Skip to main content
GET
/
cards
List Cards
curl --request GET \
  --url https://{defaultHost}/cards \
  --header 'Authorization: Bearer <token>'
{
  "data": [
    {
      "object": "card",
      "id": "<string>",
      "name": "<string>",
      "status": "<string>",
      "last4": "<string>",
      "expiration_month": "<string>",
      "expiration_year": "<string>",
      "user_id": "<string>",
      "spent_last_month_cents": 123,
      "limit": {
        "amount": 123,
        "frequency": "<string>"
      },
      "billing": {
        "line1": "<string>",
        "line2": "<string>",
        "city": "<string>",
        "region": "<string>",
        "postal_code": "<string>",
        "country_code": "<string>"
      },
      "created_at": "2023-11-07T05:31:56Z",
      "canceled_at": "2023-11-07T05:31:56Z",
      "secrets": {
        "pan": "<string>",
        "cvc": "<string>",
        "name_on_card": "<string>"
      }
    }
  ]
}

Authorizations

Authorization
string
header
required

A company API key, company scoped JWT, app API key, or user OAuth token.

Headers

Api-Version-Date
string<date>

Pins the request to a dated API version. When omitted, the request uses the original (2025-01-01) request/response shapes, so existing unversioned callers are never broken. Generated SDKs always send the latest version they were built against. An unrecognized value is rejected with a 400. The schemas documented here always describe the latest version.

Example:

"2026-06-09"

Query Parameters

account_id
string

The owning account ID (a biz_ identifier). Provide this or user_id.

user_id
string

The owning user ID (a user_ identifier). Provide this or account_id.

card_id
string

An icrd_ identifier. When provided, only that card is returned.

reveal_secrets
boolean

When true, each active card includes a secrets object with the full card number (pan), cvc, and cardholder name.

Response

cards listed for an assigned cardholder without the ledger scope

data
object[]
required