Cards are issued against an account, so most endpoints sit under /v1/customers/{customerId}/accounts/{accountId}/.... A customer can have several accounts; a card belongs to one of them. Every call uses the user’s bearer token.

Lifecycle

A card moves through these states:
statusMeaning
CREATEDIssued, not yet usable. Activate it.
ACTIVEUsable for transactions.
BLOCKEDTemporarily stopped. Unblock to reinstate.
CANCELLEDPermanently closed. Can’t be undone.

What you can do

Create a card

Get cards

Get card details

Activate

Block

Unblock

Cancel

Reset PIN

Update limit group

Secure card details

Confirm 3DS

Secure details (PAN / CVV)

The card object never exposes the real PAN or CVV — they’re masked. To show them, use the secure flow, which is encrypted end to end and gated by a step-up confirmation (passkey, 2FA code, or PIN on supported programs):
  1. Get a secure key — a secretKey (to decrypt) and a cipher (to pass back).
  2. For a passkey, get a passkey challenge and complete it on the device.
  3. Get the secure card details with a confirmation object and the cipher; decrypt with the secretKey.

3DS

When a card transaction triggers 3D Secure, a challenge appears for the customer to approve. Receive challenges in real time over WebSockets (recommended) or poll Get 3DS challenges, then confirm with approve or reject.
Cards, secure details, and 3DS are program/provider features — not every program has all of them. If a feature isn’t available you’ll get a clear error rather than a result. See Program capabilities.