Skip to content

Card Issuing supports partner-controlled and customer-controlled authentication flows.

Partner API key

Use x-partner-api-key for server-side partner registration and login routes:

  • POST /v1/auth/register/partner
  • POST /v1/auth/login/partner

Never expose the partner API key in browser or mobile clients.

Partner identifier

Email and wallet registration/login routes use the partner identifier configured for your integration:

x-partner-id: YOUR_PARTNER_ID

Use this header on email and wallet registration/login routes such as POST /v1/auth/register/email, POST /v1/auth/register/wallet/challenge, and POST /v1/auth/login/email.

Email registration passwords must be strong: at least 8 characters with lowercase, uppercase, number, and symbol characters.

Customer bearer token

Customer-scoped routes use:

Authorization: Bearer CUSTOMER_ACCESS_TOKEN

Use this token for KYC, accounts, cards, topups, and transactions.

Refresh tokens and 2FA

Refresh expired access tokens with POST /v1/auth/refresh using the refresh token as the bearer token:

Authorization: Bearer CUSTOMER_REFRESH_TOKEN

If a login flow returns a session requiring two-factor authentication, use the returned session token as the bearer token for:

  • POST /v1/auth/2fa/send
  • POST /v1/auth/2fa/verify