Moov API (v1)

The Moov API is an HTTP API served by Moov Financial, Inc for initiating money movements across the ACH payment rail. We follow RESTful operations and naming conventions with predictable and standard HTTP status codes. We are available to help with onboarding or issues related to our services on the Moov Slack organization or via support email.

Tenants and Organizations

The Moov API offers grouping for Customer, Transfer, and other records. A Tenant is the largest grouping, which covers an entire business entity such as an LLC or corporation. Login credentials are tied to a Tenant, and the Tenant is extracted from the credentials provided on each request. An Organization is a company onboarded by a Tenant that facilitates payments with its Customers.


The API will respond with various standard HTTP status codes for errors which indicate how to resolve the request's problem. All errors will be in the application/json Content-Type with the structure below.

  { "error": "Descriptive message" }

Status Code | Summary | Description
200 | OK | The request was successful.
400 | Bad Request | The request could not be understood by the server. The incoming parameters might not be valid.
404 | Not Found | The requested resource is not found or the credentials are not authorized to access it.
422 | Unprocessable Entity | The request was parsed but failed validation.
429 | Too Many Requests | Too many requests have been made in a short period of time. Please make requests at a slower rate or contact us.
500 | Server Error | The server could not return the representation due to an internal server error.
501 | Not Implemented | The requested operation is not supported (e.g. the endpoint supports PUT but not POST).


Currently the Moov API supports authentication with Cookies or JWTs on each request. Those need to be properly created from browser flows or API keys.

OpenID Connect (OIDC) Setup

The Moov API offers one authorization method via a configured OpenID Connect (OIDC) provider for your Tenant. This provider can be Google, GitHub, LDAP, or another vendor. We leverage OIDC because it allows immediate credential revocation, two-factor verification with that provider, and a faster signup flow for users.

Cross-Origin Resource Sharing

We support cross-origin resource sharing with whitelisted domains. This allows you to interact securely with our API from client-side web applications. Never expose your secret API key in any public website's client-side code.

Audience Claims

Audience claims are attached to your JWT request and establish the request URIs that the token is authorized to access. They are useful for restricting a token to specific access patterns, which limits the fallout if the token is leaked or stolen.

Within Moov our audience claims do not contain version paths. They are designed to work across endpoint versions.

An example claim requesting a sub-path looks like the following:


This would allow the following

  • GET

but reject the following

  • GET
  • GET

Note: Multiple HTTP request verbs can be included in an audience claim, for example.*/accounts

Note: When creating a JWT, include multiple audience claims for all the request URIs to access.

Query parameters

Within an audience claim you can specify whitelisted query parameters. By default no query parameters can be included.


This would allow the following

  • GET (out of order query parameters are allowed)

but reject the following

  • GET (missing skip and count)
  • GET (unexpected extra parameter)

Note: Specified query parameter values are case insensitive when compared to request URIs.
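
The matching rules described in this section, as an added example that is not Moov's implementation. The claim is held as a hypothetical `AudienceClaim` object because the page does not show the claim's wire format; whole-segment prefix matching for sub-paths, claims that list required name/value pairs, and the `api.example.test` host are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Hypothetical in-memory form of one audience claim; the claim's wire syntax
# is not reproduced on this page, so none is assumed here.
@dataclass
class AudienceClaim:
    methods: set                                # allowed HTTP verbs, e.g. {"GET", "POST"}
    path: str                                   # unversioned path, e.g. "/accounts"
    query: dict = field(default_factory=dict)   # whitelisted name -> value

_VERSION = re.compile(r"^/v\d+(?=/|$)")         # claims carry no version prefix

def _segments(path):
    return [s for s in path.split("/") if s]

def claim_allows(claim, method, url):
    parts = urlsplit(url)
    if method.upper() not in claim.methods:
        return False
    # Strip "/v1" style prefixes so one claim works across endpoint versions.
    want, got = _segments(claim.path), _segments(_VERSION.sub("", parts.path))
    # Assumption: the claim path must match on whole segments, so a claim for
    # "/accounts" covers "/accounts/123" but not "/accounts-archive".
    if got[:len(want)] != want:
        return False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [k for k, _ in pairs]
    # Default deny: every parameter must be whitelisted, none may be missing,
    # and duplicates are refused so a repeated name cannot shadow a checked one.
    if len(names) != len(set(names)) or set(names) != set(claim.query):
        return False
    # Order is irrelevant; values compare case-insensitively.
    return all(claim.query[k].lower() == v.lower() for k, v in pairs)

def request_authorized(claims, method, url):
    # A JWT may carry several audience claims; any single match is enough.
    return any(claim_allows(c, method, url) for c in claims)

# Constructed sample claims and host, for illustration only.
SAMPLE = [
    AudienceClaim({"GET"}, "/accounts", {"skip": "0", "count": "10"}),
    AudienceClaim({"GET", "POST"}, "/transfers"),
]
```

Evaluating the request against the unversioned path and the exact parameter set keeps a leaked token confined to the access pattern it was issued for.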



All requests and responses will be in the application/json MIME Content-Type unless otherwise specified.


The Moov API is currently using /v1/ as the versioning prefix for all endpoints. This results in a base URI of


Moov continuously monitors and scans our API services for security and privacy issues, but if you find a security related problem please contact us at