Frequently Asked Questions

What is Citi Open Banking?
Citi Open Banking is a set of APIs that allow you to connect to core Citi financial functionality. Whether you are an established retailer looking to kick-start a new credit card or a financial technology start up that needs account data, our APIs seek to enable your product and its features.
What kind of data and access do I get in the portal?
Our portal consists of a ‘sandbox’, which allows you to make API calls that are the same in form and function to our production environments. It contains mock  test data so that you can prototype your application as if it were the real thing. We keep our public APIs sandboxed to protect our clients’ data and validate products before moving them to production.
What functionality is available in the sandbox?
Our functionality varies from region to region – though we provide simulated access to our points platform, customer profiles, accounts, and transactions across all regions. To see if your desired functionality is available in your product’s region, be sure to check out our API catalog and documentation. Please be reminded that this a sandbox, which means a test environment, that only uses dummy data.
What does it cost me?
There are no fees currently to access our sandbox.  If we allow you to move beyond the sandbox, at that time we can discuss next steps and pricing.
Where can I find out about Citi’s Institutional APIs?
Visit the Institutional APIs Portal to explore and access APIs for Treasury & Trade Solutions and Markets & Securities Services.
I have an idea for an API that would really enable my product. Can Citi help me?
Please let us know at our Contact Us page! We are always looking for new ways to expose APIs that enable the financial technology space and create new opportunities.
Who can access the sandbox, and how do I get a Developer Hub account?
Anyone can apply for access to the Citi Developer Hub! Registration lives on our Get Started page. Once you submit that form, we will review your information, and we may elect to send you an invitation email. Once you click the link in the email, your account becomes active and you are now free to create new applications! Make sure to check your spam folder if you don’t see the email and activation link in your inbox.  Please note that the link expires in 7 days.
I haven’t received an activation email, or I accidentally let my activation link expire. What do I do now?
Please send an email with a brief description of your problem to and we’ll get back to you ASAP to help resolve your problems.
I’ve forgotten my User ID and my Password. How do I recover them?
Head to the login page and hit the forgot User ID/Password.
What is an “Application”, and how many can I register?
Think of an Application as your API key and secret management. It is what determines your three-legged OAuth display and enables you to retrieve access tokens. You can register as many of these as you want, so prototype to your heart’s content!
Does my application determine in what market I will implement APIs?
Not at all! Your secret and client id can access any market – just be sure to pay attention to the ‘authorize’ API for that region, as you have to retrieve tokens against the market you want to integrate against.
How do I move my application to production?
We’re excited to see your creation! If you’ve done some testing and have a valid prototype or idea worked out, check out our Contact Us page and fill out the form. We’ll engage your team and start vetting you for production access.
What certificates will I need to work in your sandbox and production environments?
In our sandbox, no signed certificate is needed to prototype. Our developers will self-sign a certificate as necessary to work in the confines of the HTTPS scheme if they want to create and test an idea quickly. In production, we will provide a certificate and require TLS 1.2 implementation.
What system of authorization do you use for your APIs, and how do I get authorized to make calls?
We use a standard OAuth 2.0 scheme for authorization. To make calls, check out our Authorize Documentation to get information on implementing a 2-legged and 3-legged OAuth flow.
How do I base-encode my client_id and client_secret?
Most programming languages have base-encoding built in or readily available as a library. When coding your business logic on your app server, we recommend base-encoding your client and secret in-application rather than storing the encoding as a static string. If you are looking to prototype quickly, there are online tools that can help you get running that can be found with a quick search.
What is the difference between Bearer and Basic tokens?

A basic token is used for authentication with all types of authorization requests and a bearer token is used for post authentication requests. For example:

  • Basic base64 (client_id:client_secret) (used for creating and interacting with Authorize APIs)
  • Bearer access_token (used for all other resource APIs)
I’m trying to get a token but don’t know which one to retrieve - what’s the difference between a Client Credential Grant and an Authorization Code Grant?
  • A Client Credential Grant is when your application merely needs to receive Citi data but not a customer’s – for example, you are using the onboarding API to retrieve or submit credit card offers. In short, it lets us know that you are a validated API consumer. 
  • An Authorization Code Grant is when you need a customer’s permission to retrieve their data – such as their account information or transaction information.
  • You need to implement multi-factor authentication when you perform a high-risk transaction, such as making a money transfer.
  • For a detailed list of differences and which API domains require which type of token, take a look at our Authorize Guide.
I want to test the APIs before I start implementing. How do I do this?
Our documentation pages allow in-browser testing – simply pre-populate the data using the documentation prompts and insert missing fields from your application or access token information. Once all of the fields are filled, hit test!
How to get Test Data for accessing APIs?
We supply standard test accounts on our Authorize page that has different types of mock-customer data stored on them. If you need a specific test data for an account, please get in touch with the event host and they will supply you with the correct login information. If you have a test data set that you’d like to see in the portal, let us know here.
What is the expiration time of various types of tokens?
  • Authcode (what you use to exchange for an access token) - 120 seconds
  • access_token (what you need to call other APIs) - 30 minutes
  • refresh_token (how you can programmatically refresh your access token) - 30 days
I keep receiving a 401 ‘Unauthorized’ response. What can I do to resolve it?

It could be a variety of issues, but here are some common problems. If these don’t help, please let us know at our contact us page.

  • Check that your client-id and secret are correctly matched against the application you created.
  • Verify your base-64 encoding has been correctly formatted per the authorization documentation
  • Ensure that Basic is pre-fixed to the encoded client_id and client_secret while making your token call.
  • Make sure that your access token is not invalidated or expired.
I keep receiving a ‘429’ response. What am I doing wrong?
We cap the amount of API calls you can make in a given period of time in our sandbox environments. Simply wait a minute and try again. If the issue persists, please get in touch with us at our contact us page
I’m looking for a specific API functionality – how do I know if you offer it?
Take a look at our catalog page – it will let you know what APIs are available on a market-by-market basis. If you have a really strong business case for a new API we’d love to hear about it! Send us a message through our contact us page.
Do you have sample or reference applications that could demonstrate some API calls for me?
Stay posted at our GitHub to see various reference helper applications and SDKs.
What do I need to know for the upgrade to TLS 1.2?
We’re reminding our users who are currently using TLS 1.0 and TLS 1.1 to make sure their applications support TLS 1.2 by November 4th, 2017 since we will no longer be able support previous versions. 
va0605 test
va0605test welcome
What does the My Teams feature allow me to do?
Once you’ve registered an application on the API Keys page, the My Teams feature allows you to securely share the Client ID and Client Secret application credentials with your teammates. You can create as many teams as you want and invite as many people you want to join your team. All invitations are sent out to the email ID you specify. You also have the option to join any team that might invite you.
You can switch between your teams at any time from the navigation bar. Once you switch teams you can view the API keys that your team mates have shared with you.
Didn't find what you are looking for ?
We're here to help.