curl --request POST \
--url https://api.next.orenda.finance/v1/customers/{customerId}/accounts/{accountId}/cards/{cardId}/secure \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"confirmation": {
"method": "passkey",
"passkeySession": "pks_5e8a3c1d9b7f",
"assertion": "{\"id\":\"AQIDBAUGBwgJCgsMDQ4PEA\",\"response\":{\"clientDataJSON\":\"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0In0\",\"authenticatorData\":\"SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2M\",\"signature\":\"MEUCIQ\"}}"
},
"cipher": "v1.7c1d8e4a.8f3b2a9d6e4c1f0b"
}
'{
"success": true,
"data": {
"cardId": "crd_9f2a1c4b",
"pan": "BASE64_ENCRYPTED_PAN==",
"cvc2": "BASE64_ENCRYPTED_CVV==",
"expiry": "12/29",
"printedName": "Ada Lovelace"
}
}{
"success": false,
"code": "VALIDATION_ERROR",
"message": "newPin must be 4 digits"
}{
"success": false,
"code": "UNAUTHORIZED",
"message": "Unauthorized"
}{
"success": false,
"code": "CARD_NOT_FOUND",
"message": "Card not found"
}{
"success": false,
"code": "INVALID_CARD_STATE",
"message": "Card is already active"
}Cards
Get secure card details
Show the full PAN, CVV, and expiry behind a step-up confirmation.
POST
/
v1
/
customers
/
{customerId}
/
accounts
/
{accountId}
/
cards
/
{cardId}
/
secure
curl --request POST \
--url https://api.next.orenda.finance/v1/customers/{customerId}/accounts/{accountId}/cards/{cardId}/secure \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"confirmation": {
"method": "passkey",
"passkeySession": "pks_5e8a3c1d9b7f",
"assertion": "{\"id\":\"AQIDBAUGBwgJCgsMDQ4PEA\",\"response\":{\"clientDataJSON\":\"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0In0\",\"authenticatorData\":\"SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2M\",\"signature\":\"MEUCIQ\"}}"
},
"cipher": "v1.7c1d8e4a.8f3b2a9d6e4c1f0b"
}
'{
"success": true,
"data": {
"cardId": "crd_9f2a1c4b",
"pan": "BASE64_ENCRYPTED_PAN==",
"cvc2": "BASE64_ENCRYPTED_CVV==",
"expiry": "12/29",
"printedName": "Ada Lovelace"
}
}{
"success": false,
"code": "VALIDATION_ERROR",
"message": "newPin must be 4 digits"
}{
"success": false,
"code": "UNAUTHORIZED",
"message": "Unauthorized"
}{
"success": false,
"code": "CARD_NOT_FOUND",
"message": "Card not found"
}{
"success": false,
"code": "INVALID_CARD_STATE",
"message": "Card is already active"
}Returns the full PAN, CVV, and expiry, encrypted with the
secretKey from Get secure
key. It’s gated by a step-up confirmation — a passkey, a 2FA code,
or a PIN (a program capability). The full flow:
-
Get a secure key — keep the
secretKeyandcipher. -
For a passkey:
POST .../card/{cardId}/secure/passkey-challengeto get apasskeySessionandfido2options, and complete it on the device (same as a passkey login). For a 2FA code or PIN, skip this step. -
Call this endpoint with the
cipherand aconfirmationobject:"confirmation": { "method": "passkey", "passkeySession": "…", "assertion": "…" } "confirmation": { "method": "totp", "totp": "123456", "accessToken": "…" } "confirmation": { "method": "pin", "pin": "1234" } -
Decrypt the returned
pan/cvc2with thesecretKey.
Never log or store the decrypted values. Render them client-side and discard them.
Authorizations
The user's access token. The program and environment come from the token.
Path Parameters
The customer's id.
The account the card belongs to. A customer can have several accounts; cards are issued against one.
The card id from create / get cards.
Body
application/json
Step-up confirmation. Set method to passkey, totp, or pin and include that method's fields. pin is a program capability — see Program capabilities.
- Passkey
- 2FA code
- PIN
Show child attributes
Show child attributes
The cipher from Get secure key.
⌘I