Card Issuing supports partner-controlled and customer-controlled authentication flows.
Use x-partner-api-key for server-side partner registration and login routes:
POST /v1/auth/register/partnerPOST /v1/auth/login/partner
Never expose the partner API key in browser or mobile clients.
Email and wallet registration/login routes use the partner identifier configured for your integration:
x-partner-id: YOUR_PARTNER_IDUse this header on email and wallet registration/login routes such as POST /v1/auth/register/email, POST /v1/auth/register/wallet/challenge, and POST /v1/auth/login/email.
Email registration passwords must be strong: at least 8 characters with lowercase, uppercase, number, and symbol characters.
Customer-scoped routes use:
Authorization: Bearer CUSTOMER_ACCESS_TOKENUse this token for KYC, accounts, cards, topups, and transactions.
Refresh expired access tokens with POST /v1/auth/refresh using the refresh token as the bearer token:
Authorization: Bearer CUSTOMER_REFRESH_TOKENIf a login flow returns a session requiring two-factor authentication, use the returned session token as the bearer token for:
POST /v1/auth/2fa/sendPOST /v1/auth/2fa/verify