This is the recommended implementation pattern for the parent application to handle all PostMessage events securely and consistently.

window.addEventListener('message', (event) => {
  if (event.origin !== 'https://your-expected-origin.com') return;

  switch (event.data.event) {
    case 'CR:INVALID_TOKEN':
    case 'CR:INVALID_DOMAIN':
      redirectToLogin();
      break;

    case 'CR:SESSION_EXPIRED':
      refreshSession();
      break;

    case 'CR:CARD_REGISTRATION_SUBMITTED':
      showLoadingIndicator();
      break;

    case 'CR:CARD_REGISTRATION_SUCCESS':
      hideLoadingIndicator();
      showSuccessMessage();
      break;

    case 'CR:CARD_REGISTRATION_ERROR':
      hideLoadingIndicator();
      showErrorMessage();
      break;

    case 'CR:GENERAL_ERROR':
      showGeneralErrorMessage();
      break;

    default:
      console.warn('Unhandled event type:', event.data.event);
  }
});

Always verify the event origin using event.origin to ensure messages are coming from trusted sources

Avoid executing dynamic code or unsafe actions based on event payloads

Treat all message data as untrusted input unless validated

postMessage events

Implementation pattern

Fair banking is the principle and practice of providing equal and non-discriminatory access to financial services, ensuring that decisions by banks are based on objective risk rather than political, religious, or ideological affiliations.

Fair_Banking

Fair_Lending

Account Funding Transaction.  Pull funds from a debit card for specific purposes. Use an AFT to fund a wallet or prepaid card, or to initiate a person-to-person (P2P) transfer through the card network rails. AFTs are not allowed for purchases.

A 32-character hexadecimal string with hyphens, such as 123e4567-e89b-12d3-a456-426655440000 used as a unique identified. Sometimes called a UUID.

GUID

Know Your Business processes verify legitimacy business entities and their ownership structures to prevent financial crime and comply with regulations. KYB requires information including company registrations and operational activities. See also KYC.

Know Your Customer processes verify the identity of an individual customer to prevent financial crime and comply with regulations. KYC uses personal details and identity documents for this verification.

A GUID assigned to you by Cross River. This ID is required for some API calls.

Partner_ID

The automated lending platform from Cross River that includes services such as Preapproval, Oversight, Arix Origination and Funding, Selling, and Hooks.

Lending

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Also known as PII.

Personally_Identifiable_Information

These are contracts for monetary assets that can be purchased, traded, created, modified, or settled for. In terms of contracts, there is a contractual obligation between involved parties during a financial instrument transaction.

financial_instrument

Interest Rate Cards are pre-configured interest rate profiles that can be assigned to specific accounts on demand.

rate_card

A financial institution holding a principal license with a Card Network has the right to issue cards itself and sponsor other institutions (fintechs) to issue on its behalf (BIN sponsorship). Affiliate/Associate members cannot offer BIN sponsorship.

Principal_member

A 6 or 8 digit number assigned by the card networks for card issuing and functions as the first 6 or 8 digits on the card itself. The BIN identifies the bank that is responsible for issuing the program and handling daily settlement with the Network.

Card_BIN

A solution that allows partners to offer card solutions without requiring a direct relationship with the card networks. The bank acts as an intermediary while allowing partners to use its bank identification numbers (BIN). 

BIN_sponsorship

Politically Exposed Person is an individual who holds a prominent public position, or has done so in the recent past and is subject to a higher level of scrutiny due to an increased risk of involvement in bribery, corruption, and money laundering.

Office of Foreign Assets Control. Part of the US Department of the Treasury that administers and enforces economic and trade sanctions based on US foreign policy and national security goals.

OFAC

Move funds internally between accounts. The transfer requires both a debit and credit account and can be either a master account or sub-ledger, or any combination of the two.  Can be made via API calls or for non-API Partners on the COS Explorer.

book_transfer

This is where the financial institution verifies the member has the funds needed before they are transferred to the receiver.

Good_Funds_Model

An instant payment service developed and operated by the Federal Reserve for financial institutions in the United States, which allows individuals and businesses to send and receive money.

FedNow

A payment processing network used to send money electronically between banks in the US. Available year round, it transfers funds between 2 banks account instantaneously. Processes on bank holidays and weekend and after business hours.

A merchant category code (MCC) is a four-digit number used for retail financial services to classify a business by the types of goods or services it provides. Codes are specified by the ISO 18245 standard.

Card Acceptor ID. An internal identifier assigned to your business by your Acquirer when creating the merchant account used for financial processing.

CAID

Business Application Identifier, used by merchants in card payments

The automated loan validation and funding software from Cross River

Arix

Mobile Deposit Capture is the process of submitting a check electronically using a smartphone

Input Message Accountability Data. A unique number given to each FedWire payment when using the Federal Reserver Bank Service and can be used to investigate and track wire transfers.

IMAD

Notification of Change.  The purpose of an NOC is to identify and communicate incorrect information within an ACH entry, such as account numbers or transit and routing number. Sent by a RDFI to the ODFI and the Originator via their ACH Operator.

A global financial messaging standard for electronic payments. It enhances interoperability across financial systems, improves payment processing efficiency and supports compliance by providing detailed transaction information.

ISO20022

A SWIFT Code is a standard format of Bank Identifier Code (BIC) used to specify a particular bank or branch. These codes are used when transferring money between banks, particularly for international wire transfers.

SWIFT

Receiving Depository Financial Institution. All ODFIs must also agree to act as an RDFI to receive ACH payments. An RDFI receives entries directly or indirectly from its ACH Operator for debit or credit to the accounts of its customers.

RDFI

Originating Depository Financial Institution. It has the authority to initiate ACH transactions on behalf of its customers. ODFIs ensure compliance with regulatory standards and securely transmit payment instructions to the ACH network

ODFI

 National Automated Clearing House Association. Nacha governs the ACH Network, the payment system that drives Direct Deposits and Direct Payments with the capability to reach all U.S. bank and credit union accounts

Nacha

International ACH Transaction. A Nacha SEC code.

A uniquely configured financial product you offer your customers. For example, a debit card or a savings account, configured according to your needs and specifications, are product types.

product_type

Bank Identification Number. A unique identifier used in payment card transactions.

COS_Explorer

relationshipmanager

Cross River guides provide details about our products

guide

var_miha

new_var_2

new_mih_var

mih_var

This is a plain text that will be inserted in an expandable heading for using this raw as an exampl

testheight

available

testulet

testvar

altscenario

This is a plain text that will be inserted in an expandable heading for using this raw as an example

scenario

exemplu

variabila

Archbee

text

test

specific

refresh_token

YourBank

MyBank

variable_test_video

variable123

silviu

Bogdan_test

ferwhethgte

target1

google

support

product_name

Sample cards for testing

APIs

APIs intro