POST
/
v1
/
customers
/
{customerId}
/
accounts
/
{accountId}
/
cards
/
{cardId}
/
secure
curl --request POST \
  --url https://api.next.orenda.finance/v1/customers/{customerId}/accounts/{accountId}/cards/{cardId}/secure \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "confirmation": {
    "method": "passkey",
    "passkeySession": "pks_5e8a3c1d9b7f",
    "assertion": "{\"id\":\"AQIDBAUGBwgJCgsMDQ4PEA\",\"response\":{\"clientDataJSON\":\"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0In0\",\"authenticatorData\":\"SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2M\",\"signature\":\"MEUCIQ\"}}"
  },
  "cipher": "v1.7c1d8e4a.8f3b2a9d6e4c1f0b"
}
'
{
  "success": true,
  "data": {
    "cardId": "crd_9f2a1c4b",
    "pan": "BASE64_ENCRYPTED_PAN==",
    "cvc2": "BASE64_ENCRYPTED_CVV==",
    "expiry": "12/29",
    "printedName": "Ada Lovelace"
  }
}
{
"success": false,
"code": "VALIDATION_ERROR",
"message": "newPin must be 4 digits"
}
{
"success": false,
"code": "UNAUTHORIZED",
"message": "Unauthorized"
}
{
"success": false,
"code": "CARD_NOT_FOUND",
"message": "Card not found"
}
{
"success": false,
"code": "INVALID_CARD_STATE",
"message": "Card is already active"
}
Returns the full PAN, CVV, and expiry, encrypted with the secretKey from Get secure key. It’s gated by a step-up confirmation — a passkey, a 2FA code, or a PIN (a program capability). The full flow:
  1. Get a secure key — keep the secretKey and cipher.
  2. For a passkey: POST .../card/{cardId}/secure/passkey-challenge to get a passkeySession and fido2options, and complete it on the device (same as a passkey login). For a 2FA code or PIN, skip this step.
  3. Call this endpoint with the cipher and a confirmation object:
    "confirmation": { "method": "passkey", "passkeySession": "…", "assertion": "…" }
    "confirmation": { "method": "totp", "totp": "123456", "accessToken": "…" }
    "confirmation": { "method": "pin", "pin": "1234" }
    
  4. Decrypt the returned pan / cvc2 with the secretKey.
Never log or store the decrypted values. Render them client-side and discard them.

Authorizations

Authorization
string
header
required

The user's access token. The program and environment come from the token.

Path Parameters

customerId
string
required

The customer's id.

accountId
string
required

The account the card belongs to. A customer can have several accounts; cards are issued against one.

cardId
string
required

The card id from create / get cards.

Body

application/json
confirmation
Passkey · object
required

Step-up confirmation. Set method to passkey, totp, or pin and include that method's fields. pin is a program capability — see Program capabilities.

cipher
string

The cipher from Get secure key.

Response

Secure card data

success
boolean
Example:

true

data
object

Sensitive values, encrypted with the secretKey from Get secure key. Decrypt client-side; never log or store them.