To start building with our APIs, you'll need to sign up for an account.
Here's what you do:
- Sign Up for an account.
- Check for an email from us within a couple of days. Click the email link.
- Follow the registration flow, then Log In.
To get your Client ID and Secret, you'll first need to Register an App in your API Keys workspace. Here's how:
Add A New App
API Keys is your workspace to add and manage your apps. To register a new app and get your Client ID and Secret, go to API Keys. Then, click Register a New App. You'll see a series of fields asking you about your app or product.
Here's a breakdown of the fields:
Name (Req.) - The name of your application.
Description (Opt.) - Enter a short description of what your application does.
Redirect URI (Opt.) - Identifies which URI the user is sent to after they're authenticated and is used to identify authentication calls.
App Icon (Opt.) - Displays the logo your users will see after they grant access or log in.
Client ID and Client Secret
Once your application is confirmed, you'll get your Client ID and Client Secret. Copy down this information and keep it in a secure place. Here's what your credentials do:
Important! Your Client ID and Client Secret identify you and are essential to protecting yourself and your customers. Keep them in a very safe place.
Before you can start testing our APIs, you'll need to authenticate with the Authorize API. There are two types of authentication: two-legged and three-legged. Here's the difference:
You'll use two-legged when Citi is not providing identifying information or financial history.
Example: Exchanging rewards or submitting product applications
APIs you can use:
PAY WITH POINTS
- Dive deeper into Two-Legged OAuth
Here's how Two-Legged OAuth works:
- Make a POST request with your Client ID/Client Secret (base64 encoded) and scopes to Citi servers. This tells Citi who you are and what APIs you're using.
- If the credentials pass, we'll send a response with an access token, which enables you to make further two-legged API calls.
- When your user takes an action that requires two-legged API calls, include your access token in the request.
You'll use three-legged when you need to access sensitive data from a specific customer.
Example: Checking balances or viewing personal information
APIs you can use:
- Dive deeper into Three-Legged OAuth
Three-Legged OAuth can be tricky. Here's more about how it works:
- Create a custom URL that redirects to a Citi login endpoint including the following parameters: your client ID, state, country, and scope.
- Once you've submitted the parameters, we'll ask your end-user to log in via the Citi portal.
- Once they've successfully logged in, we'll redirect them back to your redirect URL.
- Then, we pass the authentication code to you as a variable in the URL.
- You can then exchange the authentication code for an access token via a POST request.
Important! Access Tokens. Just like your Client ID and Client Secret, keep your access tokens well-guarded and hidden, and keep them away from your client interface.
Now it’s time to choose an API and start testing. Our API Documentation will show you how to format your HTTPS request.
Include your access token and the information needed for that API. From there, use the response for your application and you’re all set.
Now you can start building applications with our API sandbox data!
You're now up and running on Citi Developer Hub. But where do you go from here?
Submit for production
When you’re finished testing, you may want to submit your app for production. If it seems like we’d be a good fit, we’ll look into it and do some testing together. Then, we’ll talk about next steps to move to production.
To learn more, contact our sales team.