Arsenal Credit Union API integration (FDX / OpenBanking)

Deliverables checklist

• OpenAPI / Swagger specification covering login, accounts, transactions, statements and card-control endpoints
• Protocol & auth flow report (token lifecycle, refresh, MFA challenges, device binding)
• Runnable reference source in Python and Node.js, with retry, pagination and rate-limit handling
• Automated test suite, fixtures and sandbox replay traces
• Compliance pack: CFPB Section 1033 mapping, FDX field map, data-minimization and retention notes

Engagement models

Pick the model that matches how your team buys software.

• Source code delivery from $300. You receive runnable API source plus documentation; payment is due after acceptance testing.
• Pay-per-call hosted API. Connect to our managed endpoints, pay only for what you use, and let us absorb token refresh and connector maintenance.

1. PFM dashboard for St. Louis-area households

A regional personal-finance app wants to add Arsenal Credit Union alongside Bank of America and Capital One. We provide a hosted connector that returns FDX-style accounts, transactions and statements resources under member consent, refreshing twice daily and exposing webhooks on new posted activity. The household sees one cash-flow view across megabanks and their credit union.

2. Small-business accounting sync (QuickBooks / Xero)

An accountant serving Arsenal business members wants automatic transaction feed into QuickBooks Online. We deliver a daily job that authenticates as the member, pulls business-account transactions with running balances, applies a categorization map, and posts into the accounting platform via QBO/Xero APIs. The deliverable includes idempotency keys so retries do not duplicate entries.

3. Lending originator with affordability checks

A consumer-lender wants 90 days of transaction history plus employer credits to compute affordability. We map Arsenal's transaction stream to FDX posted-transactions and emit a derived income-stream object with confidence scoring. The flow is consent-screen first and time-boxed: tokens are short-lived and the lender's vault stores only summary derivations, not raw transactions.

4. Compliance reporting & CCM audit pack

A compliance team needs a quarterly audit pack: statements, transfer logs, card-control changes and bill-pay activity. We package the data as a signed archive with a manifest and SHA-256 hashes, suitable for handover to internal audit or a Section 1033 data-rights request response.

5. Card-control automation for travel and fraud

A fintech offering family-finance tooling wants to flip Arsenal-issued debit cards into "lock" state when geofenced anomalies appear, mirroring the in-app card control. We provide an authorized write endpoint that calls the same protected route used by the app, returns the new state and a server-side audit record, and triggers an alert thread for the cardholder.

Authorize a member session (PKCE)

# 1. Build authorization URL (OAuth 2.0 + PKCE)
GET https://api.openfinance-lab.com/v1/arsenal-cu/authorize
  ?client_id=acme-pfm
  &redirect_uri=https://acme.example/cb
  &scope=accounts.read transactions.read statements.read cards.write
  &code_challenge=<sha256(verifier)>
  &code_challenge_method=S256
  &state=<csrf-nonce>

# 2. Exchange code for tokens
POST /v1/arsenal-cu/token
{
  "grant_type": "authorization_code",
  "code": "<code>",
  "code_verifier": "<verifier>",
  "client_id": "acme-pfm"
}
# -> { "access_token": "...", "refresh_token": "...", "expires_in": 1800 }

List accounts and pull transactions

GET /v1/arsenal-cu/accounts
Authorization: Bearer <ACCESS_TOKEN>

# Response (FDX-aligned)
{
  "accounts": [
    {"accountId":"acct_9f2","type":"CHECKING","nickname":"Everyday",
     "currentBalance":1842.17,"availableBalance":1742.17,"currency":"USD"},
    {"accountId":"acct_a13","type":"SAVINGS","nickname":"Vacation",
     "currentBalance":5210.00,"availableBalance":5210.00,"currency":"USD"}
  ]
}

GET /v1/arsenal-cu/accounts/acct_9f2/transactions
  ?fromDate=2026-04-01&toDate=2026-04-30&page=1
Authorization: Bearer <ACCESS_TOKEN>

# Response
{
  "transactions": [
    {"id":"t_001","postedTimestamp":"2026-04-03T14:22Z","amount":-42.10,
     "description":"SCHNUCKS #1184","mcc":"5411","status":"POSTED"}
  ],
  "page": {"next": "2"}
}

Card control + webhook for posted activity

PATCH /v1/arsenal-cu/cards/card_77e
Authorization: Bearer <ACCESS_TOKEN>
{ "lockState": "LOCKED", "reason": "user_request" }

# Subscribe to webhook
POST /v1/arsenal-cu/webhooks
{
  "url": "https://acme.example/hooks/arsenal",
  "events": ["transaction.posted","statement.ready","card.locked"]
}

# Webhook payload (signed with HMAC-SHA256)
{
  "event": "transaction.posted",
  "accountId": "acct_9f2",
  "transactionId": "t_007",
  "amount": -12.50,
  "occurredAt": "2026-05-09T17:04Z"
}

US open banking framework

Our work for Arsenal Credit Union is built around CFPB Section 1033 (Personal Financial Data Rights), the rule finalized by the Consumer Financial Protection Bureau and effective January 17, 2025. Compliance dates for data providers begin April 1, 2026 and stagger through April 1, 2030 by asset size. In August 2025 the CFPB issued an Advance Notice of Proposed Rulemaking for reconsideration of the rule, so we track ongoing changes and adjust the deliverable accordingly.

FDX data model

Resource names, field shapes and error semantics align with the Financial Data Exchange (FDX) API, recognized by the CFPB as a standard-setting body in January 2025 and now covering over 130 million consumer account connections. Using FDX shapes keeps your code reusable when adding other US institutions later.

Privacy & safeguards

Member consent is captured at session start and pinned to a scope list (e.g. transactions.read, cards.write). Tokens are short-lived; refresh is rotated. Raw responses are encrypted at rest with envelope keys. Access events, scope changes and revocations are logged for at least the retention period required by the customer's policy. NDAs and DPAs are available on request.

About OpenFinance Lab

We are an independent technical studio focused on mobile-app protocol analysis and API integration for the financial-services sector. Our engineers come from retail banking, payment gateways, credit-union back-office vendors and reverse-engineering teams. We have shipped consent-driven integrations across US, EU and APAC institutions and stay current with FDX, OBIE, PSD2 and equivalent regional frameworks.

• Consumer banking, credit unions, lending and small-business accounting
• Aggregator-backed integrations (Plaid, MX, Finicity) and direct protocol work
• Python, Node.js, Go, Kotlin and Swift reference clients
• End-to-end pipeline: protocol analysis → API build → automated tests → compliance handover
• Source code delivery from $300, pay after acceptance
• Pay-per-call hosted API for teams that prefer usage-based billing

Contact

Send the target app name and the data you need (e.g. "Arsenal Credit Union transactions + statements, 90-day window"), plus any existing sandbox or aggregator credentials. We will reply with a scoped quote and timeline.

Contact page

Engagement workflow

1. Scope confirmation: which Arsenal Credit Union surfaces you need (login, transactions, statements, cards, transfers).
2. Protocol analysis and FDX field mapping (2–5 business days).
3. Build, sandbox replay and internal validation (3–8 business days).
4. Documentation, automated tests and compliance pack (1–2 business days).
5. Handover and acceptance testing; first delivery typically lands in 5–15 business days.

FAQ

Does Arsenal Credit Union expose a public developer API?

Which data can be exported from a member account?

How long does delivery take and what is the price?

Is the integration compliant with US data-sharing rules?