1st Source Mobile Banking API integration (OpenBanking / OpenData)

1 · Accounting & bookkeeping sync

Context: a small business banking with 1st Source wants its checking activity flowing into QuickBooks/Xero-style ledgers nightly. Data/API: GET /accounts + GET /transactions?account_id=…&from=…&to=… with pagination, returning normalized transaction objects. OpenData mapping: this is the classic "account information service" pattern — the same "transaction history" covered-data category named in CFPB Section 1033 — delivered as a read-only export.

2 · Lending & underwriting cash-flow analysis

Context: a lender needs 24 months of verified inflows/outflows plus recent e-statements for a credit decision. Data/API: transaction history with categories and running balances, balance snapshots, and GET /statements/{id} returning a signed PDF URL. OpenBanking mapping: consented account-data sharing for affordability assessment, with consent scope and expiry recorded.

3 · Personal finance & budgeting dashboards

Context: a PFM app wants to show a 1st Source customer their balances, categorized spend, and upcoming Bill Pay/scheduled transfers in one place. Data/API: balance sync, transaction stream, Bill Pay payee list, recurring-transfer queue. OpenFinance mapping: aggregation across institutions, with the 1st Source connector normalized to a shared account/transaction schema.

4 · Treasury & multi-account reconciliation

Context: a finance team reconciles internal transfers and Zelle disbursements across several 1st Source accounts daily. Data/API: per-account transactions, Zelle activity records, scheduled-transfer status, and a webhook for new postings. OpenData mapping: event-driven ingestion — the bank pushes "transaction.created" / "balance.updated" events to your endpoint instead of you polling.

5 · Document automation & audit packages

Context: an accountant assembling a year-end audit needs every e-statement and cleared check image for a client's 1st Source accounts. Data/API: GET /statements (list periods), GET /statements/{id} (PDF), and GET /transactions/{id}/check-image. OpenBanking mapping: bulk document retrieval under a time-boxed consent, with every fetch written to an access log.

1 · Authorize an account holder (login / token)

POST /api/v1/firstsource/auth/login
Content-Type: application/json

{
  "username": "<ONLINE_BANKING_USERNAME>",
  "password": "<SECRET>",
  "device_id": "consented-device-uuid",
  "mfa": { "method": "biometric|otp", "value": "..." }
}

200 OK
{
  "access_token": "eyJ...",         // short-lived
  "refresh_token": "rt_...",        // rotate; honors app idle time-out
  "expires_in": 600,
  "consent": { "scope": ["accounts","transactions","statements"], "expires_at": "2026-11-12T00:00:00Z" }
}

2 · Fetch a statement period (transactions, paged)

GET /api/v1/firstsource/accounts/{account_id}/transactions
  ?from=2026-04-01&to=2026-04-30&cursor=&limit=200
Authorization: Bearer <ACCESS_TOKEN>

200 OK
{
  "account_id": "acct_9f2a",
  "items": [
    { "id":"txn_001","date":"2026-04-03","amount":-42.17,"currency":"USD",
      "description":"POS PURCHASE","merchant":"Martin's Super Markets",
      "check_number":null,"category":"groceries","running_balance":1832.45,"status":"posted" },
    { "id":"txn_002","date":"2026-04-05","amount":1500.00,"currency":"USD",
      "description":"MOBILE DEPOSIT","merchant":null,"category":"deposit",
      "running_balance":3332.45,"status":"pending" }
  ],
  "next_cursor": "c_2",
  "statement": { "id":"stmt_2026_04","pdf_url":"https://.../signed.pdf" }
}

3 · Webhook: balance & transaction alerts

# Your endpoint receives push events (mirrors the app's
# "Push Balance & Transaction Alerts"). Verify the signature.
POST https://your-app.example.com/webhooks/firstsource
X-OFL-Signature: t=1715500000,v1=hex(hmac_sha256(secret, body))
Content-Type: application/json

{
  "event": "transaction.created",
  "account_id": "acct_9f2a",
  "data": { "id":"txn_777","amount":-120.00,"merchant":"Zelle to J. Doe","status":"posted" },
  "balance_after": { "available": 3212.45, "ledger": 3332.45 },
  "occurred_at": "2026-05-12T14:03:09Z"
}

# Respond 2xx within 5s; we retry with backoff on 5xx/timeout.

4 · Error handling & resilience

// Normalized error envelope
{ "error": { "code":"consent_expired","message":"Re-authorization required",
             "retryable": false, "doc":"https://openfinance-lab.com/docs/errors" } }

Codes you handle in client code:
  invalid_credentials   -> stop, surface to user
  mfa_required          -> prompt step-up auth
  rate_limited (429)    -> exponential backoff, honor Retry-After
  consent_expired       -> trigger re-auth flow
  upstream_unavailable  -> queue + retry; alert after N failures

Idempotency: send Idempotency-Key on POSTs; webhook handlers must be
idempotent on event "id" (at-least-once delivery).

What we align to

1st Source Mobile Banking is a US depository-institution app, so integrations are framed by US open-banking and data-protection norms. We work under the account holder's explicit authorization or documented, authorized API access, and align with the CFPB Section 1033 Personal Financial Data Rights framework, FFIEC authentication and access guidance, and the Gramm–Leach–Bliley Act (GLBA) privacy and Safeguards expectations. Where a client operates internationally, we layer GDPR-style data-subject controls on top. The bank's own security posture — no personal data stored on the device, app idle time-out, multi-factor sign-in — is preserved in the integration layer.

How we operate

• Consent capture with explicit scope and expiry; revocation honored immediately.
• Data minimization — we request only the fields a use case needs.
• Full access logging and tamper-evident audit trails for every read.
• Encryption in transit and at rest; secrets in a managed vault, never in source.
• Retention and deletion guidance documented per data type; NDAs on request.
• No "credential cracking" or evasion — only reverse engineering of public app behavior for interoperability, and authorized API access.

Deliverables checklist

• API specification (OpenAPI / Swagger) scoped to your authorized use
• Protocol & auth flow report (sign-in, MFA/biometric re-auth, session/token chain, idle time-out behavior)
• Runnable source for login, transaction, balance and statement endpoints (Python / Node.js)
• Webhook receiver sample with signature verification and retry handling
• Automated tests, a Postman/HTTP collection, and written API documentation
• Compliance guidance: consent model, logging, retention and deletion per data type

Engagement workflow

1. Scope confirmation: which data and flows (login, transactions, statements, payments, alerts).
2. Protocol analysis & API design — 2–5 business days, complexity-dependent.
3. Build & internal validation — 3–8 business days.
4. Docs, samples and test cases — 1–2 business days.
5. First delivery typically 5–15 business days; third-party approvals may extend timelines.

Regional & super-regional bank apps

• Fifth Third Bank — large Midwest bank app with balances, transactions, early direct deposit and automatic savings; users who also bank with 1st Source often want unified transaction exports across both.
• Huntington Bank Mobile — well-regarded Midwest app with features like Standby Cash; similar account/transaction data shape, common in multi-bank reconciliation.
• KeyBank Mobile — regional app with in-app chat and standard balance, transfer and bill-pay data that aggregators normalize alongside 1st Source.
• Old National Bank — Indiana-headquartered regional bank with a wide ATM network; overlapping footprint with 1st Source makes combined statement pulls a frequent ask.
• Regions Bank Mobile — Southeast/Midwest super-regional with comparable transaction-history and deposit data used in PFM and lending workflows.
• Citizens Bank Mobile — Northeast/Midwest regional app whose account, statement and Zelle data feed the same aggregation pipelines.

National & digital-first apps

• Chase Mobile — large national app; many 1st Source customers also hold a Chase account, so cross-institution transaction sync is common.
• PNC Mobile — multi-state app with strong app-store ratings; balances, Bill Pay and transfers map cleanly to a shared schema.
• Capital One Mobile — national app with balances, spend tracking, bill pay, mobile deposit and card controls — a near-direct analog of the 1st Source feature set.
• Chime — digital-first (neobank) app; aggregators normalize its transaction and balance data into the same OpenFinance views as regional banks like 1st Source.

About us

We are an independent technical studio focused on fintech and open-data API integration. Our engineers come from banking, payment gateways, mobile protocol analysis and cloud infrastructure, so we can take a project from reverse engineering an app's authorized behavior through to a documented, tested API your team can run.

• Digital banking, payments, lending and document-automation integrations
• Enterprise API gateways, webhook delivery and security reviews
• Custom Python / Node.js / Go SDKs and test harnesses
• Full pipeline: protocol analysis → build → validation → compliance hand-off
• Source code delivery from $300 — runnable API source code and full documentation; pay after delivery upon satisfaction
• Pay-per-call API billing — access our hosted endpoints, pay only per call, no upfront cost

Contact

For a quote, or to submit your target app and requirements, open our contact page. Tell us which 1st Source Mobile Banking data you need (transactions, balances, e-statements, Zelle/Bill Pay, mobile deposit, Card Control) and whether you want source-code delivery or pay-per-call access.

Contact page

What do you need from me to start a 1st Source Mobile Banking integration?

The target app name (provided), the concrete data you need (for example transaction history, account balances, e-statements, Zelle or scheduled transfer status), and any account holder consent, sandbox access or aggregator credentials you already have. We then scope the protocol analysis and API design around that.

How long does delivery take?

A first API drop with documentation is usually 5 to 15 business days depending on scope. A read-only statement and balance export is at the fast end; flows that touch payments, mobile deposit or webhooks, or that depend on third-party approvals, take longer.

Is this compliant with US open banking rules?

We work only under account holder authorization or documented, authorized API access, with consent records, access logging and data minimization. We align with the CFPB Section 1033 Personal Financial Data Rights framework, the FFIEC authentication guidance and GLBA privacy expectations, and we sign NDAs when required.

Can you deliver runnable source code instead of a hosted API?

Yes. We offer two models: source code delivery from 300 USD, where you receive runnable Python or Node.js code plus documentation and pay after delivery upon satisfaction; or pay-per-call access to our hosted endpoints with no upfront fee, billed only for the calls you make.