openapi: 3.0.3 info: title: Cross River Operating System (COS) API description: >- The Cross River Operating System (COS) is a collection of RESTful APIs from Cross River Bank (an FDIC-member bank) for embedded finance and Banking-as-a-Service - deposit accounts, ACH, wires, instant payments (RTP / FedNow / CRNow), card issuing and management, lending, and customer management (KYC / onboarding). COS is organized around REST with object-oriented URLs and JSON responses, and uses OAuth 2.0 (client credentials grant) to issue a signed JWT Bearer access token that must be sent on every request. ACCESS MODEL: Cross River is a regulated bank and COS access is partner/enterprise-gated. Programs are onboarded via Cross River sales and a relationship manager, who provision client_id / client_secret credentials for the sandbox (https://sandbox.crbcos.com) and, after go-live, for production. The public production base URL is not published in the open documentation. GROUNDING NOTE: The paths, methods, and module base URLs in this document are grounded in the public Cross River developer documentation at docs.crossriver.com (as of 2026-07-12). Because the live sandbox is credential-gated, request and response BODY SCHEMAS below are MODELED representative structures, not copied from the credential-gated OpenAPI / Postman collection Cross River shares with onboarded partners. Verify exact field names and required properties against the official reference and the partner-provided collection. version: '1.0' contact: name: Cross River url: https://www.crossriver.com/ license: name: Proprietary url: https://www.crossriver.com/ servers: - url: https://sandbox.crbcos.com description: >- COS sandbox host for the core modules (Core, ACH, Wires, RTP, Cards, etc.). Requires partner-provisioned OAuth2 credentials. Production host is issued separately during go-live and is not publicly documented. - url: https://arixapisandbox.crbnj.net description: Lending / loan origination sandbox host (separate from the core COS host). security: - oauth2ClientCredentials: [] tags: - name: Customer Management description: Customer records, KYC, and onboarding (COS Core module, /core/v1/cm). - name: Accounts description: Deposit accounts and subledgers (COS Core module, /core/v1/dda). - name: ACH description: ACH origination and receipt (COS Payments, /ach). - name: Wires description: Domestic wire transfers and drawdowns (COS Payments, /wires). - name: Instant Payments description: RTP, FedNow, and CRNow instant payments (COS Payments, /rtp). - name: Cards description: Debit card issuing and management (COS Card Management, /cardmanagement). - name: Lending description: Loan origination and servicing (separate lending host). paths: /core/v1/cm/customers: post: operationId: createCustomer tags: - Customer Management summary: Create a customer description: >- Creates a personal or business customer record used for KYC / onboarding. A customer record is required before opening deposit accounts or issuing cards. MODELED request body. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CustomerInput' responses: '200': description: The created customer. content: application/json: schema: $ref: '#/components/schemas/Customer' '401': $ref: '#/components/responses/Unauthorized' '422': $ref: '#/components/responses/ValidationError' /core/v1/cm/customers/{id}: parameters: - $ref: '#/components/parameters/Id' get: operationId: getCustomer tags: - Customer Management summary: Retrieve a customer description: Retrieves a customer record by its ID. responses: '200': description: The requested customer. content: application/json: schema: $ref: '#/components/schemas/Customer' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' delete: operationId: deactivateCustomer tags: - Customer Management summary: Deactivate a customer description: Deactivates (soft-deletes) a customer record. responses: '200': description: Deactivation confirmation. content: application/json: schema: $ref: '#/components/schemas/StatusResponse' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /core/v1/cm/customers/{customerId}/beneficial-owners: parameters: - $ref: '#/components/parameters/CustomerId' post: operationId: addBeneficialOwner tags: - Customer Management summary: Add a beneficial owner description: Adds a beneficial owner to a business customer. MODELED request body. requestBody: required: true content: application/json: schema: type: object additionalProperties: true responses: '200': description: The updated customer. content: application/json: schema: $ref: '#/components/schemas/Customer' '401': $ref: '#/components/responses/Unauthorized' /core/v1/cm/customers/{customerId}/identifications: parameters: - $ref: '#/components/parameters/CustomerId' post: operationId: addIdentification tags: - Customer Management summary: Add an identification description: Adds an identification document (e.g. SSN, passport) to a customer. MODELED request body. requestBody: required: true content: application/json: schema: type: object additionalProperties: true responses: '200': description: The updated customer. content: application/json: schema: $ref: '#/components/schemas/Customer' '401': $ref: '#/components/responses/Unauthorized' /core/v1/dda/accounts: post: operationId: createAccount tags: - Accounts summary: Open a deposit account description: Creates a deposit account (DDA) based on a product ID for a customer. MODELED request body. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AccountInput' responses: '200': description: The created account. content: application/json: schema: $ref: '#/components/schemas/Account' '401': $ref: '#/components/responses/Unauthorized' '422': $ref: '#/components/responses/ValidationError' /core/v1/dda/accounts/{accountNumber}/restrictions: parameters: - $ref: '#/components/parameters/AccountNumber' post: operationId: addAccountRestriction tags: - Accounts summary: Restrict an account description: Applies a restriction (e.g. hold, freeze) to a deposit account. MODELED request body. requestBody: required: true content: application/json: schema: type: object additionalProperties: true responses: '200': description: Restriction confirmation. content: application/json: schema: $ref: '#/components/schemas/StatusResponse' '401': $ref: '#/components/responses/Unauthorized' /core/v1/dda/accounts/{accountNumber}/statements: parameters: - $ref: '#/components/parameters/AccountNumber' get: operationId: listAccountStatements tags: - Accounts summary: List account statements description: Retrieves statement information for a deposit account. responses: '200': description: A list of statements. content: application/json: schema: type: object properties: data: type: array items: type: object additionalProperties: true '401': $ref: '#/components/responses/Unauthorized' /ach/v1/payments: post: operationId: sendAchPayment tags: - ACH summary: Send an ACH payment description: >- Originates a single ACH payment over the Federal Reserve ACH network. Supports standard and same-day ACH. An idempotency-key header is recommended to safely retry. MODELED request body. parameters: - $ref: '#/components/parameters/IdempotencyKey' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AchPaymentInput' responses: '200': description: The created ACH payment. content: application/json: schema: $ref: '#/components/schemas/Payment' '401': $ref: '#/components/responses/Unauthorized' '422': $ref: '#/components/responses/ValidationError' /wires/v1/payments: post: operationId: sendWirePayment tags: - Wires summary: Send a wire transfer description: Sends a single domestic wire transfer payment. MODELED request body. parameters: - $ref: '#/components/parameters/IdempotencyKey' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/WirePaymentInput' responses: '200': description: The created wire payment. content: application/json: schema: $ref: '#/components/schemas/Payment' '401': $ref: '#/components/responses/Unauthorized' '422': $ref: '#/components/responses/ValidationError' /wires/v1/payments/{id}/cancel: parameters: - $ref: '#/components/parameters/Id' post: operationId: cancelWirePayment tags: - Wires summary: Cancel a wire transfer description: Cancels a wire transfer payment by ID. responses: '200': description: Cancellation confirmation. content: application/json: schema: $ref: '#/components/schemas/StatusResponse' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /rtp/v1/payments: post: operationId: sendInstantPayment tags: - Instant Payments summary: Send an instant payment description: >- Initiates a single instant payment (credit transfer) over CRNow, RTP (The Clearing House), or FedNow, depending on the receiving bank's supported networks. MODELED request body. parameters: - $ref: '#/components/parameters/IdempotencyKey' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/InstantPaymentInput' responses: '200': description: The created instant payment. content: application/json: schema: $ref: '#/components/schemas/Payment' '401': $ref: '#/components/responses/Unauthorized' '422': $ref: '#/components/responses/ValidationError' /rtp/v1/directory: get: operationId: getInstantPaymentDirectory tags: - Instant Payments summary: Get supported instant-payment services description: >- Retrieves a list of instant-payment-related services supported by a specific financial institution (routing number), used to check whether a receiving bank supports RTP and/or FedNow before sending. parameters: - name: routingNumber in: query required: false description: ABA routing number of the financial institution to query. schema: type: string responses: '200': description: Supported services for the institution. content: application/json: schema: type: object additionalProperties: true '401': $ref: '#/components/responses/Unauthorized' /cardmanagement/v1/cards: get: operationId: listCards tags: - Cards summary: List cards description: Returns details about cards matching the supplied filters. responses: '200': description: A list of cards. content: application/json: schema: type: object properties: data: type: array items: $ref: '#/components/schemas/Card' '401': $ref: '#/components/responses/Unauthorized' post: operationId: createCard tags: - Cards summary: Create a card description: Requests creation of a new debit card for a customer/account. MODELED request body. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CardInput' responses: '200': description: The created card. content: application/json: schema: $ref: '#/components/schemas/Card' '401': $ref: '#/components/responses/Unauthorized' '422': $ref: '#/components/responses/ValidationError' /cardmanagement/v1/cards/{id}: parameters: - $ref: '#/components/parameters/Id' get: operationId: getCard tags: - Cards summary: Get a card description: Returns the details of a specific debit card by its ID. responses: '200': description: The requested card. content: application/json: schema: $ref: '#/components/schemas/Card' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /cardmanagement/v1/cards/{id}/activate: parameters: - $ref: '#/components/parameters/Id' post: operationId: activateCard tags: - Cards summary: Activate a card description: Activates a card for a customer (the preferred way to activate a card). responses: '200': description: Activation confirmation. content: application/json: schema: $ref: '#/components/schemas/Card' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /cardmanagement/v1/cards/{id}/suspend: parameters: - $ref: '#/components/parameters/Id' post: operationId: suspendCard tags: - Cards summary: Suspend a card description: Suspends a card by ID. responses: '200': description: Suspend confirmation. content: application/json: schema: $ref: '#/components/schemas/Card' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /cardmanagement/v1/cards/{id}/close: parameters: - $ref: '#/components/parameters/Id' post: operationId: closeCard tags: - Cards summary: Close a card description: Permanently deactivates a card. Closed cards cannot be reactivated. responses: '200': description: Close confirmation. content: application/json: schema: $ref: '#/components/schemas/Card' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /loan: post: operationId: addLoan tags: - Lending summary: Add a loan description: >- Creates a loan record in the lending system. Served from the separate lending host (arixapisandbox.crbnj.net in sandbox) with its own OAuth server. MODELED request body. requestBody: required: true content: application/json: schema: type: object additionalProperties: true responses: '200': description: The created loan. content: application/json: schema: $ref: '#/components/schemas/Loan' '401': $ref: '#/components/responses/Unauthorized' /loandetail/{id}: parameters: - $ref: '#/components/parameters/Id' get: operationId: getLoanDetail tags: - Lending summary: Get loan details description: Retrieves the details of a loan by its ID. responses: '200': description: The requested loan. content: application/json: schema: $ref: '#/components/schemas/Loan' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' /loan/{id}/fundinginfo: parameters: - $ref: '#/components/parameters/Id' put: operationId: requestLoanFundingRails tags: - Lending summary: Request loan funding rails description: Requests new payment rails for funding a loan. MODELED request body. requestBody: required: true content: application/json: schema: type: object additionalProperties: true responses: '200': description: The updated loan funding info. content: application/json: schema: $ref: '#/components/schemas/Loan' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' components: securitySchemes: oauth2ClientCredentials: type: oauth2 description: >- OAuth 2.0 client credentials grant. POST client_id, client_secret and grant_type=client_credentials to the COS identity provider token endpoint (sandbox: https://idptest.crbcos.com/connect/token; lending uses https://oauthtest.crbnj.net/connect/token). The response is a signed JWT that must be sent as `Authorization: Bearer ` on every request. flows: clientCredentials: tokenUrl: https://idptest.crbcos.com/connect/token scopes: {} parameters: Id: name: id in: path required: true description: The unique identifier of the resource. schema: type: string CustomerId: name: customerId in: path required: true description: The unique identifier of the customer. schema: type: string AccountNumber: name: accountNumber in: path required: true description: The deposit account number. schema: type: string IdempotencyKey: name: idempotency-key in: header required: false description: A client-generated UUID used to safely retry a request without duplicating it. schema: type: string format: uuid responses: Unauthorized: description: Missing or invalid Bearer token. content: application/json: schema: $ref: '#/components/schemas/Error' NotFound: description: The requested resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' ValidationError: description: The request payload failed validation. content: application/json: schema: $ref: '#/components/schemas/Error' schemas: Error: type: object properties: error: type: object properties: code: type: string message: type: string details: type: object additionalProperties: true StatusResponse: type: object properties: id: type: string status: type: string CustomerInput: type: object description: MODELED. Verify required fields against the official reference. required: - type properties: type: type: string enum: - personal - business firstName: type: string lastName: type: string legalName: type: string description: Legal name for a business customer. email: type: string format: email Customer: allOf: - $ref: '#/components/schemas/CustomerInput' - type: object properties: id: type: string status: type: string AccountInput: type: object description: MODELED. Verify required fields against the official reference. required: - productId - customerId properties: productId: type: string description: The deposit product to open the account under. customerId: type: string currency: type: string default: USD Account: allOf: - $ref: '#/components/schemas/AccountInput' - type: object properties: accountNumber: type: string status: type: string availableBalance: type: number AchPaymentInput: type: object description: MODELED. Verify required fields against the official reference. required: - amount - accountNumber properties: amount: type: number currency: type: string default: USD accountNumber: type: string description: The funding account number. counterparty: type: object additionalProperties: true sameDay: type: boolean secCode: type: string description: Standard Entry Class code (e.g. PPD, CCD, WEB). WirePaymentInput: type: object description: MODELED. Verify required fields against the official reference. required: - amount - accountNumber properties: amount: type: number currency: type: string default: USD accountNumber: type: string beneficiary: type: object additionalProperties: true InstantPaymentInput: type: object description: MODELED. Verify required fields against the official reference. required: - amount - accountNumber properties: amount: type: number currency: type: string default: USD accountNumber: type: string description: The funding account number. creditorAccountNumber: type: string creditorRoutingNumber: type: string network: type: string enum: - CRNow - RTP - FedNow Payment: type: object properties: id: type: string status: type: string amount: type: number currency: type: string createdAt: type: string format: date-time CardInput: type: object description: MODELED. Verify required fields against the official reference. required: - customerId - accountNumber properties: customerId: type: string accountNumber: type: string cardType: type: string enum: - physical - virtual Card: allOf: - $ref: '#/components/schemas/CardInput' - type: object properties: id: type: string status: type: string last4: type: string Loan: type: object properties: id: type: string status: type: string amount: type: number currency: type: string