Citi Open Banking is a set of APIs that allows you to connect to core Citi financial functionality. You can use these APIs to enable a wide variety of products and features.
A basic token is used for authentication with all types of authorization requests, and a bearer token is used for post-authentication requests. For example:
- Basic base64(client_id:client_secret) (used for creating and interacting with Authorize APIs)
- Bearer access_token (used for all other resource APIs)
A Client Credential Grant is when your application merely needs to receive Citi data but not a customer’s—for example, you’re using the onboarding API to retrieve or submit credit card offers. In short, it lets us know that you’re a validated API consumer.
An Authorization Code Grant is when you need a customer’s permission to retrieve their data—such as their account information or transaction information.
You need to implement multi-factor authentication when you perform a high-risk transaction, such as making a money transfer.
For a detailed list of differences and which API domains require which type of token, take a look at our Authorize Documentation.
Token expiration depends on the type of token you’re using:
- Authcode (what you use to exchange for an access token)—120 seconds
- Access_token (what you need to call other APIs)—30 minutes
- Refresh_token (how you can programmatically refresh your access token)—30 days
Here are some common fixes:
- Check that your client_id and client_secret are correctly matched against the application you created
- Verify your Base64 encoding has been correctly formatted per the authorization documentation
- Ensure that Basic is prefixed to the encoded client_id and client_secret when making your token call
- Make sure that your access token is not invalidated or expired
If none of these help, please let us know.
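The checks in the list above can be run locally before a token call. The following is an added example, not Citi's code: the function names, the 30-second clock-skew margin and the demo credentials are assumptions made for illustration, while the token lifetimes are the ones stated above.

```python
import base64
import binascii
import time

# Lifetimes stated on this page, in seconds.
LIFETIMES = {"authcode": 120, "access_token": 30 * 60, "refresh_token": 30 * 24 * 3600}


def basic_header(client_id: str, client_secret: str) -> str:
    """Build the header value: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic_header(value: str, client_id: str) -> list:
    """Hypothetical helper: list the problems found in an Authorization value."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return ["missing 'Basic ' prefix"]
    try:
        # validate=True rejects stray characters such as a trailing newline
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ["credentials are not valid Base64"]
    found_id, sep, secret = decoded.partition(":")
    problems = []
    if not sep:
        problems.append("no ':' between client_id and client_secret")
    if found_id != client_id:
        problems.append("client_id does not match the application")
    if sep and (not secret or secret != secret.strip()):
        problems.append("client_secret is empty or has stray whitespace")
    return problems


def is_expired(kind: str, issued_at: float, now: float = None, skew: int = 30) -> bool:
    """True once a token is within `skew` seconds (assumed margin) of its lifetime."""
    now = time.time() if now is None else now
    return now >= issued_at + LIFETIMES[kind] - skew


if __name__ == "__main__":
    # Constructed demo credentials, not real ones.
    header = basic_header("demo-id", "demo-secret")
    print(check_basic_header(header, "demo-id"))
    print(is_expired("access_token", issued_at=time.time() - 1790))
```

Run the header check in a local script only, so the decoded client_secret never reaches application logs.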
As of Nov. 4, 2017, we only support TLS 1.2.