Citi Mobile API integration & OpenBanking data services

Account login & session lifecycle

Reproduces the Citi Mobile login chain — username/password, OTP, device fingerprinting and Fingerprint/Touch ID — and exposes it as /auth/login and /auth/refresh endpoints. Use it to bind a Citi user to your tenant, keep the session warm for nightly statement pulls, and revoke tokens when an end-user disconnects.

Statement & transaction history API

Aggregates checking, savings and credit-card activity with paging, posted/pending flags, merchant strings, MCC categories and Citi's own spending-insights tags. The same endpoint emits CSV for finance teams that historically downloaded statements only via Citibank Online desktop — a gap users complain about on the mobile app.

Zelle & bill-pay sync

Mirrors the in-app Zelle flow: P2P transfers, request-to-pay, recurring bill payments, payee management (a 2024–2025 mobile-app addition) and same-day or scheduled payment confirmations. Drives reconciliation in property-management, marketplace-payout and shared-expense apps.

Card lifecycle & security

Citi® Quick Lock state, PIN reset, card replacement requests, change-due-date and dispute tracking are surfaced via /cards/{id}. Useful for issuer-of-record dashboards, fraud-ops tooling, and embedded-finance partners that resell Citi card products.

FICO® Score & credit insights

Citi cardholders see their FICO Score for free inside the app. We expose the score, score date, key factors and trend so wealth-tech and lending platforms can ingest it as part of a holistic credit profile alongside Aggregation data linked from other banks.

Account Alerts & ATM locator

Subscribe to Citi's customizable alert channel (low-balance, large purchase, statement available) and call the 60,000+ fee-free ATM locator as a geo-API for cash-access features in neobank, payroll-card or earned-wage-access products.

1. Accounting & ERP reconciliation

A small-business CFO links their Citi business checking and Citi credit cards to QuickBooks, Xero or NetSuite. Our wrapper around Citi Developer Hub's Accounts and Money Movement products pulls daily postings and pushes them into the GL, replacing manual CSV downloads from Citibank Online — the legacy path users still rely on because the mobile app rarely offers CSV export. Mapping: transactions[] → ledger entries; statements[] → period close documents.

2. Multi-bank wealth dashboard

A wealth-tech app combines Citi Mobile's Aggregation feature (which already lets users link "virtually all" bank, credit-card and investment accounts inside Citi Mobile) with Plaid- or MX-style external feeds. We expose a unified /networth endpoint that includes Citi balances, Citi-issued FICO score, and external linked institutions — useful for advisors who want one statement-quality data view per client.

3. Zelle payout reconciliation for marketplaces

A gig-economy or rental marketplace pays workers via Zelle from a Citi business account. Our webhook subscriber listens for Zelle send events, captures memo metadata, and posts to the marketplace's payouts table for 1099-K tagging and dispute handling. The integration handles Zelle's near-real-time settlement window and split-payment events surfaced in the Citi Mobile UI.

4. Lending & credit decisioning

A point-of-sale lender or BNPL provider queries the cardholder's free Citi FICO® Score, recent statement velocity, and Quick Lock state to score a loan in real time. Mapping into OpenFinance: /credit/score + /accounts/{id}/cashflow behind a consent token issued during the user's authorized session.

5. Compliance archival & e-discovery

Regulated counsel and audit teams need immutable copies of statements, dispute correspondence and alert preferences. Our pipeline rolls Citi Mobile data into WORM storage with hash chains, supporting subpoenas, CCPA Subject Access Requests (Citi already exposes this for California residents) and internal SOX controls.

Authorize a Citi user (OAuth-style)

POST /api/v1/citi/auth/login
Content-Type: application/json
Authorization: Bearer <TENANT_KEY>

{
  "username": "user@example.com",
  "device_id": "ios-9F3A...",
  "factor": "touch_id",
  "consent_scope": ["accounts.read", "transactions.read", "fico.read"]
}

200 OK
{
  "access_token": "eyJhbGciOi...",
  "refresh_token": "rft_8a91...",
  "expires_in": 1800,
  "linked_products": ["checking", "savings", "card"]
}

Pull a statement window

POST /api/v1/citi/statement
Authorization: Bearer <ACCESS_TOKEN>

{
  "account_id": "ck_4471",
  "from_date": "2026-03-01",
  "to_date":   "2026-03-31",
  "format":    "json",
  "include":   ["pending", "memo", "mcc"]
}

200 OK
{
  "account_id": "ck_4471",
  "currency": "USD",
  "opening_balance": 4123.55,
  "closing_balance": 5210.04,
  "transactions": [
    {"id":"tx_001","date":"2026-03-04","amount":-58.21,
     "merchant":"WHOLE FOODS #221","mcc":"5411","status":"posted"},
    {"id":"tx_002","date":"2026-03-06","amount":1500.00,
     "memo":"ACH PAYROLL","status":"posted"}
  ]
}

Zelle webhook (push events)

POST https://your-app.example.com/hooks/citi-zelle
X-Citi-Signature: sha256=...
Content-Type: application/json

{
  "event": "zelle.outbound.completed",
  "account_id": "ck_4471",
  "zelle_token": "u****@bank",
  "amount": 75.00,
  "memo": "Apt utilities split",
  "occurred_at": "2026-04-12T19:42:11Z"
}

Standard error model returns { "error": { "code": "consent_revoked", "retryable": false } }; clients are expected to call /auth/refresh on token_expired.

U.S. regulatory context

U.S. consumer-banking integrations sit in a moving regulatory window. The CFPB's Section 1033 open-banking rule was effectively shelved in 2025 and a replacement interim final rule was promised but missed its deadline, leaving most Citi Mobile data sharing under the existing FCRA/GLBA/Reg E framework plus contractual access via Citi's Developer Hub. We follow Citi's documented Privacy Notice and Notice at Collection, plus California's CCPA/CPRA flow for resident requests at the Citi Data Privacy Hub.

Operational safeguards

• Authorized-only access — either the end user's own credentials with explicit consent, or partner credentials via Citi Developer Hub sandbox/production.
• Data minimization: only the scopes the customer ticked are returned.
• End-to-end TLS, KMS-managed token vault, audit log of every consent event for SOC 2 / FFIEC reviews.
• NDA, DPIA and data-retention policy templates included on request.

Deliverables checklist

• API specification (OpenAPI / Swagger) for accounts, transactions, Zelle, FICO, alerts
• Protocol & auth flow report (login, OTP, biometric, token refresh, session pinning)
• Runnable source for login and statement APIs (Python / Node.js / Go available on request)
• Webhook subscriber for Zelle and Account Alerts
• Automated tests (mock server + recorded fixtures) and Postman collection
• Compliance guidance: GLBA/Reg E, CCPA, Citi Privacy Notice alignment
• Two engagement models: source-code delivery from $300, or pay-per-call hosted endpoints

Recent & in-scope features

Recent Citi Mobile additions explicitly covered: in-app payee management (added in the 2024–2025 redesign), Touch ID/Fingerprint auth, Apple Watch hand-off, Citi Mobile Snapshot pre-login view, Card Replacement, PIN reset, Quick Lock, due-date selection, FICO Score history, and the simplified spending-insights menu.

Quality & SLAs

We target 99.5% uptime on hosted pay-per-call endpoints, sub-500 ms p50 for cached balance reads, and same-day token-rotation patches whenever Citi pushes a new mobile-app build that changes the auth chain.

Who we are

We are an independent technical-services studio focused on App interface integration and authorized API integration. Our team brings hands-on experience from U.S. and global banks, payment processors, mobile reverse-engineering labs and compliance functions. We have shipped OpenBanking-style integrations for retail-banking, credit-card, e-commerce, food-delivery, OTA and OTT apps, and we routinely operate inside customer-authorized scopes plus documented public/partner APIs.

How we work

• Scoping call — you provide the target app (here: Citi Mobile) and the data slices you need.
• Protocol analysis & API design — typically 2–5 business days.
• Build and internal validation — 3–8 business days.
• Documentation, sample code and test cases — 1–2 business days.
• First delivery usually 5–15 business days; partner-portal approvals can extend timelines.

Contact

Tell us your target app and the exact data slices you need (statements, Zelle events, FICO, balances). We respond with a fixed-fee or pay-per-call quote within one business day.

Open contact page

Workflow

1. Confirm scope: which Citi Mobile data, output format, target system.
2. Sign mutual NDA and access agreement; collect any sandbox credentials you already have on Citi Developer Hub.
3. Protocol analysis and API design.
4. Implementation, internal QA, and joint UAT against your stack.
5. Hand-off: source code (or hosted endpoint), docs, runbook, on-call window for one rotation cycle.

FAQ

What do you need from me?

How long does delivery take?

How do you handle compliance?

Can I just pay per call?