All card endpoints require X-Api-Key, X-Api-Secret, and Authorization: Bearer <user-jwt>. The JWT identifies which user’s card is being accessed.
Endpoints
| Method | Endpoint | Description |
|---|
GET | /api/v1/user/card/status | Return the current card status |
GET | /api/v1/user/card/details | Return masked details for the primary card |
POST | /api/v1/user/card/lock | Temporarily block the primary card |
POST | /api/v1/user/card/unlock | Reactivate a previously locked card |
PATCH | /api/v1/user/card/limit | Update the primary card spending limit |
GET | /api/v1/user/card/balance | Return the current balance by currency |
GET | /api/v1/user/card/transactions | Return transaction history |
Important notes
x-idempotency-key is required for lock, unlock, and limit- Use a unique UUID per operation to prevent duplicate processing
- A card with status
canceled cannot be reactivated
- If a card is
locked, secret endpoints such as PAN and CVC do not return data
Common errors
| HTTP status | Cause |
|---|
401 | Invalid or expired token |
404 | The authenticated user does not have a registered card |
409 | Duplicate idempotency key |