Link a card
Link a card to an existing Moov account.
Read our accept card payments guide to learn more.
Only use this endpoint if you have provided Moov with a copy of your PCI attestation of compliance.
During card linking, the provided data will be verified by submitting a $0 authorization (account verification) request.
If merchantAccountID is provided, the authorization request will contain that account's statement descriptor and address.
Otherwise, the platform account's profile will be used. If no statement descriptor has been set, the authorization will
use the account's name instead.
It is strongly recommended that callers include the X-Wait-For header, set to payment-method, if the newly linked
card is intended to be used right away. If this header is not included, the caller will need to poll the List Payment
Methods
endpoint to wait for the new payment methods to be available for use.
To access this endpoint using an access token
you'll need to specify the /accounts/{accountID}/cards.write scope.
POST
/accounts/{accountID}/cards
curl -X POST "https://api.moov.io/accounts/{accountID}/cards" \
-H "Authorization: Bearer {token}" \
-H "X-Moov-Version: v2026.01.00" \
-d '{
"cardNumber": "4111111111111111",
"cardCvv": "123",
"expiration": {
"month": "01",
"year": "21"
},
"holderName": "Jules Jackson",
"billingAddress": {
"postalCode": "80301"
}
}'mc, _ := moov.NewClient()
var accountID string
cardPayload := moov.CreateCard{
BillingAddress: moov.Address{
AddressLine1: "123 Main Street",
City: "Denver",
StateOrProvince: "CO",
PostalCode: "80301",
Country: "US",
},
CardNumber: "4111111111111111",
CardCvv: "123",
Expiration: moov.Expiration{
Month: "01",
Year: "28",
},
HolderName: "Jules Jackson",
}
mc.CreateCard(ctx, accountID, cardPayload)
import { Moov } from "@moovio/sdk";
const moov = new Moov({
security: {
username: "",
password: "",
},
});
async function run() {
const result = await moov.cards.link({
xWaitFor: "payment-method",
accountID: "5593e46f-7936-474b-a52b-96f1da46867b",
linkCard: {
cardNumber: "4111111111111111",
cardCvv: "123",
expiration: {
month: "01",
year: "21",
},
holderName: "Jules Jackson",
billingAddress: {
postalCode: "80301",
},
},
});
console.log(result);
}
run();declare(strict_types=1);
require 'vendor/autoload.php';
use Moov\MoovPhp;
use Moov\MoovPhp\Models\Components;
$sdk = MoovPhp\Moov::builder()
->setSecurity(
new Components\Security(
username: '',
password: '',
)
)
->build();
$linkCard = new Components\LinkCard(
cardNumber: '4111111111111111',
cardCvv: '123',
expiration: new Components\CardExpiration(
month: '01',
year: '21',
),
holderName: 'Jules Jackson',
billingAddress: new Components\CardAddress(
postalCode: '80301',
),
);
$response = $sdk->cards->link(
accountID: '5593e46f-7936-474b-a52b-96f1da46867b',
linkCard: $linkCard,
xWaitFor: Components\LinkCardWaitFor::PaymentMethod
);
if ($response->card !== null) {
// handle response
}package hello.world;
import io.moov.sdk.Moov;
import io.moov.sdk.models.components.*;
import io.moov.sdk.models.errors.*;
import io.moov.sdk.models.operations.LinkCardResponse;
import java.lang.Exception;
public class Application {
public static void main(String[] args) throws GenericError, DuplicateCardError, LinkCardError, Exception {
Moov sdk = Moov.builder()
.security(Security.builder()
.username("")
.password("")
.build())
.build();
LinkCardResponse res = sdk.cards().link()
.xWaitFor(LinkCardWaitFor.PAYMENT_METHOD)
.accountID("5593e46f-7936-474b-a52b-96f1da46867b")
.linkCard(LinkCard.builder()
.cardNumber("4111111111111111")
.cardCvv("123")
.expiration(CardExpiration.builder()
.month("01")
.year("21")
.build())
.billingAddress(CardAddress.builder()
.postalCode("80301")
.build())
.holderName("Jules Jackson")
.build())
.call();
if (res.card().isPresent()) {
System.out.println(res.card().get());
}
}
}from moovio_sdk import Moov
from moovio_sdk.models import components
with Moov(
security=components.Security(
username="",
password="",
),
) as moov:
res = moov.cards.link(account_id="5593e46f-7936-474b-a52b-96f1da46867b", card_number="4111111111111111", card_cvv="123", expiration={
"month": "01",
"year": "21",
}, billing_address={
"postal_code": "80301",
}, x_wait_for=components.LinkCardWaitFor.PAYMENT_METHOD, e2ee={
"token": "eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBS0NYVDM1WVdvTm8wbzExNy1SU0dqUGg3alN1NjFmLUhnYkx1dW0xVG1ueTRlcW5yX2hyU0hpY0w1d3gwODRCWDBRZjVTdEtkRUoydzY2ZUJqWHprRV9OIiwieSI6IkFIMEJfT2RaYTQtbG43dGJ4M3VBdlc1NDNQRE9HUXBCTDloRFFNWjlTQXNfOW05UWN3dnhRd1hrb1VrM3VzT1FnVV9ySVFrNFRoZ1NTUzV4UlhKcm5ZaTkifSwia2lkIjoiYmRvV3pLekpKUGw0TVFIaENDa05WYTZlZ1dmYi02V1haSjZKTFZqQ0hWMD0ifQ.HalyoHsfufBJEODd2lD9ThQvvVWw3b2kgWDLHGxmHhMv8rODyLL_Ug.rpQP178t8Ed_pUU2.Sn9UFeVoegAxiMUv11q7l3M0y9YHSLYi2n_JB7n7Pc777_47-icfaxstJemT0IC81w.akkq1EBxzWkBr4vEomSpWA",
}, holder_name="Jules Jackson")
# Handle response
print(res)require 'moov_ruby'
Models = ::Moov::Models
s = ::Moov::Client.new(
security: Models::Components::Security.new(
username: '',
password: ''
)
)
res = s.cards.link(account_id: '5593e46f-7936-474b-a52b-96f1da46867b', link_card: Models::Components::LinkCard.new(
card_number: '4111111111111111',
card_cvv: '123',
expiration: Models::Components::CardExpiration.new(
month: '01',
year: '21'
),
holder_name: 'Jules Jackson',
billing_address: Models::Components::CardAddress.new(
postal_code: '80301'
)
), x_wait_for: Models::Components::LinkCardWaitFor::PAYMENT_METHOD)
unless res.card.nil?
# handle response
endusing Moov.Sdk;
using Moov.Sdk.Models.Components;
var sdk = new MoovClient(security: new Security() {
Username = "",
Password = "",
});
var res = await sdk.Cards.LinkAsync(
accountID: "5593e46f-7936-474b-a52b-96f1da46867b",
body: new LinkCard() {
CardNumber = "4111111111111111",
CardCvv = "123",
Expiration = new CardExpiration() {
Month = "01",
Year = "21",
},
HolderName = "Jules Jackson",
BillingAddress = new CardAddress() {
PostalCode = "80301",
},
},
xWaitFor: LinkCardWaitFor.PaymentMethod
);
// handle responseThe request completed successfully.
{
"billingAddress": {
"addressLine1": "123 Main Street",
"addressLine2": "Apt 302",
"city": "Boulder",
"country": "US",
"postalCode": "80301",
"stateOrProvince": "CO"
},
"bin": "411111",
"brand": "Visa",
"cardAccountUpdater": {
"updateType": "number-update",
"updatedOn": "2024-05-06T12:20:38.184Z"
},
"cardCategory": "CLASSIC",
"cardID": "01234567-89ab-cdef-0123-456789abcdef",
"cardOnFile": true,
"cardType": "credit",
"cardVerification": {
"accountName": {
"firstName": "match",
"fullName": "match",
"lastName": "match",
"middleName": "match"
},
"addressLine1": "match",
"cvv": "match",
"postalCode": "match"
},
"commercial": false,
"domesticPullFromCard": "supported",
"domesticPushToCard": "standard",
"expiration": {
"month": "01",
"year": "21"
},
"fingerprint": "9948962d92a1ce40c9f918cd9ece3a22bde62fb325a2f1fe2e833969de672ba3",
"holderName": "Jules Jackson",
"issuer": "GRINGOTTS BANK",
"issuerCountry": "US",
"issuerPhone": "8185551212",
"issuerURL": "HTTPS://WWW.EXAMPLE.COM/",
"lastFourCardNumber": "1111",
"merchantAccountID": "01234567-89ab-cdef-0123-456789abcdef",
"regulated": false
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The server could not understand the request due to invalid syntax.
{
"error": "string"
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request contained missing or expired authentication.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The user is not authorized to make the request.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The requested resource was not found.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
Attempted to link card that already exists on the account.
{
"error": "string",
"existingCardID": "string"
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request was well-formed, but the contents failed validation. Check the request for missing or invalid fields.
{
"error": "string",
"e2ee": {
"token": "string"
},
"cardNumber": "string",
"cardCvv": "string",
"expiration": "string",
"holderName": "string",
"billingAddress": "string",
"cardOnFile": "string",
"merchantAccountID": "string",
"verifyName": "string"
}Response headers
x-request-id
string
required
A unique identifier used to trace requests.
Request was refused due to rate limiting.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request failed due to an unexpected error.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
The request failed because a downstream service failed to respond.
Response headers
x-request-id
string
required
A unique identifier used to trace requests.
Headers
X-Moov-Version
string
Set this header to v2026.01.00 to use the API described in this specification. When omitted, the server defaults to v2024.01.00, which may not match the behavior documented here.
Possible values:
v2026.01.00
x-wait-for
string
Optional header to wait for certain events, such as the creation of a payment method, to occur before returning a response.
When this header is set to payment-method, the response will include any payment methods that were created for the newly
linked card in the paymentMethods field. Otherwise, the paymentMethods field will be omitted from the response.
Possible values:
payment-method
Path parameters
accountID
string
required
Body
application/json
billingAddress
object
required
The billing address associated with the card.
Show child attributes
addressLine1
string
<=60 characters
Street address line 1.
addressLine2
string
<=32 characters
Street address line 2 (e.g., apartment or suite number).
city
string
<=32 characters
City name.
country
string
<=2 characters
Two-letter ISO 3166-1 country code.
postalCode
string
<=10 characters
required
Postal or ZIP code.
stateOrProvince
string
<=2 characters
Two-letter state or province code.
cardCvv
string
required
The card's 3- or 4-digit card verification value.
cardNumber
string
required
The full card number (PAN).
expiration
object
required
The expiration date of the card or token.
Show child attributes
month
string
2 characters
required
Two-digit month the card expires.
year
string
2 characters
required
Two-digit year the card expires.
cardOnFile
boolean
Indicates cardholder has authorized card to be stored for future payments. (e.g., recurring payments).
If true and no
merchantAccountID is provided, the partner account's ID is used as the merchant account for verification.
e2ee
object
Wraps a compact-serialized JSON Web Encryption (JWE) token used for secure transmission of sensitive data (e.g., PCI information) through intermediaries.
This token is encrypted using the public key from /end-to-end-keys and wraps an AES key. For details and examples, refer to our
GitHub repository.
Show child attributes
token
string<jwe>
required
An RFC compact-serialized JSON Web Encryption (JWE) token.
holderName
string
The name of the cardholder as it appears on the card.
merchantAccountID
string
Merchant account whose details (statement descriptor, address, etc.) are used for the card verification authorization.
If omitted, the partner account's details are used instead.
verifyName
boolean
If true, submits the cardholder's name to the card network for verification as part of the $0 authorization.
Only supported for Visa and Mastercard; requesting name verification for American Express or Discover will return an error.
Response
billingAddress
object
required
The billing address associated with the card.
Show child attributes
addressLine1
string
<=60 characters
Street address line 1.
addressLine2
string
<=32 characters
Street address line 2 (e.g., apartment or suite number).
city
string
<=32 characters
City name.
country
string
<=2 characters
Two-letter ISO 3166-1 country code.
postalCode
string
<=10 characters
required
Postal or ZIP code.
stateOrProvince
string
<=2 characters
Two-letter state or province code.
bin
string
[6 to 8] characters
required
The first six to eight digits of the card number, which identifies the financial institution that issued the card.
brand
string<enum>
required
The card brand.
Possible values:
American Express,
Discover,
Mastercard,
Visa,
Unknown
cardID
string
required
ID of the card.
cardType
string<enum>
required
The type of the card.
Possible values:
debit,
credit,
prepaid,
unknown
cardVerification
object
required
The results of submitting cardholder data to a card network for verification.
Show child attributes
addressLine1
string
required
Verification result of the billing address line 1.
Derived from the same AVS code as
postalCode; the card network returns a single code covering both address fields.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
cvv
string
required
Verification result of the card's CVV.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
postalCode
string
required
Verification result of the billing address postal code.
Derived from the same AVS code as
addressLine1; the card network returns a single code covering both address fields.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
accountName
object
Verification results of the cardholder's name, broken down by name component.
The results of submitting cardholder name to a card network for verification.
Show child attributes
firstName
string
Verification result of the cardholder's first name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
fullName
string
Verification result of the cardholder's full name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
lastName
string
Verification result of the cardholder's last name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
middleName
string
Verification result of the cardholder's middle name.
The result of a card verification check.
Possible values:
noMatch,
match,
notChecked,
unavailable,
partialMatch
expiration
object
required
The expiration date of the card or token.
Show child attributes
month
string
2 characters
required
Two-digit month the card expires.
year
string
2 characters
required
Two-digit year the card expires.
fingerprint
string
<=100 characters
required
Uniquely identifies a linked payment card or token.
For Apple Pay, the fingerprint is based on the tokenized card number and may vary based on the user's device.
This field can be used to identify specific payment methods across multiple accounts on your platform.
lastFourCardNumber
string
4 characters
required
Last four digits of the card number
cardAccountUpdater
object
The results of the most recent card update request.
Show child attributes
updateType
string<enum>
The results of the card update request.
Possible values:
unspecified,
account-closed,
contact-cardholder,
expiration-update,
no-change,
no-match,
number-update
updatedOn
string<date-time>
Timestamp from the card network indicating when the card update was processed.
cardCategory
string
The category or level of the card defined by the issuer.
Examples include, but not limited to, "REWARDS", "TRADITIONAL REWARDS", "CLASSIC", and "CORPORATE PURCHASING".
cardOnFile
boolean
Indicates cardholder has authorized card to be stored for future payments.
commercial
boolean
If true, the card is for commercial use, or associated with a business.
If false, the card is associated with a general consumer.
domesticPullFromCard
string<enum>
Indicates if the card supports domestic pull-from-card transfer.
Possible values:
not-supported,
supported,
unknown
domesticPushToCard
string<enum>
Indicates which level of domestic push-to-card transfer is supported by the card, if any.
Possible values:
not-supported,
standard,
fast-funds,
unknown
holderName
string
The name of the cardholder as it appears on the card.
issuer
string
Financial institution that issued the card.
issuerCountry
string
Country where the card was issued.
issuerPhone
string
Phone number of the issuer.
issuerURL
string<uri>
URL of the issuer.
merchantAccountID
string
Merchant account whose details (statement descriptor, address, etc.) are used for the card verification authorization.
If omitted, the partner account's details are used instead.
paymentMethods
array<object>
Includes any payment methods created as a result of linking a card with the x-wait-for header set to payment-method.
Only returned by the link card endpoint; not included when getting or listing cards.
Show child attributes
paymentMethodID
string
ID of the payment method.
paymentMethodType
string<enum>
The payment method type that represents a payment rail and directionality
Possible values:
moov-wallet,
ach-debit-fund,
ach-debit-collect,
ach-credit-standard,
ach-credit-same-day,
rtp-credit,
card-payment,
push-to-card,
pull-from-card,
apple-pay,
card-present-payment,
instant-bank-credit
regulated
boolean
If true, the card issuing bank is regulated, and the scheme fees for debit transactions will be limited based on the Durbin Amendment.
If false, the card issuing bank is not regulated, and the scheme fees will not be limited.