Frequently Asked Questions


What is Citi Open Banking?

Citi Open Banking is a set of APIs that allows you to connect to core Citi financial functionality. You can use these APIs to enable a wide variety of products and features.

What kind of data and access do I get?
Once you create an account on the Developer Hub, you can access the Sandbox. There you can make API calls that mimic our production environments. In the Sandbox, we use mock data so that you can prototype your application as if it were the real thing.
What functionality is available in the sandbox?
Functionality in the Sandbox varies by region. However, we provide simulated access to our points platform, customer profiles, accounts and transactions for everyone. Check out our API Catalog and documentation to see what’s available in your region.
What does it cost to use the Developer Hub?
There are no fees to access the Sandbox. If you wish to move to production, we can discuss next steps and pricing then. 
I have an idea for an API that would really enable my product. Can Citi help me?
We’re always looking for new ways to use our APIs for innovative solutions in the financial technology space. If you have an idea, we’d love to hear it.
I want to access the Sandbox. How do I create an account?
To access the Sandbox, you just need to create an account on Citi Developer Hub. Submit the form and we’ll email you an invitation, then follow the link inside the email and you’ll be redirected to the Developer Hub. The link expires in seven days so be sure to use it. Also, sometimes our email ends up in the spam folder, so be on the lookout.
What do I do if I never received an activation email or the activation link expired?
If you never received an activation email, or your activation link expired, let us know at apidevsupport@citi.com. We’ll try to get back to you as soon as possible.
How do I get a new password?

If you forgot your password or just want to change it, we can help.

What is an “application,” and how many can I register?
Think of an application as your API key and secret management. It’s what determines your three-legged OAuth display and enables you to retrieve access tokens. You can register as many as you like.
Does my application determine in what market I will implement APIs?
Your secret and client ID can access any market — just be sure to pay attention to the “Authorize” API for that region, as you have to retrieve tokens against the market you want to integrate against.
How do I move my application to production?
Once you’ve done some testing and have a valid prototype or idea worked out, let us know. If everything checks out, we’ll contact you with next steps.
Do I need a certificate to work in the Sandbox? What about production?
You don’t need a CA-signed certificate to prototype in the Sandbox. To create and test an idea quickly, developers sometimes use a self-signed certificate so they can still work within the HTTPS scheme. For production, we’ll provide a certificate and require a TLS 1.2 implementation.
What system of authorization do you use for your APIs, and how do I get authorized to make calls?
We use a standard OAuth 2.0 scheme for authorization. To make calls, check out our Authorize Documentation to get information on implementing a two-legged and three-legged OAuth flow.
How do I base-encode my client_id and client_secret?
Most programming languages have Base64 encoding built in or readily available as a library. When coding your business logic on your app server, we recommend Base64-encoding your client_id and client_secret in-application at runtime rather than storing the encoded value as a static string. If you’re looking to prototype quickly, there are online encoding tools that can help you get running, which can be found with a quick search; use them only with Sandbox credentials, since anything pasted into a third-party tool should be treated as disclosed.
What is the difference between bearer and basic tokens?

Basic credentials are used to authenticate your application on every request to the Authorize APIs (the requests that issue tokens), and a bearer token is used on the requests you make after authentication. For example:

  • Basic base64 (client_id:client_secret) (used for creating and interacting with Authorize APIs)
  • Bearer access_token (used for all other resource APIs)
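The two header shapes above, as an added example that is not part of the original FAQ or any Citi SDK: it builds the Basic header from a client_id and client_secret at runtime (never from a stored pre-encoded string), builds the Bearer header from an access token, and includes a small checker that reports the usual causes of a malformed Basic header (missing "Basic " prefix, invalid Base64, or a payload that does not decode to client_id:client_secret). The credential values are constructed samples.

```python
import base64
import binascii

# Constructed sample credentials for illustration; real values come from the
# application you register on the Developer Hub.
SAMPLE_CLIENT_ID = "example-client-id"
SAMPLE_CLIENT_SECRET = "example-client-secret"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header for calls to the Authorize (token) APIs.

    The value is "Basic " followed by Base64(client_id:client_secret),
    computed at runtime rather than stored as a pre-encoded string.
    """
    if ":" in client_id:
        # RFC 7617 forbids a colon in the user-id part: the server splits the
        # decoded string on the first colon, so an embedded colon would corrupt
        # the credential.
        raise ValueError("client_id must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_auth_header(access_token: str) -> str:
    """Build the Authorization header for resource API calls."""
    return "Bearer " + access_token


def check_basic_header(header: str) -> list:
    """Return a list of problems found in a Basic Authorization header value.

    Each check corresponds to a common cause of a 401 on the token call:
    missing 'Basic ' prefix, malformed Base64, or a payload that does not
    decode to client_id:client_secret. An empty list means the header is
    well formed.
    """
    problems = []
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        problems.append("scheme is not 'Basic'")
    if not payload:
        problems.append("no credential payload after the scheme")
        return problems
    try:
        # validate=True rejects characters outside the Base64 alphabet instead
        # of silently discarding them.
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        problems.append("payload is not valid Base64")
        return problems
    if ":" not in decoded:
        problems.append("decoded payload is not client_id:client_secret")
    return problems


if __name__ == "__main__":
    header = basic_auth_header(SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET)
    print(header)
    print(check_basic_header(header))
    # A raw, unencoded client_id after "Basic" is reported as invalid Base64.
    print(check_basic_header("Basic " + SAMPLE_CLIENT_ID))
```

The checker is meant for your own integration tests, not for production request paths: it exists to tell you which of the 401 checklist items applies before you open a support ticket.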
How do I test the APIs before implementing them?
Our documentation pages allow in-browser testing. Simply pre-populate the data using the documentation prompts and insert missing fields from your application or access token information. Once all the fields are filled, you’re ready to test.
I’m trying to get a token but don’t know which one to retrieve — what’s the difference between a Client Credential Grant and an Authorization Code Grant?

A Client Credential Grant is when your application merely needs to receive Citi data but not a customer’s—for example, you’re using the onboarding API to retrieve or submit credit card offers. In short, it lets us know that you’re a validated API consumer.

An Authorization Code Grant is when you need a customer’s permission to retrieve their data—such as their account information or transaction information.

You need to implement multi-factor authentication when you perform a high-risk transaction, such as making a money transfer.

For a detailed list of differences and which API domains require which type of token, take a look at our Authorize Documentation.

How do I get test data for accessing APIs?
We supply standard test accounts on our Authorize page, each with different types of mock-customer data stored on it. If you need specific test data for an account, please get in touch with the event host and they’ll supply you with the correct log-in information. If you have test data that you’d like to see here, let us know.
When do tokens expire?

Token expiration depends on the type of token you’re using:

  • Authcode (what you use to exchange for an access token)—120 seconds
  • Access_token (what you need to call other APIs)—30 minutes
  • Refresh_token (how you can programmatically refresh your access token)—30 days
I keep receiving a 401 ‘Unauthorized’ response. What can I do to resolve it?

Here are some common fixes:

  • Check that your client_id and client_secret are correctly matched against the application you created
  • Verify your Base64 encoding has been correctly formatted per the authorization documentation
  • Ensure that "Basic " is prefixed to the encoded client_id and client_secret when making your token call
  • Make sure that your access token has not been invalidated or expired

If none of these help, please let us know.
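Added example, not part of the original FAQ or any Citi SDK, covering the token lifetimes listed under "When do tokens expire?" and the expiry item in the 401 checklist above: a small token-set tracker that records when tokens were issued, applies the 120-second, 30-minute and 30-day lifetimes, and decides whether the next step is a resource call, a refresh, or a fresh authorization. The one-minute safety margin and the way a refresh response is handled are assumptions labelled in the code; the page says nothing about whether a refresh returns a new refresh token.

```python
from dataclasses import dataclass
from typing import Optional

# Lifetimes as listed in the FAQ, in seconds.
AUTHCODE_TTL = 120
ACCESS_TOKEN_TTL = 30 * 60
REFRESH_TOKEN_TTL = 30 * 24 * 60 * 60

# Assumed safety margin (not from the page): treat a token as expired slightly
# early so it does not lapse between the local check and the resource call.
CLOCK_SKEW_MARGIN = 60


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: float      # Unix time the refresh token was issued
    refreshed_at: float   # Unix time the current access token was issued

    def access_valid(self, now: float) -> bool:
        """Access tokens live 30 minutes from the moment they were issued."""
        return now < self.refreshed_at + ACCESS_TOKEN_TTL - CLOCK_SKEW_MARGIN

    def refresh_valid(self, now: float) -> bool:
        """Refresh tokens live 30 days from the moment they were issued."""
        return now < self.issued_at + REFRESH_TOKEN_TTL - CLOCK_SKEW_MARGIN


def authcode_still_exchangeable(code_received_at: float, now: float) -> bool:
    """The authorization code must be exchanged within 120 seconds of receipt."""
    return now - code_received_at < AUTHCODE_TTL


def next_action(tokens: Optional[TokenSet], now: float) -> str:
    """Decide what to do before calling a resource API.

    'call'      -> access token still valid, send it as a Bearer header
    'refresh'   -> access token expired but refresh token still valid
    'authorize' -> nothing usable, run the authorization flow again
    A 401 received while this returns 'call' points at one of the other
    checklist items (credentials, encoding, Basic prefix), not at expiry.
    """
    if tokens is None:
        return "authorize"
    if tokens.access_valid(now):
        return "call"
    if tokens.refresh_valid(now):
        return "refresh"
    return "authorize"


def after_refresh(tokens: TokenSet, new_access_token: str, now: float,
                  new_refresh_token: Optional[str] = None) -> TokenSet:
    """Record the outcome of a refresh call.

    Assumption (not stated on the page): if the refresh response carries a new
    refresh token, its 30-day clock restarts; otherwise the original refresh
    token keeps its original issue time.
    """
    if new_refresh_token is not None:
        return TokenSet(new_access_token, new_refresh_token, now, now)
    return TokenSet(new_access_token, tokens.refresh_token, tokens.issued_at, now)


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    tokens = TokenSet("access-1", "refresh-1", t0, t0)
    print(next_action(tokens, t0 + 10))               # call
    print(next_action(tokens, t0 + 29 * 60 + 30))     # refresh
    print(next_action(tokens, t0 + 31 * 24 * 3600))   # authorize
```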

Why do I keep receiving a “429” response?
In the Sandbox, we cap the number of API calls you can make in a given period of time. Simply wait a minute and try again. If the issue persists, please let us know.
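A bounded retry for the 429 case described above, as an added example that is not part of the original FAQ or any Citi SDK. It waits the Retry-After delay when the server sends one (RFC 6585 permits the header on 429), otherwise the one-minute wait the FAQ suggests, and it gives up after a fixed number of attempts rather than hammering the rate limit. The request and sleep callables are injected so the example runs offline against a constructed fake server; the Retry-After handling assumes the delta-seconds form, not the HTTP-date form.

```python
import time
from typing import Callable, Dict, List, Tuple

# A response is modelled as (status_code, headers) so the example runs offline;
# substitute a real HTTP client in the request callable.
Response = Tuple[int, Dict[str, str]]

DEFAULT_WAIT_SECONDS = 60  # "wait a minute and try again"


def call_with_429_retry(request: Callable[[], Response],
                        max_attempts: int = 3,
                        sleep: Callable[[float], None] = time.sleep) -> Response:
    """Call request() and retry while it returns 429, up to max_attempts.

    Any non-429 response is returned immediately. The final 429 is returned
    to the caller instead of being retried forever, so a persistent limit
    surfaces as an error rather than a hang.
    """
    attempts = 0
    while True:
        attempts += 1
        status, headers = request()
        if status != 429 or attempts >= max_attempts:
            return status, headers
        # Assumption: header lookup is case-sensitive here; a real client
        # normalises header names.
        retry_after = headers.get("Retry-After")
        try:
            wait = float(retry_after) if retry_after is not None else DEFAULT_WAIT_SECONDS
        except ValueError:
            # Not delta-seconds (for example an HTTP-date); fall back to the default.
            wait = DEFAULT_WAIT_SECONDS
        sleep(wait)


def make_fake_server(responses: List[Response]):
    """Constructed stand-in for the API that returns the given responses in order.

    Returns (request_callable, call_log); the last response repeats if the
    client calls more times than there are scripted responses.
    """
    call_log: List[int] = []

    def request() -> Response:
        idx = min(len(call_log), len(responses) - 1)
        call_log.append(idx)
        return responses[idx]

    return request, call_log


if __name__ == "__main__":
    request, calls = make_fake_server([(429, {"Retry-After": "2"}), (429, {}), (200, {})])
    waits: List[float] = []
    print(call_with_429_retry(request, sleep=waits.append))  # (200, {})
    print(calls, waits)                                       # [0, 1, 2] [2.0, 60]
```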
I’m looking for a specific API functionality — how do I know if you offer it?
Our API Catalog page can show you what APIs are available on a market-by-market basis. If you have a really strong business case for a new API, we’d love to hear about it.
Do you have sample or reference applications that could demonstrate some API calls for me?
Keep an eye on our GitHub for reference helper applications and SDKs.
Do you support any version besides TLS 1.2?

As of Nov. 4, 2017, we only support TLS 1.2.

Didn't find what you are looking for?
We're here to help.