Skip to main content
POST
/
cards
Create Card
curl --request POST \
  --url https://{defaultHost}/cards \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "account_id": "<string>",
  "user_id": "<string>",
  "name": "<string>",
  "spend_limit": 123,
  "transaction_limit": 123
}
'
{
  "object": "card",
  "id": "<string>",
  "name": "<string>",
  "last4": "<string>",
  "expiration_month": "<string>",
  "expiration_year": "<string>",
  "user_id": "<string>",
  "spent_last_month": 123,
  "limit": {
    "amount": 123,
    "frequency": "<string>"
  },
  "billing": {
    "line1": "<string>",
    "line2": "<string>",
    "city": "<string>",
    "region": "<string>",
    "postal_code": "<string>",
    "country_code": "<string>"
  },
  "created_at": "2023-11-07T05:31:56Z",
  "canceled_at": "2023-11-07T05:31:56Z",
  "secrets": {
    "card_number": "<string>",
    "cvc": "<string>",
    "name_on_card": "<string>"
  }
}

Authorizations

Authorization
string
header
required

An account API key, account scoped JWT, app API key, or user OAuth token.

Headers

Api-Version-Date
string<date>

Pins the request to a dated API version. When omitted, the request uses the original (2025-01-01) request/response shapes, so existing unversioned callers are never broken. Generated SDKs always send the latest version they were built against. An unrecognized value is rejected with a 400. The schemas documented here always describe the latest version.

Example:

"2026-06-09"

Body

application/json
account_id
string

The owning account ID (a biz_ identifier). Provide this or user_id.

user_id
string

The owning user ID (a user_ identifier). Provide this or account_id.

name
string

A display name for the card.

spend_limit
number

Spending limit amount, in dollars.

spend_limit_frequency
enum<string>

The spending limit window.

Available options:
daily,
weekly,
monthly,
one_time
transaction_limit
number

Per-transaction limit amount, in dollars.

Response

card created

object
enum<string>
required
Available options:
card
id
string
required

The icrd_ identifier of the card.

name
string | null
required
type
enum<string> | null
required

The card type.

Available options:
null,
virtual,
physical
status
enum<string> | null
required

The card status.

Available options:
null,
active,
frozen,
canceled,
invited
last4
string | null
required

The last 4 digits of the card number. Null for pending invitation cards.

expiration_month
string | null
required
expiration_year
string | null
required
user_id
string | null
required

The user_ identifier of the cardholder, when assigned.

spent_last_month
integer | null
required

Total spend in the last 30 days, in cents.

limit
object
required

The spending limit configuration.

billing
object
required

The billing address.

created_at
string<date-time> | null
required
canceled_at
string<date-time> | null
required
secrets
object

The card's sensitive details. Only present on GET /cards/:card_id (retrieve); null for cards that are not active or whose details could not be retrieved.