Get Started

To start building with our APIs, you'll need to sign up for an account.

Sign up for an account

Here's what you do:

  • Sign up for an account.
  • Check for an email from us within a couple of days. Click the email link.
  • Follow the registration flow, then log in.

To get your Client ID and Secret, you'll first need to Register an App on your API Keys workspace. Here's how:

Add A New App

API Keys is your workspace to add and manage your apps. To register a new app and get your Client ID and Secret, go to API Keys. Then, click Register a New App. You'll see a series of fields asking you about your app or product.

Here's a breakdown of the fields:

Name (Req.) - The name of your application.

Description (Opt.) - Enter a short description of what your application does.

Redirect URI (Opt.) - Identifies which URI the user is sent to after they're authenticated and is used to identify authentication calls.

Note: Visit the FAQs for API-specific info on the Redirect URI.

App Icon (Opt.) - Displays the logo your users will see after they grant access or log in.

Client ID and Client Secret

Once your application is confirmed, you'll get your Client ID and Client Secret. Copy down this information and keep it in a secure place. Here's what your credentials do:

Client ID – The public identifier of your application. It’s used in every call so we can tell who is requesting information.
Client Secret – The private identifier of your application. Allows us to verify your identity in the authentication step of our APIs.

 

Important! Your Client ID and Client Secret identify you and are essential to protecting yourself and your customers. Keep them in a very safe place.

 

Before you can start testing our APIs, you'll need to authenticate with the Authorize API. There are two types of authentication: two-legged and three-legged. Here's the difference:

Two-Legged OAuth

You'll use two-legged when Citi is not providing identifying information or financial history. 

Example: Exchanging rewards or submitting product applications

APIs you can use:

PAY WITH POINTS

ONBOARDING

Dive deeper into Two-Legged OAuth

Here's how Two-Legged OAuth works:

  1. Make a POST request with your Client ID/Client Secret (base64 encoded) and scopes to Citi servers. This tells Citi who you are and what APIs you're using.
  2. If the credentials pass, we send a response with an access token, which enables you to make further two-legged API calls.
  3. When your user takes an action that requires two-legged API calls, include your access token in the request.

 

Three-Legged OAuth

You'll use three-legged when you need to access sensitive data from a specific customer.

Example: Checking balances or viewing personal information

APIs you can use:

ACCOUNTS

CUSTOMERS

MONEY MOVEMENT

CARDS

 

Dive deeper into Three-Legged OAuth

Three-Legged OAuth can be tricky. Here's more about how it works:

  1. Create a custom URL that redirects to a Citi login endpoint and includes the following parameters: your client ID, state, country, and scope.
  2. Once you've submitted the parameters, we'll ask your end-user to log in via the Citi portal.
  3. Once they've successfully logged in, we'll redirect them back to your redirect URL.
  4. Then, we pass the authentication code to you as a variable in the URL.
  5. You can then exchange the authentication code for an access token via a POST request.
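
Steps 1, 3-4 and 5 above as server-side Python, showing the state check that ties the returned code to the login your session started. This is an added example, not code from Citi's documentation: the endpoint and redirect URLs are placeholders, and the `country` parameter name and the Basic-auth form of the token request are assumptions, so take the real values from the API Documentation.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions), not Citi's real endpoint or your real redirect URI.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"
REDIRECT_URI = "https://app.example.invalid/callback"


def build_login_url(client_id, scope, country):
    """Step 1: return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "country": country,  # assumed parameter name
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def code_from_callback(callback_url, expected_state):
    """Steps 3-4: accept the code only if the callback is ours and state matches."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(got.query)
    state = query.get("state", [""])[0]
    # Constant-time compare; a missing or different state means this session
    # did not start the login, so the code must not be redeemed.
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request(client_id, client_secret, code):
    """Step 5: headers and form body for the server-side POST that redeems the code."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body
```

Run the token exchange only on your server, with the Client Secret loaded from a secret store or environment variable rather than shipped in the client interface.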

 

Important! Access Tokens. Just like your Client ID and Client Secret, keep your access tokens well-guarded and hidden, and keep them away from your client interface.

 

 

Now it’s time to choose an API and start testing. Our API Documentation will show you how to format your HTTPS request. 

Include your access token and the information needed for that API. From there, use the response for your application and you’re all set. 

Now you can start building applications with our API sandbox data!

 

Here's an example of an account summary response scoped for Australia.

You're now up and running on Citi Developer Hub. But where do you go from here?

Submit for production

When you're finished testing, you may want to submit your app for production. If it seems like we'd be a good fit, our legal teams will look into it, and we'll do some testing together. If everything's good, we'll grant you access to our production environment.

To learn more, contact our sales team.

Want more help?

If you're stuck or have questions about any part of the process, feel free to visit our other resources: