Link a card
Link a card to an existing Moov account.
Read our accept card payments guide to learn more.
Only use this endpoint if you have provided Moov with a copy of your PCI attestation of compliance.
During card linking, the provided data will be verified by submitting a $0 authorization (account verification) request.
If merchantAccountID is provided, the authorization request will contain that account’s statement descriptor and address.
Otherwise, the platform account’s profile will be used. If no statement descriptor has been set, the authorization will
use the account’s name instead.
It is strongly recommended that callers include the X-Wait-For header, set to payment-method, if the newly linked
card is intended to be used right away. If this header is not included, the caller will need to poll the List Payment
Methods
endpoint to wait for the new payment methods to be available for use.
To access this endpoint using an access token
you’ll need to specify the /accounts/{accountID}/cards.write scope.
POST
/accounts/{accountID}/cards
|
|
|
|
The request completed successfully.
Describes a card on a Moov account.
{
"billingAddress": {
"addressLine1": "123 Main Street",
"addressLine2": "Apt 302",
"city": "Boulder",
"country": "US",
"postalCode": "80301",
"stateOrProvince": "CO"
},
"bin": "123456",
"brand": "Visa",
"cardAccountUpdater": {
"updateType": "number-update",
"updatedOn": "2024-05-06T12:20:38.184Z"
},
"cardCategory": "CLASSIC",
"cardID": "01234567-89ab-cdef-0123-456789abcdef",
"cardOnFile": true,
"cardType": "credit",
"cardVerification": {
"accountName": {
"firstName": "match",
"fullName": "match",
"lastName": "match",
"middleName": "match"
},
"addressLine1": "match",
"cvv": "match",
"postalCode": "match"
},
"commercial": false,
"domesticPullFromCard": "supported",
"domesticPushToCard": "standard",
"expiration": {
"month": "01",
"year": "21"
},
"fingerprint": "9948962d92a1ce40c9f918cd9ece3a22bde62fb325a2f1fe2e833969de672ba3",
"holderName": "Jules Jackson",
"issuer": "GRINGOTTS BANK",
"issuerCountry": "US",
"issuerPhone": "8185551212",
"issuerURL": "HTTPS://WWW.EXAMPLE.COM/",
"lastFourCardNumber": "1234",
"merchantAccountID": "01234567-89ab-cdef-0123-456789abcdef",
"paymentMethods": [
{
"paymentMethodID": "01234567-89ab-cdef-0123-456789abcdef",
"paymentMethodType": "card-payment"
},
{
"paymentMethodID": "01234567-89ab-cdef-0123-456789abcdef",
"paymentMethodType": "push-to-card"
},
{
"paymentMethodID": "01234567-89ab-cdef-0123-456789abcdef",
"paymentMethodType": "pull-from-card"
}
],
"regulated": false
}Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The server could not understand the request due to invalid syntax.
{
"error": "string"
}Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The request contained missing or expired authentication.
Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The user is not authorized to make the request.
Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The requested resource was not found.
Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The request conflicted with the current state of the target resource.
{
"error": "string"
}Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The request was well-formed, but the contents failed validation. Check the request for missing or invalid fields.
{
"billingAddress": "string",
"cardCvv": "string",
"cardNumber": "string",
"cardOnFile": "string",
"e2ee": {
"token": "string"
},
"error": "string",
"expiration": "string",
"holderName": "string",
"merchantAccountID": "string",
"verifyName": "string"
}Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
Request was refused due to rate limiting.
Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The request failed due to an unexpected error.
Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
The request failed because a downstream service failed to respond.
Response headers
x-request-id
string
<uuid>
required
A unique identifier used to trace requests.
Headers
x-moov-version
string
API version
Specify an API version.
API versioning follows the format vYYYY.QQ.BB, where
YYYYis the yearQQis the two-digit month for the first month of the quarter (e.g., 01, 04, 07, 10)BBis the build number, starting at.01, for subsequent builds in the same quarter.- For example,
v2024.01.00is the initial release of the first quarter of 2024.
- For example,
The latest version represents the most recent development state. It may include breaking changes and should be treated as a beta release.
Default:
v2024.01.00x-wait-for
string
Optional header to wait for certain events, such as the creation of a payment method, to occur before returning a response.
When this header is set to payment-method, the response will include any payment methods that were created for the newly
linked card in the paymentMethods field. Otherwise, the paymentMethods field will be omitted from the response.
Possible values:
payment-method
Path parameters
accountID
string
<uuid>
required
Body
application/json
billingAddress
object
required
Show child attributes
postalCode
string
<=10 characters
required
addressLine1
string
<=60 characters
addressLine2
string
<=32 characters
city
string
<=32 characters
country
string
<=2 characters
stateOrProvince
string
<=2 characters
cardCvv
string
required
cardNumber
string
required
expiration
object
required
The expiration date of the card or token.
Show child attributes
month
string
2 characters
required
year
string
2 characters
required
cardOnFile
boolean
e2ee
object
Wraps a compact-serialized JSON Web Encryption (JWE) token used for secure transmission of sensitive data (e.g., PCI information) through intermediaries.
This token is encrypted using the public key from /end-to-end-keys and wraps an AES key. For details and examples, refer to our
GitHub repository.
Show child attributes
token
string<jwe>
required
An RFC compact-serialized JSON Web Encryption (JWE) token.
holderName
string
merchantAccountID
string
verifyName
boolean
Response
application/json
billingAddress
object
required
Show child attributes
postalCode
string
<=10 characters
required
addressLine1
string
<=60 characters
addressLine2
string
<=32 characters
city
string
<=32 characters
country
string
<=2 characters
stateOrProvince
string
<=2 characters
bin
string
[6 to 8] characters
required
The first six to eight digits of the card number, which identifies the financial institution that issued the card.
brand
string<enum>
required
The card brand.
Possible values:
American Express,
Discover,
Mastercard,
Visa,
Unknown
cardID
string<uuid>
required
ID of the card.
cardType
string<enum>
required
The type of the card.
Possible values:
debit,
credit,
prepaid,
unknown
cardVerification
object
required
The results of submitting cardholder data to a card network for verification.
Show child attributes
accountName
object
required
The results of submitting cardholder name to a card network for verification.
Show child attributes
firstName
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
fullName
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
lastName
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
middleName
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
addressLine1
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
cvv
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
postalCode
string<enum>
required
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
domesticPullFromCard
string<enum>
required
Indicates if the card supports domestic pull-from-card transfer.
Possible values:
not-supported,
supported,
unknown
domesticPushToCard
string<enum>
required
Indicates which level of domestic push-to-card transfer is supported by the card, if any.
Possible values:
not-supported,
standard,
fast-funds,
unknown
expiration
object
required
The expiration date of the card or token.
Show child attributes
month
string
2 characters
required
year
string
2 characters
required
fingerprint
string
<=100 characters
required
Uniquely identifies a linked payment card or token.
For Apple Pay, the fingerprint is based on the tokenized card number and may vary based on the user’s device.
This field can be used to identify specific payment methods across multiple accounts on your platform.
issuer
string
required
Financial institution that issued the card.
issuerCountry
string
required
Country where the card was issued.
issuerPhone
string
required
Phone number of the issuer.
issuerURL
string<uri>
required
URL of the issuer.
lastFourCardNumber
string
4 characters
required
Last four digits of the card number
cardAccountUpdater
object
The results of the most recent card update request.
Show child attributes
updateType
string<enum>
The results of the card update request.
Possible values:
unspecified,
account-closed,
contact-cardholder,
expiration-update,
no-change,
no-match,
number-update
updatedOn
string<date-time>
cardCategory
string
The category or level of the card defined by the issuer.
Examples include, but not limited to, “REWARDS”, “TRADITIONAL REWARDS”, “CLASSIC”, and “CORPORATE PURCHASING”.
cardOnFile
boolean
Indicates cardholder has authorized card to be stored for future payments.
commercial
boolean
If true, the card is for commercial use, or associated with a business.
If false, the card is associated with a general consumer.
holderName
string
The name of the cardholder as it appears on the card.
merchantAccountID
string<uuid>
paymentMethods
array
Show child attributes
paymentMethodID
string<uuid>
ID of the payment method.
paymentMethodType
string<enum>
The payment method type that represents a payment rail and directionality
Possible values:
moov-wallet,
ach-debit-fund,
ach-debit-collect,
ach-credit-standard,
ach-credit-same-day,
rtp-credit,
card-payment,
push-to-card,
pull-from-card,
apple-pay,
card-present-payment
regulated
boolean
If true, the card issuing bank is regulated, and the scheme fees for debit transactions will be limited based on the Durbin Amendment.
If false, the card issuing bank is not regulated, and the scheme fees will not be limited.