Get started

The first step to working with Cross River APIs is to submit a request for Sandbox access.

Fill in the Submit a Request form.

Make sure you fill in all the relevant fields. The more accurate the information you give us at this stage, the faster you'll be onboarded into our systems.

Include:

  • Your full name

  • The name of the company you work for/represent.

  • The URL of the official company website.

  • The location/address of your company.

  • A working telephone number including international dialing code.

  • Your static public IP address in IPv4 format (not hexadecimal format).

    Important

    You must have an allowlisted static public IP to access our products. Your internal IT department should be able to provide you with your static IP. For more information on static IPs see here.

Once we allowlist your static IP, we send you 2 encrypted emails with your COS credentials. One email with your client_id and one email with your client_secret. Your relationship manager will give you your partner_id.

If you are onboarding into the P2C system we'll also send you an encrypted email with your P2C credentials.

If you also need access to the COS Explorer contact your Cross River Relationship Manager. You'll need to give them the work emails of anyone you want to have access to the Explorer. We can't give access to generic email addresses such as info@companymail.com or dev@companymail.com.

OAuth 2.0 is a popular protocol for authorization. This controls entry to our system and ensures that only authorized entities can access our APIs and other protected resources. The information you enter into our authentication system is confidential and can never be accessed from any other Cross River applications.

Note

COS Users: We have changed our authentication provider. See the COS tab below for important information about the updated endpoints. If you have completed migration to Identity Server, no action is required.

Accessing Cross River APIs

Our system authenticates machine clients and authorizes them to talk to our APIs.

Authenticating your identity

The Cross River Integration Team provides you with a client_id  and a client_secret that you use when requesting an access token. You can use a web-based tool, like Postman, to send API requests.

Important

Call to action for existing users:

We have changed authentication providers from Auth0 to our internal Identity Server. Please note the updated endpoints below:

Sandbox:

https://idptest.crbcos.com/connect/token

Auth0 support in the sandbox environment has ended.

Production:

https://idp.crbcos.com/connect/token

Auth0 support has ended.

Generate your authentication token to access the COS Swagger and COS Explorer

HTTPS request components

HTTP component

Attribute

Description

Endpoint

POST /connect/token

Endpoint for retrieving an access token

Header

content-type

application/x-www-form- urlencoded

Body

grant_type

This field will always have a value of client_credentials

Body

client_id

The unique identifier for a client

Body

client_secret

An encrypted string of characters used to sign and validate ID tokens.

Important: Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated.
Do not commit your secrets into source control.

Body

audience

A way for the user to validate if a particular access token is meant for them.

How do I generate an access token?

Sample call for an access token in cURL

Copy

Sample access token in cURL

curl --location --request POST 'https://idptest.crbcos.com/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[your id here]' \
--data-urlencode 'client_secret=[your secret here]' \
--data-urlencode 'audience=https://api.crbcos.com/'

Using Postman to get an access token

Postman is an application that you can use to practice and test API calls. To start using our APIs in Postman, contact our Integration Team to get credentials.

Authenticate

After you receive credentials, create an HTTP request in Postman to get an access token.

  1. Go to My Workspace -> New -> HTTP Request.

  2. Give the new request a relevant name such as Get access token.

  3. Select POST from the API method dropdown and enter https://idptest.crbcos.com/connect/token

  4. Select Body and click x-www-form-urlencoded.

  5. Fill in these details

    Key Value
    grant_type client_credentials
    scope

    scope provided from the Integration Team

    client_id

    client_id provided from the Integration Team

    client_secret

    client_secret provided from the Integration Team

  6. Click Send.

    An access token is returned. Copy the token and use it to make API calls.

Requesting Tokens Using Explorer

The access token is copied to your clipboard and ready for use in the Test APIs.

Go into the Explorer, click the arrow down next your login, and click Copy Access Token.

Successful authentication and access token returned

When you've successfully authenticated, an access_token will be returned to you. This access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.

Important

Make sure to protect your token. Don’t log it. Anyone who steals your token can impersonate your client for the lifetime of the token.

Sample response from cURL request

Copy

Token Response

{
    "access_token": "xxxxx",
    "expires_in": 86400,
    "token_type": "Bearer"
}

Presenting Tokens

Presenting Tokens in the Request Header

In the header of each API request, the access token obtained should be included as follows:

Copy

API Request Header

Authorization: Bearer [your token here]

Sample call for wire payment in cURL

Copy

cURL

curl --location --request POST 'https://sandbox.crbcos.com/Wires/v1/payments' \
--header 'Authorization: Bearer your token here' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-raw '{
  "accountNumber": "2255685659",
  "businessFunctionCode": "CTR",
  "receiverRoutingNumber": "021000021",
  "beneficiaryFi": {
    "idCode": "F",
    "identifier": "021000021",
    "name": "JP Morgan Chase"
  },
  "beneficiary": {
    "idCode": "D",
    "identifier": "123456789",
    "name": "Peter Griffin"
  },
  "beneficiaryReference": "XYZ123",
  "amount": 10000,
  "purpose": "payment"
}'

Presenting Tokens in Swagger

In the top of the swagger screen, paste the token from the clipboard into the token field and click Explore. The token is now activated.

Note
  • The access token should be stored and used until it expires. The token response you receive specifies the expiration time in seconds.

  • It is recommended you use the current token until you receive a 401 unauthorized error. At that point you need to request a new token.

  • Do not request a new token for every API request.

Generate your authentication token to access the P2C Swagger

Note: See below for instructions on Authenticating directly to the P2C Swagger sites.

HTTP request components

HTTP component

Attribute

Description

Endpoint

POST /connect/token

Endpoint for retrieving an access token.

Header

content-type

application/x-www-form- urlencoded

Body

grant_type

This field will always have a value of client_credentials

Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated.

Body

client_id

The unique identifier for a client.

Body

client_secret

An encrypted string of characters used to sign and validate ID tokens.

Important: Don’t commit your secrets into source control.

Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated.

Body

scope

A specific range or a limited set of services that a user can access with an access token.

- If the required scope is missing, the subsequent API call will be returned as forbidden (403).

- If a scope isn't specified, the token returned will contain all scopes associated with your credentials.

Note: Multiple scopes can be sent in the same request by adding a space between the name of each scope.

For example: 'scope=scope1 scope2 scope3'

Sample call for an access token in cURL

Copy
Sample access token in cURL
curl --location --request POST 'https://oauthtest.crbnj.net/connect/token'
--header 'Content-Type: application/x-www-form-urlencoded'
-d 'grant_type=client_credentials'
-d 'scope=relevant scope'
-d 'client_id={xxx}'
-d 'client_secret={xxx}'

Sample call for an access token in Postman

Successful authentication and access token returned

When you've successfully authenticated, an access_token will be returned to you. This access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.

Important

Make sure to protect your token. Don’t log it. Anyone who steals your token can impersonate your client for the lifetime of the token.

Response attributes

access_token

A digitally signed JSON web token (JWT) sent from the OAuth server that allows access to specific Cross River resources.

scope

A range of services that a user can access.

expires_in

The amount of time until the token expires.

  • Our Integration Team will inform you of the expiration time or you can decode your encrypted access token as well.

  • We recommend that you retrieve a new access token a short time before the old token is set to expire.

  • Reuse tokens for their entire lifespan rather than get a new token for each call to the same protected resource (API).

IMPORTANT: Make sure to never decode your token on a publicly hosted website.

token_type

Bearer token.

Copy
Sample response
{
"access_token": {access token},
"expires_in": 3600,
"token_type": "Bearer",
"scope": "relevant-scope",
}

Sample Postman access token return

If the authentication is successful, the Status code is OK.

Authenticating directly to the P2C Swagger sites

  1. In your browser, open https://pushtopaystaging.crbnj.net (for Push API collection); or https://pullfromcardapistg.crbcloud.com (for Pull API collection).

  2. Open an API branch, for example, Transactions.

  3. Click on an API endpoint, for example, GET /api/transaction.

  4. In the upper-right portion of the endpoint display, click the red-encircled exclamation point (!).

  5. Select the crbapi checkbox.

  6. Click the Authorize button.

URLs for our sandbox and production environments

Sandbox URL: https://oauthtest.crbnj.net/connect/token

Production URL: https://oauth.crbnj.net/connect/token

Troubleshooting

You can test the authorization and authentication into our systems with this endpoint, GET /api/SignupCard/TestOauth. If the authentication token is valid, it will return a 200. If the authentication token isn't valid, it will return a 401.

If you can't get a bearer token and you haven't received one in the past:

  • Confirm the URL.

  • Check that the client_id and client_secret are typed correctly. They are case sensitive.

  • Check your client_id and client_secret against the one you received.

  • Make sure there are no network or allowlist issues.

Contact our Integration Team if your account is locked as a result of 3 incorrect log in attempts.

Generate your authentication token to access the Arix Swagger

HTTP component

Attribute

Description

Endpoint

POST /connect/token

Endpoint for retrieving an access token

Header

content-type

application/x-www-form- urlencoded

Body

grant_type

This field will always have a value of client_credentials

Secrets cannot be recovered by CR. If you lose a secret, a new one must be generated.

Body

scope

A specific range of services that a user can access.

- If the required scope is missing the subsequent API call will be returned as forbidden (403).

- If a scope isn't specified, the token returned will contain all scopes associated with your credentials.

Note
Multiple scopes can be sent in the same request by adding a space between the name of each scope. For example: 'scope=scope1 scope2 scope3'

Body

client_id

The unique identifier for a client

Body

client_secret

An encrypted string of characters used to sign and validate ID tokens.

Important
Do not commit your secrets into source control

Sample access token request in cURL

Copy

cURL

curl --location --request POST 'https://oauthtest.crbnj.net/connect/token'
--header 'Content-Type: application/x-www-form-urlencoded'
-d 'grant_type=client_credentials'
-d 'scope=relevant scope'
-d 'client_id={xxx}'
-d 'client_secret={xxx}'

Sample access token request in Postman

Successful authentication and access token returned

When you've successfully authenticated, an access_token will be returned to you. The access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.

Important
Protect your token. Don’t log them. Anyone who steals your token can impersonate your client for the lifetime of the token.

Attribute

Description

access_token

A digitally signed JSON web token (JWT) sent from the oAuth server that allows access to specific Cross River resources

scope

A range of services that a user can access

expires_in

The amount of time until the token expires.

- Our Integration Team will inform you of the expiration time or you can decode your access token as well.

- We recommend that you retrieve a new access token a short time before the old token is set to expire.

- Reuse tokens for their entire lifespan rather than getting a new token for each call to the same protected resource (API).

Important
Never decode your token on a publicly hosted website

token-type

Bearer token

Sample access token returned in Postman

If the authentication is successful, the Status code is OK.

Sandbox URL: https://oauthtest.crbnj.net/connect/token

Troubleshooting

You can test the authorization and authentication into our systems with this endpoint,
GET /api/SignupCard/TestOauth.

If the authentication token is valid, it will return a 200. If the authentication token isn't valid, it will return a 401.

If you unable to get a bearer token and you haven't received one in the past:

  • Confirm the URL.

  • Check that the client_id and client_secret are typed correctly. They are case sensitive.

  • Check your client_id and client_secret against the one you received.

  • Make sure there are no network or allowlist issues.

Contact our Integration Team if your account is locked as a result of 3 incorrect log in attempts.

The request and response models for Cross River products are available in our Swagger.

Note

Your static public IP address must be allowlisted by Cross River to access Swagger.

COS is a collection of REST APIs that let you design and manage unique financial products. COS is designed to be an API driven banking core with no legacy systems getting in the way. We give you the same tools to build your product that we use internally.

We have a full sandbox to explore the API. The sandbox is a completely isolated environment, so feel free to experiment. When you're ready to move to production, we will provision you production credentials and give you access to the live environment.

Status Page

To see a list of upcoming releases, monitor current API status, view incident reports, or get notified of scheduled maintenance, visit our status page and subscribe to alerts.

Push-to-Card has its own collection of APIs that require a separate authentication key and integration.

Status Page

To see a list of upcoming releases, monitor current API status, view incident reports, or get notified of scheduled maintenance, visit our status page and subscribe to alerts.

Arix includes a robust set of API calls to allow you to create, update, and manage your loans.

You can use cURL from the command line or a service such as Postman in our sandbox to test the API calls.

Status Page

To see a list of upcoming releases, monitor current API status, view incident reports, or get notified of scheduled maintenance, visit our status page and subscribe to alerts.

Note

In Swagger if you click Model you can see the parameter details.