Explore our REST API ecosystem designed for seamless integration into enterprise and fintech workflows.
The Citicapitol Bank API suite empowers developers to orchestrate complex financial operations programmatically,
including payouts, collections, reconciliations, and real-time transaction monitoring.
Built with RESTful principles and secured using OAuth2 authentication standards, our APIs provide granular
access control, ensuring that each key and endpoint operates within your assigned permission scope.
Leverage sandbox environments for comprehensive testing, simulate high-volume transaction scenarios,
and validate responses before production deployment. Our endpoints return consistent, versioned JSON payloads,
with well-defined status codes, rate-limiting headers, and webhook callbacks for asynchronous event handling,
enabling your systems to maintain synchronization with Citicapitol's core banking infrastructure.
Whether integrating ERP platforms, e-commerce solutions, or custom financial applications, our APIs are engineered
to deliver high availability, low latency, and enterprise-grade security standards, allowing your organization
to innovate confidently in payments and treasury management.
Authentication
All Citicapitol Bank API requests must include your issued API key as a Bearer token.
This key uniquely identifies the system making the request and must be kept secure.
For production use, ensure that API keys are stored in encrypted environment variables
and never committed directly into source code repositories.
Unauthorized or malformed requests will be rejected with a
401 Unauthorized error.
API keys are tied to your business account and permissions. Meaning that if your account only has
payout permissions, methods like collections will return an access error. You may issue multiple keys
for different environments such as local development, staging, or production, allowing you to revoke any
compromised or inactive access tokens without impacting other systems.
For enterprise integrations we recommend the OAuth2 Client Credentials grant. Your application exchanges a
client_id and client_secret for a short-lived access token (JWT). This avoids storing long-lived static keys in code.
Tokens include scopes that restrict actions (e.g., payouts:write, reconciliation:read).
Rotate client secrets periodically and use mutual TLS for increased security if your operations require it.
Use the returned access_token in the Authorization header for subsequent API calls.
The token expiry is short (typically 1 hour), so your app should refresh periodically.
This endpoint allows businesses to initiate payouts to beneficiary bank accounts.
Once a payout request is submitted, Citicapitol Bank validates the request parameters,
verifies available balance, applies fraud-screening heuristics, and places the transaction
in the processing pipeline.
Depending on your account configuration, payouts may process instantly, batched in settlement
cycles, or require manual approval from your operations dashboard. If the payout is delayed,
intermediate statuses such as pending_approval or queued
may be returned. Failed payouts will contain error metadata that can be reviewed in the
dashboard or via the Reconciliation API.
The Collections API allows businesses to initiate fund pulls directly from customer deposit accounts.
Common use cases include subscription billing, invoice settlement, rent collection,
recurring payments, and merchant pull-authorized transfers.
When a collection request is submitted, Citicapitol Bank verifies:
The customer account exists and is authorized
Sufficient balance is available
The request matches your authorization scope
No fraud or compliance flags are triggered
Collections may process instantly or asynchronously. Depending on your business profile,
you may also configure multi-level approval rules and notification workflows.
Enterprise clients require automated reporting for auditing, financial mapping,
settlement tracking, and variance detection. The Reconciliation API provides
a structured financial report of every payout, collection, refund, reversal,
chargeback, adjustment, and fee applied to your account.
Reports can be downloaded by date range, batch ID, transaction type,
business wallet, or custom metadata filters. Data returned is suitable
for ingestion into ERP platforms, BI dashboards, treasury accounting systems,
and automated settlement processors.
Webhooks allow real-time event push notifications from Citicapitol Bank to your backend system.
When a payout completes, a collection fails, or a fraud block is triggered, an HTTPS POST request
is sent to the webhook endpoint you registered in your dashboard.
Webhooks eliminate the need for continuous polling and are critical for:
Updating internal dashboards
Notifying customers through SMS/email
Triggering automated settlement rules
Triggering workflow engines (e.g., ERP, BPM, or treasury systems)
Your endpoint must return HTTP 200 OK within 10 seconds.
Any failure results in retry attempts with exponential back-off for up to 24 hours.
Webhook Payload Example
POST https://your-server.com/webhooks
{
"event": "transaction.completed",
"transaction_id": "txn_abc123",
"status": "completed"
}
Citicapitol returns structured error objects for all failing requests. Each error contains a machine-readable code,
a short human message, an HTTP status code, and optional diagnostic details to help troubleshooting.
Surface errors directly in your UI or log them for reconciliation — but never expose internal diagnostic tokens to end users.
When possible the API will include a request_id and help_url in error payloads so you can trace the request with support.
For production incidents include the request_id when contacting Citicapitol support for faster triage.
Common Error Response
{
"status": "error",
"code": "invalid_request",
"message": "The account_id field is required",
"details": {
"field": "account_id",
"reason": "missing"
},
"request_id": "req_01F3X4",
"status_code": 400,
"timestamp": "2025-11-24T14:00:00Z"
}
curl -i -X POST "https://api.citicapitol.com/v1/payouts" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"amount":1000}' # missing account_id
# Check HTTP status and JSON body for 'code' and 'request_id'
const res = await fetch("https://api.citicapitol.com/v1/payouts", { method: "POST", headers, body });
if (!res.ok) {
const err = await res.json();
console.error("API error:", err.code, err.message, "request:", err.request_id);
// show friendly message to user
}
r = requests.post(url, headers=headers, json=payload)
if r.status_code >= 400:
err = r.json()
print("API error:", err.get("code"), err.get("message"), "req:", err.get("request_id"))
Rate Limiting
To preserve overall platform stability, Citicapitol enforces rate limits per API key and per endpoint.
Limits are applied as a rolling window and may vary by plan. When a limit is exceeded the API returns a 429 response
with a retry_after value in seconds.
Implement exponential backoff on retries and respect the Retry-After header. For high-volume use cases,
contact your Citicapitol account manager to discuss an Enterprise plan with elevated limits and dedicated capacity.
$headers = curl_getinfo($ch);
echo $headers['request_header'];
// or inspect response headers returned by your HTTP client
r = requests.get(url, headers=headers)
print(r.headers.get("X-RateLimit-Remaining"))
Status Code Breakdown
Citicapitol follows conventional HTTP semantics. The status code is your primary signal for route behavior
(success vs. client vs. server error). Use the status code plus the error code field to drive programmatic handling.
2xx — Success. Action completed or accepted (200, 201).
4xx — Client error. Fix request and retry if appropriate (400, 401, 403, 404, 409).
5xx — Server error. Retry with backoff and alert support if persistent (500, 503).
Combine status code checks with the API's machine-readable code string for fine-grained flows (e.g. insufficient_balance,
rate_limit_exceeded, validation_failed).
curl -i "https://api.citicapitol.com/v1/payouts/txn_abc123" \
-H "Authorization: Bearer YOUR_API_KEY"
# HTTP/1.1 200 OK
# or HTTP/1.1 404 Not Found
const res = await fetch(url, { headers });
if (res.status === 404) { console.log("Not found"); }
else if (res.status >= 500) { /* retry */ }
r = requests.get(url, headers=headers)
if r.status_code == 404:
print("Not found")
elif r.status_code >= 500:
# retry with backoff
Loading...
Preparing your secure form...
Account Created Successfully 🎉
Welcome to Citicapitol Banking
Account TypeSavings Account
Account HolderJohn Doe
Account Number
0398426593
Copied!
Initial Deposit$1,000.00
StatusActive
Date CreatedNov 09, 2025
Your account is now active and ready to receive funds.
You can view or manage your balance,
deposits, and
transfers in your online dashboard.
Use your new account number to create your online access.
Pending Compliance Review
Your account is currently being reviewed by the
CitiCapitol Compliance & Risk Division.
