Cross River Accounts API

Open and manage COS deposit accounts (DDA) and subledgers - create accounts from a product, apply and remove restrictions, retrieve statements and tax documents, and manage time deposits (CDs). Part of the COS Core module.

OpenAPI Specification

cross-river-openapi.yml Raw ↑
openapi: 3.0.3
info:
  title: Cross River Operating System (COS) API
  description: >-
    The Cross River Operating System (COS) is a collection of RESTful APIs from
    Cross River Bank (an FDIC-member bank) for embedded finance and
    Banking-as-a-Service - deposit accounts, ACH, wires, instant payments
    (RTP / FedNow / CRNow), card issuing and management, lending, and customer
    management (KYC / onboarding). COS is organized around REST with
    object-oriented URLs and JSON responses, and uses OAuth 2.0 (client
    credentials grant) to issue a signed JWT Bearer access token that must be
    sent on every request.

    ACCESS MODEL: Cross River is a regulated bank and COS access is
    partner/enterprise-gated. Programs are onboarded via Cross River sales and a
    relationship manager, who provision client_id / client_secret credentials
    for the sandbox (https://sandbox.crbcos.com) and, after go-live, for
    production. The public production base URL is not published in the open
    documentation.

    GROUNDING NOTE: The paths, methods, and module base URLs in this document
    are grounded in the public Cross River developer documentation at
    docs.crossriver.com (as of 2026-07-12). Because the live sandbox is
    credential-gated, request and response BODY SCHEMAS below are MODELED
    representative structures, not copied from the credential-gated OpenAPI /
    Postman collection Cross River shares with onboarded partners. Verify exact
    field names and required properties against the official reference and the
    partner-provided collection.
  version: '1.0'
  contact:
    name: Cross River
    url: https://www.crossriver.com/
  license:
    name: Proprietary
    url: https://www.crossriver.com/
servers:
  - url: https://sandbox.crbcos.com
    description: >-
      COS sandbox host for the core modules (Core, ACH, Wires, RTP, Cards, etc.).
      Requires partner-provisioned OAuth2 credentials. Production host is issued
      separately during go-live and is not publicly documented.
  - url: https://arixapisandbox.crbnj.net
    description: Lending / loan origination sandbox host (separate from the core COS host).
security:
  - oauth2ClientCredentials: []
tags:
  - name: Customer Management
    description: Customer records, KYC, and onboarding (COS Core module, /core/v1/cm).
  - name: Accounts
    description: Deposit accounts and subledgers (COS Core module, /core/v1/dda).
  - name: ACH
    description: ACH origination and receipt (COS Payments, /ach).
  - name: Wires
    description: Domestic wire transfers and drawdowns (COS Payments, /wires).
  - name: Instant Payments
    description: RTP, FedNow, and CRNow instant payments (COS Payments, /rtp).
  - name: Cards
    description: Debit card issuing and management (COS Card Management, /cardmanagement).
  - name: Lending
    description: Loan origination and servicing (separate lending host).
paths:
  /core/v1/cm/customers:
    post:
      operationId: createCustomer
      tags:
        - Customer Management
      summary: Create a customer
      description: >-
        Creates a personal or business customer record used for KYC / onboarding.
        A customer record is required before opening deposit accounts or issuing
        cards. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CustomerInput'
      responses:
        '200':
          description: The created customer.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Customer'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '422':
          $ref: '#/components/responses/ValidationError'
  /core/v1/cm/customers/{id}:
    parameters:
      - $ref: '#/components/parameters/Id'
    get:
      operationId: getCustomer
      tags:
        - Customer Management
      summary: Retrieve a customer
      description: Retrieves a customer record by its ID.
      responses:
        '200':
          description: The requested customer.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Customer'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deactivateCustomer
      tags:
        - Customer Management
      summary: Deactivate a customer
      description: Deactivates (soft-deletes) a customer record.
      responses:
        '200':
          description: Deactivation confirmation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StatusResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /core/v1/cm/customers/{customerId}/beneficial-owners:
    parameters:
      - $ref: '#/components/parameters/CustomerId'
    post:
      operationId: addBeneficialOwner
      tags:
        - Customer Management
      summary: Add a beneficial owner
      description: Adds a beneficial owner to a business customer. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The updated customer.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Customer'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /core/v1/cm/customers/{customerId}/identifications:
    parameters:
      - $ref: '#/components/parameters/CustomerId'
    post:
      operationId: addIdentification
      tags:
        - Customer Management
      summary: Add an identification
      description: Adds an identification document (e.g. SSN, passport) to a customer. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The updated customer.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Customer'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /core/v1/dda/accounts:
    post:
      operationId: createAccount
      tags:
        - Accounts
      summary: Open a deposit account
      description: Creates a deposit account (DDA) based on a product ID for a customer. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccountInput'
      responses:
        '200':
          description: The created account.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Account'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '422':
          $ref: '#/components/responses/ValidationError'
  /core/v1/dda/accounts/{accountNumber}/restrictions:
    parameters:
      - $ref: '#/components/parameters/AccountNumber'
    post:
      operationId: addAccountRestriction
      tags:
        - Accounts
      summary: Restrict an account
      description: Applies a restriction (e.g. hold, freeze) to a deposit account. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: Restriction confirmation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StatusResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /core/v1/dda/accounts/{accountNumber}/statements:
    parameters:
      - $ref: '#/components/parameters/AccountNumber'
    get:
      operationId: listAccountStatements
      tags:
        - Accounts
      summary: List account statements
      description: Retrieves statement information for a deposit account.
      responses:
        '200':
          description: A list of statements.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      type: object
                      additionalProperties: true
        '401':
          $ref: '#/components/responses/Unauthorized'
  /ach/v1/payments:
    post:
      operationId: sendAchPayment
      tags:
        - ACH
      summary: Send an ACH payment
      description: >-
        Originates a single ACH payment over the Federal Reserve ACH network.
        Supports standard and same-day ACH. An idempotency-key header is
        recommended to safely retry. MODELED request body.
      parameters:
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AchPaymentInput'
      responses:
        '200':
          description: The created ACH payment.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Payment'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '422':
          $ref: '#/components/responses/ValidationError'
  /wires/v1/payments:
    post:
      operationId: sendWirePayment
      tags:
        - Wires
      summary: Send a wire transfer
      description: Sends a single domestic wire transfer payment. MODELED request body.
      parameters:
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WirePaymentInput'
      responses:
        '200':
          description: The created wire payment.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Payment'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '422':
          $ref: '#/components/responses/ValidationError'
  /wires/v1/payments/{id}/cancel:
    parameters:
      - $ref: '#/components/parameters/Id'
    post:
      operationId: cancelWirePayment
      tags:
        - Wires
      summary: Cancel a wire transfer
      description: Cancels a wire transfer payment by ID.
      responses:
        '200':
          description: Cancellation confirmation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StatusResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /rtp/v1/payments:
    post:
      operationId: sendInstantPayment
      tags:
        - Instant Payments
      summary: Send an instant payment
      description: >-
        Initiates a single instant payment (credit transfer) over CRNow, RTP
        (The Clearing House), or FedNow, depending on the receiving bank's
        supported networks. MODELED request body.
      parameters:
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/InstantPaymentInput'
      responses:
        '200':
          description: The created instant payment.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Payment'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '422':
          $ref: '#/components/responses/ValidationError'
  /rtp/v1/directory:
    get:
      operationId: getInstantPaymentDirectory
      tags:
        - Instant Payments
      summary: Get supported instant-payment services
      description: >-
        Retrieves a list of instant-payment-related services supported by a
        specific financial institution (routing number), used to check whether a
        receiving bank supports RTP and/or FedNow before sending.
      parameters:
        - name: routingNumber
          in: query
          required: false
          description: ABA routing number of the financial institution to query.
          schema:
            type: string
      responses:
        '200':
          description: Supported services for the institution.
          content:
            application/json:
              schema:
                type: object
                additionalProperties: true
        '401':
          $ref: '#/components/responses/Unauthorized'
  /cardmanagement/v1/cards:
    get:
      operationId: listCards
      tags:
        - Cards
      summary: List cards
      description: Returns details about cards matching the supplied filters.
      responses:
        '200':
          description: A list of cards.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Card'
        '401':
          $ref: '#/components/responses/Unauthorized'
    post:
      operationId: createCard
      tags:
        - Cards
      summary: Create a card
      description: Requests creation of a new debit card for a customer/account. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CardInput'
      responses:
        '200':
          description: The created card.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Card'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '422':
          $ref: '#/components/responses/ValidationError'
  /cardmanagement/v1/cards/{id}:
    parameters:
      - $ref: '#/components/parameters/Id'
    get:
      operationId: getCard
      tags:
        - Cards
      summary: Get a card
      description: Returns the details of a specific debit card by its ID.
      responses:
        '200':
          description: The requested card.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Card'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /cardmanagement/v1/cards/{id}/activate:
    parameters:
      - $ref: '#/components/parameters/Id'
    post:
      operationId: activateCard
      tags:
        - Cards
      summary: Activate a card
      description: Activates a card for a customer (the preferred way to activate a card).
      responses:
        '200':
          description: Activation confirmation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Card'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /cardmanagement/v1/cards/{id}/suspend:
    parameters:
      - $ref: '#/components/parameters/Id'
    post:
      operationId: suspendCard
      tags:
        - Cards
      summary: Suspend a card
      description: Suspends a card by ID.
      responses:
        '200':
          description: Suspend confirmation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Card'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /cardmanagement/v1/cards/{id}/close:
    parameters:
      - $ref: '#/components/parameters/Id'
    post:
      operationId: closeCard
      tags:
        - Cards
      summary: Close a card
      description: Permanently deactivates a card. Closed cards cannot be reactivated.
      responses:
        '200':
          description: Close confirmation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Card'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /loan:
    post:
      operationId: addLoan
      tags:
        - Lending
      summary: Add a loan
      description: >-
        Creates a loan record in the lending system. Served from the separate
        lending host (arixapisandbox.crbnj.net in sandbox) with its own OAuth
        server. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The created loan.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Loan'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /loandetail/{id}:
    parameters:
      - $ref: '#/components/parameters/Id'
    get:
      operationId: getLoanDetail
      tags:
        - Lending
      summary: Get loan details
      description: Retrieves the details of a loan by its ID.
      responses:
        '200':
          description: The requested loan.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Loan'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /loan/{id}/fundinginfo:
    parameters:
      - $ref: '#/components/parameters/Id'
    put:
      operationId: requestLoanFundingRails
      tags:
        - Lending
      summary: Request loan funding rails
      description: Requests new payment rails for funding a loan. MODELED request body.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The updated loan funding info.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Loan'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  securitySchemes:
    oauth2ClientCredentials:
      type: oauth2
      description: >-
        OAuth 2.0 client credentials grant. POST client_id, client_secret and
        grant_type=client_credentials to the COS identity provider token
        endpoint (sandbox: https://idptest.crbcos.com/connect/token; lending
        uses https://oauthtest.crbnj.net/connect/token). The response is a signed
        JWT that must be sent as `Authorization: Bearer <token>` on every request.
      flows:
        clientCredentials:
          tokenUrl: https://idptest.crbcos.com/connect/token
          scopes: {}
  parameters:
    Id:
      name: id
      in: path
      required: true
      description: The unique identifier of the resource.
      schema:
        type: string
    CustomerId:
      name: customerId
      in: path
      required: true
      description: The unique identifier of the customer.
      schema:
        type: string
    AccountNumber:
      name: accountNumber
      in: path
      required: true
      description: The deposit account number.
      schema:
        type: string
    IdempotencyKey:
      name: idempotency-key
      in: header
      required: false
      description: A client-generated UUID used to safely retry a request without duplicating it.
      schema:
        type: string
        format: uuid
  responses:
    Unauthorized:
      description: Missing or invalid Bearer token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: The requested resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    ValidationError:
      description: The request payload failed validation.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  schemas:
    Error:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string
            details:
              type: object
              additionalProperties: true
    StatusResponse:
      type: object
      properties:
        id:
          type: string
        status:
          type: string
    CustomerInput:
      type: object
      description: MODELED. Verify required fields against the official reference.
      required:
        - type
      properties:
        type:
          type: string
          enum:
            - personal
            - business
        firstName:
          type: string
        lastName:
          type: string
        legalName:
          type: string
          description: Legal name for a business customer.
        email:
          type: string
          format: email
    Customer:
      allOf:
        - $ref: '#/components/schemas/CustomerInput'
        - type: object
          properties:
            id:
              type: string
            status:
              type: string
    AccountInput:
      type: object
      description: MODELED. Verify required fields against the official reference.
      required:
        - productId
        - customerId
      properties:
        productId:
          type: string
          description: The deposit product to open the account under.
        customerId:
          type: string
        currency:
          type: string
          default: USD
    Account:
      allOf:
        - $ref: '#/components/schemas/AccountInput'
        - type: object
          properties:
            accountNumber:
              type: string
            status:
              type: string
            availableBalance:
              type: number
    AchPaymentInput:
      type: object
      description: MODELED. Verify required fields against the official reference.
      required:
        - amount
        - accountNumber
      properties:
        amount:
          type: number
        currency:
          type: string
          default: USD
        accountNumber:
          type: string
          description: The funding account number.
        counterparty:
          type: object
          additionalProperties: true
        sameDay:
          type: boolean
        secCode:
          type: string
          description: Standard Entry Class code (e.g. PPD, CCD, WEB).
    WirePaymentInput:
      type: object
      description: MODELED. Verify required fields against the official reference.
      required:
        - amount
        - accountNumber
      properties:
        amount:
          type: number
        currency:
          type: string
          default: USD
        accountNumber:
          type: string
        beneficiary:
          type: object
          additionalProperties: true
    InstantPaymentInput:
      type: object
      description: MODELED. Verify required fields against the official reference.
      required:
        - amount
        - accountNumber
      properties:
        amount:
          type: number
        currency:
          type: string
          default: USD
        accountNumber:
          type: string
          description: The funding account number.
        creditorAccountNumber:
          type: string
        creditorRoutingNumber:
          type: string
        network:
          type: string
          enum:
            - CRNow
            - RTP
            - FedNow
    Payment:
      type: object
      properties:
        id:
          type: string
        status:
          type: string
        amount:
          type: number
        currency:
          type: string
        createdAt:
          type: string
          format: date-time
    CardInput:
      type: object
      description: MODELED. Verify required fields against the official reference.
      required:
        - customerId
        - accountNumber
      properties:
        customerId:
          type: string
        accountNumber:
          type: string
        cardType:
          type: string
          enum:
            - physical
            - virtual
    Card:
      allOf:
        - $ref: '#/components/schemas/CardInput'
        - type: object
          properties:
            id:
              type: string
            status:
              type: string
            last4:
              type: string
    Loan:
      type: object
      properties:
        id:
          type: string
        status:
          type: string
        amount:
          type: number
        currency:
          type: string