a new token.
-
Do not request a new token for every API request.
Generate your authentication token to access the P2C Swagger
HTTP request components
|
HTTP component |
Attribute |
Description |
|---|---|---|
|
Endpoint |
|
Endpoint for retrieving an access token. |
|
Header |
|
|
|
Body |
|
This field will always have a value of Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated. |
|
Body |
|
The unique identifier for a client. |
|
Body |
|
An encrypted string of characters used to sign and validate ID tokens. Important: Don’t commit your secrets into source control. Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated. |
|
Body |
|
A specific range or a limited set of services that a user can access with an access token. - If the required scope is missing, the subsequent API call will be returned as forbidden (403). - If a scope isn't specified, the token returned will contain all scopes associated with your credentials. Note: Multiple scopes can be sent in the same request by adding a space between the name of each scope. For example: 'scope=scope1 scope2 scope3' |
Sample call for an access token in cURL
curl --location --request POST 'https://crbcos-sandbox.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[your id here]' \
--data-urlencode 'client_secret=[your secret here]' \
--data-urlencode 'audience=https://api.crbcos.com/'Sample call for an access token in Postman
Successful authentication and access token returned
When you've successfully authenticated, an access_token will be returned to you. This access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.
Make sure to protect your token. Don’t log it. Anyone who steals your token can impersonate your client for the lifetime of the token.
Response attributes
|
access_token |
A digitally signed JSON web token (JWT) sent from the oAuth server that allows access to specific Cross River resources. |
|
scope |
A range of services that a user can access. |
|
expires_in |
The amount of time until the token expires.
IMPORTANT: Make sure to never decode your token on a publicly hosted website. |
|
token_type |
Bearer token. |
{
"access_token": {access token},
"expires_in": 3600,
"token_type": "Bearer",
"scope": "relevant-scope",
}Sample Postman access token return
If the authentication is successful, the Status code is OK.
Sandbox URL: https://oauthtest.crbnj.net/connect/token
Troubleshooting
You can test the authorization and authentication into our systems with this endpoint, GET /api/SignupCard/TestOauth. If the authentication token is valid, it will return a 200. If the authentication token isn't valid, it will return a 401.
If you can't get a bearer token and you haven't received one in the past:
-
Confirm the URL.
-
Check that the
client_idandclient_secretare typed correctly. They are case sensitive. -
Check your
client_idandclient_secretagainst the one you received. -
Make sure there are no network or allowlist issues.
Contact our Integration Team if your account is locked as a result of 3 incorrect log in attempts.
Generate your authentication token to access the Arix Swagger
|
HTTP component |
Attribute |
Description |
|---|---|---|
|
Endpoint |
|
Endpoint for retrieving an access token |
|
Header |
|
|
|
Body |
|
This field will always have a value of Secrets cannot be recovered by CR. If you lose a secret, a new one must be generated. |
|
Body |
|
A specific range of services that a user can access. - If the required scope is missing the subsequent API call will be returned as forbidden (403). - If a scope isn't specified, the token returned will contain all scopes associated with your credentials. Note
Multiple scopes can be sent in the same request by adding a space between the name of each scope. For example: 'scope=scope1 scope2 scope3' |
|
Body |
|
The unique identifier for a client |
|
Body |
|
An encrypted string of characters used to sign and validate ID tokens. Important
Do not commit your secrets into source control |
Sample access token request in cURL
cURL
curl --location --request POST 'https://oauthtest.crbnj.net/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials' \
-d 'scope=relevant scope' \
-d 'client_id={xxx}' \
-d 'client_secret={xxx}'Sample access token request in Postman
Successful authentication and access token returned
When you've successfully authenticated, an access_token will be returned to you. The access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.
Protect your token. Don’t log them. Anyone who steals your token can impersonate your client for the lifetime of the token.
|
Attribute |
Description |
|---|---|
|
|
A digitally signed JSON web token (JWT) sent from the oAuth server that allows access to specific Cross River resources |
|
|
A range of services that a user can access |
|
|
The amount of time until the token expires. - Our Integration Team will inform you of the expiration time or you can decode your access token as well. - We recommend that you retrieve a new access token a short time before the old token is set to expire. - Reuse tokens for their entire lifespan rather than getting a new token for each call to the same protected resource (API). Important
Never decode your token on a publicly hosted website |
|
|
Bearer token |
Sample access token returned in Postman
If the authentication is successful, the Status code is OK.
Sandbox URL: https://oauthtest.crbnj.net/connect/token
Troubleshooting
You can test the authorization and authentication into our systems with this endpoint, GET /api/SignupCard/TestOauth.
If the authentication token is valid, it will return a 200. If the authentication token isn't valid, it will return a 401.
If you unable to get a bearer token and you haven't received one in the past:
-
Confirm the URL.
-
Check that the
client_idandclient_secretare typed correctly. They are case sensitive. -
Check your
client_idandclient_secretagainst the one you received. -
Make sure there are no network or allowlist issues.
Contact our Integration Team if your account is locked as a result of 3 incorrect log in attempts.
The request and response models for Cross River products are available in our Swagger.
Your static public IP address must be allowlisted by Cross River to access Swagger.
COS is a collection of REST APIs that let you design and manage unique financial products. COS is designed to be an API driven banking core with no legacy systems getting in the way. We give you the same tools to build your product that we use internally.
We have a full sandbox to explore the API. The sandbox is a completely isolated environment, so feel free to experiment. When you're ready to move to production, we will provision you production credentials and give you access to the live environment.
-
ACH
-
Wires
-
Core
-
Webhooks
-
RTP
-
Card Management
https://sandbox.crbcos.com/cardmanagement/swagger/ui/index#/
Status Page
To see a list of upcoming releases, monitor current API status, view incident reports, or get notified of scheduled maintenance, visit our status page and subscribe to alerts.
Push-to-Card has its own collection of APIs that require a separate authentication key and integration.
Status Page
To see a list of upcoming releases, monitor current API status, view incident reports, or get notified of scheduled maintenance, visit our status page and subscribe to alerts.
Arix includes a robust set of API calls to allow you to create, update, and manage your loans.
You can use cURL from the command line or a service such as Postman in our sandbox to test the API calls.
-
The base URL for Loan origination API calls to the Arix Sandbox environment is https://arixapisandbox.crbnj.net
-
The full API Swagger reference documentation is available at this URL https://arixapisandbox.crbnj.net/swagger-ui.
-
The base URL for Sandbox of Application Decisioning is https://lendingsandbox.crbcos.com/preapproval/v1
-
The Swagger link for Hooks is https://lendingsandbox.crbcos.com/hooks/swagger/index.html
Status Page
To see a list of upcoming releases, monitor current API status, view incident reports, or get notified of scheduled maintenance, visit our status page and subscribe to alerts.
In Swagger if you click Model you can see the parameter details.
