Quail Creek Bank has run from one address on North May Avenue in Oklahoma City since 1974, and the size of the bank is not what determines whether its app data is reachable — the platform underneath it is. Per its Play Store listing the Android package is com.apiture.xpressmobile.qcbocok.sub, which places the app on Apiture's Xpress Mobile white-label stack. That matters: the sign-in and data calls follow Apiture's documented OpenID Connect pattern rather than a one-off home-grown scheme, so the authorized route is well-characterized before a single packet is captured. The bottom line for an integrator is short. The account data is structured, per-user, and behind a stable token flow; the practical route is user-consented access through that interface; what we hand over is a runnable client plus its spec and tests.
What account data the QCB app holds
The surfaces below come straight from the app's own feature list and the bank's digital-banking page, named the way they appear to a customer. Each is server-side state behind an authenticated session — the kind of data a third party integrates rather than scrapes from a screen.
| Data domain | Where it originates in the app | Granularity | What an integrator does with it |
|---|---|---|---|
| Account balances | Accounts screen — latest balance per linked deposit/loan account | Per account, current | Cash-position dashboards, reconciliation, balance-trigger alerts |
| Transaction history | Recent-transactions search by date, amount, or check number | Per transaction; filterable; check-number addressable | Categorization, bookkeeping sync, audit and dispute lookup |
| Internal transfers | Transfers between the customer's QCB accounts | Per movement, with status | Sweep automation, balance rebalancing logic |
| External transfers | Transfers to accounts at other financial institutions | Per movement, scheduled or immediate | Outbound funding flows, settlement tracking |
| Bill Pay | Payments plus recent and scheduled payment lists | Per payment; future-dated visible | Payables reconciliation, scheduled-spend forecasting |
| Payees | Add, reuse, or delete payees from the app | Per payee record | Vendor-list sync; write path, handled with care (see below) |
| Mobile check deposit | Camera-captured check submission | Per deposit item with image | Deposit-status tracking; modeled only on request |
| P2P (PaySomeone) | Person-to-person payments named "PaySomeone" on the bank site | Per transfer | Disbursement reconciliation |
| Statements | eStatements, roughly 18 months of history per the bank's online-banking page | Per statement period (PDF) | Document archival, lending/underwriting evidence |
Getting to that data: the routes that apply here
Three routes are realistic for this app, and one native fallback exists. We name which we would actually run.
Authorized interface integration / protocol analysis
The app authenticates with OpenID Connect and PKCE against Apiture's token endpoint, then calls JSON resources with a bearer token. Under the customer's authorization we characterize that flow against a consenting account and build a client for the balance, transaction-search, transfer and Bill Pay calls. Reachable: nearly everything a customer sees. Effort: moderate, lowered because the platform pattern is documented and consistent. Durability: high for the token chain, medium for resource shapes that move with platform releases. Setup is ours — access and a consenting test account are arranged with you during onboarding.
User-consented credential access
For aggregation-style use, the integration runs under the account holder's own consent and credentials, scoped to read balances, transactions and statements. Reachable: read surfaces. Effort: low once route one is mapped. Durability: tracks the consent lifecycle. This is the route we would recommend as the spine for Quail Creek, because a single-branch community bank's customers are best served by consented read access that does not depend on a federal rule landing.
Native export fallback
The bank's online banking exports to Quicken, QuickBooks and Microsoft Money and offers about 18 months of eStatements. That covers historical pulls but not real-time balance or transfer state, so it supplements rather than replaces an interface integration.
A regulated open-banking path under US personal-financial-data rights is a fourth option on paper; its footing for a bank this size is covered below and is not something the delivery timeline waits on.
What lands at the end of the build
Everything is tied to Quail Creek's actual surfaces, not a template:
- An OpenAPI/Swagger specification covering the auth flow plus the balance, transaction-search (date / amount / check-number), transfer, Bill Pay, payee and statement endpoints as observed for this tenant.
- A protocol and auth-flow report: the OpenID Connect discovery, PKCE code-verifier/challenge exchange, bearer-token use and refresh as they behave on the Apiture stack.
- Runnable source for the key endpoints in Python and Node.js — authenticate, refresh, list accounts, search transactions, pull statements, and a gated transfer/payee path.
- Automated tests against a consenting account, including token-refresh and transaction-paging cases.
- Interface documentation plus data-retention and consent-logging guidance written for a US deposit institution.
Auth and a transaction call, concretely
Illustrative, reflecting the Apiture Xpress Mobile pattern this app uses; exact field names are confirmed against the live tenant during the build.
```text
# 1. OpenID Connect discovery (Apiture, production)
GET https://auth.apiture.com/oidc/.well-known/openid-configuration
-> { "authorization_endpoint": "...", "token_endpoint": "..." }

# 2. PKCE authorization-code exchange (mobile client)
verifier  = random_urlsafe(64)
challenge = base64url(sha256(verifier))   # code_challenge_method = S256
# user authenticates at authorization_endpoint -> returns ?code=...
POST {token_endpoint}
  grant_type=authorization_code
  code={code}  code_verifier={verifier}  client_id={tenant_client}
-> { "access_token": "...", "token_type": "Bearer",
     "expires_in": 3600, "refresh_token": "..." }

# 3. Transaction search bound to QCB's surfaces
GET /accounts/{accountId}/transactions
    ?from=2026-04-01&to=2026-04-30&amount=125.00&checkNumber=1043
Authorization: Bearer {access_token}
200 -> { "items": [ { "id": "...", "postedDate": "...",
                      "amount": -125.00, "checkNumber": "1043",
                      "description": "...", "status": "posted" } ],
         "nextPage": "..." }

# 4. Silent refresh before expiry
POST {token_endpoint}  grant_type=refresh_token  refresh_token={refresh_token}
# 401 -> re-run discovery + PKCE; do not retry blindly
```
Data-rights footing for a single-branch Oklahoma bank
Quail Creek has historically operated as a national association; the Oklahoma Banking Board approved its conversion to a state charter in February 2022, per the Oklahoma Banking Department. Either way it is a US deposit institution covered by federal personal-financial-data rules. The CFPB's Section 1033 rule was issued, then opened for reconsideration in August 2025, and a federal court enjoined its enforcement in late October 2025 — so its tiered, size-based compliance schedule should be treated as unsettled rather than a present obligation, and we do not quote those tier dates as fixed. The practical consequence for this bank is small: as the smallest data-provider class, a one-branch institution would sit at the very end of any phased schedule, so an integration here is built on user-consented access today, with consent records, scoped read permissions, revocation handling and data minimization, and re-pointed to a regulated channel later if and when one binds this size of bank. Access is authorized and logged; an NDA is in place where the engagement needs one.
Engineering realities we plan around
These are specific to this app and handled on our side, not conditions placed on you:
- The slug qcbocok in the package name is one tenant on Apiture's shared Xpress Mobile build. We pin discovery and the client to Quail Creek's tenant configuration so balance reads, transfers and payee writes never resolve into another institution's namespace.
- Several surfaces are write-capable — add or delete a payee, initiate an internal or external transfer, schedule a bill payment. The delivered client defaults to read-only (balances, transaction search, statements); any write path is a separate, opt-in call behind explicit consent logging, because a wrong payee delete is destructive and not reversible from our side.
- Mobile check deposit is camera-capture plus image upload, which carries Reg CC timing and fraud-control handling beyond a normal read. We keep it out of the standard scope and model deposit submission only when a project specifically needs it, coordinating that path with the bank during onboarding.
- The Apiture platform publishes versioned APIs and reports strong uptime for 2025 on its own materials; we pin to the schema version observed at build time and re-check the transaction and payee shapes after a platform release rather than assuming they held.
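A sketch of the first two points as client-side guards, added here as an example and not taken from the delivered client or from Apiture: a discovery document is rejected when its endpoints leave the pinned host, and write operations fail until they are enabled with a recorded consent reference. The operation names, the consent-reference format and the endpoint paths used to exercise it are hypothetical; only the host comes from the discovery URL shown earlier, and pinning the tenant's own client configuration would sit alongside this check.

```python
from urllib.parse import urlsplit

PINNED_HOST = "auth.apiture.com"  # host of the discovery URL on this page
# Hypothetical operation names for the surfaces the page lists.
READ_OPS = {"list_accounts", "search_transactions", "get_statement"}
WRITE_OPS = {"add_payee", "delete_payee", "create_transfer", "schedule_payment"}


def check_discovery(doc: dict, pinned_host: str = PINNED_HOST) -> dict:
    """Return the endpoints, or raise if any is not https on the pinned host."""
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        raw = str(doc.get(key) or "")
        url = urlsplit(raw)
        # .hostname ignores userinfo, so "https://pinned@other/" is caught.
        if url.scheme != "https" or url.hostname != pinned_host:
            raise ValueError(f"{key} not on pinned host: {raw!r}")
        endpoints[key] = raw
    return endpoints


class GatedClient:
    """Read-only by default; each write path needs an explicit, logged opt-in."""

    def __init__(self):
        self.consent_log = []  # (operation, consent_ref) audit trail
        self._enabled = set()

    def enable_write(self, op: str, consent_ref: str) -> None:
        if op not in WRITE_OPS or not consent_ref:
            raise ValueError("unknown write operation or missing consent")
        self.consent_log.append((op, consent_ref))
        self._enabled.add(op)

    def authorize(self, op: str) -> bool:
        """Call before every request; reads pass, writes need prior opt-in."""
        if op in READ_OPS or op in self._enabled:
            return True
        raise PermissionError(f"{op} is not a read operation and was not opted in")
```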
Where this data gets used
- A bookkeeping product pulls categorized QCB transactions by date range and check number to auto-reconcile a small Oklahoma business's ledger.
- A treasury tool tracks balances across QCB and other institutions, using the external-transfer surface to move funds to a target balance.
- A lender ingests 18 months of eStatements plus live balances as consented income and reserve evidence during underwriting.
- A personal-finance app mirrors Bill Pay scheduled payments into a cash-flow forecast so a future-dated payment never surprises the user.
What the app screens show
Store screenshots, used to confirm the surfaces named above.
Other community-bank apps in the same bucket
Same category — US community and regional bank apps holding comparable per-user balances, transfers and bill-pay records. Listed for ecosystem context; a unified integration normalizes across this set.
- Arvest Go — Arvest Bank's app across Arkansas, Oklahoma, Missouri and Kansas; balances, card controls, mobile deposit and transfers.
- BOK Financial / Bank of Oklahoma — regional bank app with deposit accounts, transfers and bill pay across Oklahoma.
- MidFirst Bank — Oklahoma City-based bank app covering personal and small-business accounts and lending.
- Tinker Federal Credit Union — large Oklahoma credit-union app with share accounts, loans and transfers.
- First Fidelity Bank — Oklahoma City community bank app with balances, deposit and payments.
- RCB Bank — Oklahoma and Kansas community bank app with everyday deposit and bill-pay features.
- Citizens Bank of Edmond — small Oklahoma bank app with consumer deposit accounts and transfers.
- Valliance Bank — Oklahoma City bank app with personal and business banking surfaces.
Sourcing and review notes
Built from the app's Play Store feature list and icon, the bank's own digital-banking and homepage descriptions, the Oklahoma Banking Department's 2022 charter-conversion notice, Apiture's developer documentation for the OpenID Connect / PKCE flow, and the CFPB's current reconsideration record — all opened in May 2026. Primary sources: Quail Creek Bank digital banking, Apiture secure-access guide, Oklahoma Banking Board notice, CFPB Section 1033 reconsideration. Compiled by the OpenBanking Studio integration desk, May 2026.
Questions integrators raise about this app
The app runs on Apiture's Xpress Mobile build — does that change how you reach the data?
It helps. The package identifier puts Quail Creek's app on Apiture's shared Xpress Mobile stack, whose mobile sign-in is OpenID Connect with PKCE against an AWS-hosted token endpoint. We characterize that token chain and the balance, transaction and statement calls once, pinned to Quail Creek's tenant configuration, so the delivered client is stable rather than guessed at.
Can transaction search by amount and check number come through, or only by date?
The app describes search by date, amount and check number. Those three become query parameters on the transaction-history call, and the client we hand over exposes all three filters plus date-range paging, not just a flat recent-activity list.
Quail Creek moved toward a state charter — does that affect the data-rights route?
In practice, no. The near-term route is user-consented access through the app's own authenticated interface. The federal personal-financial-data-rights rule is under reconsideration and its enforcement was judicially enjoined in late October 2025, and a one-branch bank of this size sits in the last compliance tier regardless of whether supervision is federal or state, so the route does not wait on that rule.
If Quail Creek ships an Apiture front-end update, does the integration stop working?
The OpenID Connect token flow is the stable part and rarely moves. We re-validate the transaction-history and payee surfaces against the published Apiture schema version after a platform release and refresh the client if field names or paging shift, so a UI refresh on the bank's side does not silently break a sync.
What you receive for Quail Creek Bank Mobile is the runnable client for its balance, transaction-search, transfer and Bill Pay calls, with the OpenAPI spec, the auth-flow report and the tests beside it. Source-code delivery starts at $300, invoiced only after the build is in your hands and working against a consenting account; if you would rather not run infrastructure, the same surfaces are available as hosted endpoints billed per call with nothing upfront. Either way the cycle is one to two weeks, and access, a test account and any compliance paperwork are arranged together with you — not asked of you before we start. Send the app name and what you need from its data at openbankingstudio.com/contact and we will scope it back to you.
App profile: Quail Creek Bank Mobile (factual recap)
Quail Creek Bank Mobile is the mobile banking app of Quail Creek Bank, a community bank operating from a single Oklahoma City location since 1974 (per the bank's site and DepositAccounts.com). Per its Play Store listing the Android package is com.apiture.xpressmobile.qcbocok.sub, on Apiture's Xpress Mobile platform. Stated features: account-balance checks and recent-transaction search by date, amount or check number; transfers between the customer's accounts and to other institutions; Bill Pay with recent and scheduled payments; payee add/reuse/delete; camera check deposit; and biometric sign-on via fingerprint or facial recognition. The bank's site also lists PaySomeone P2P, Zelle, SecurLOCK Equip card controls, eStatements and Apple Pay / Google Pay. Quail Creek operated as a national association; the Oklahoma Banking Board approved a state-charter conversion in February 2022 (Oklahoma Banking Department). This page is independent technical analysis and is not affiliated with the bank.