Provider-agnostic card issuing API

Virtual card issuing infrastructure with ledger-first controls.

AICardAPI gives issuing teams a normalized API surface for cards, controls, webhooks and reconciliation without exposing provider-only semantics to merchant developers.

Start building Contact sales

Contract-first request_id tracing Sensitive values redacted

Normalized issuing flowrequest_id

requestPOST /v1/cards

cardprovider_required

ledgerreserve required

webhookevent fact only

API request

curl -X POST /v1/cardsX-API-Key · Idempotency-Key · request_id

Virtual card

last4 onlystatus comes from API

Ledger entry

reserve
capture
reconcile

Safe boundary

secrets: redacted

Webhook

delivery: from API

Capability

unknown: blocked

Code-generated contract

Public routes are anchored to the code-generated API contract before implementation drifts.

Idempotent writes

State-changing calls require Idempotency-Key and replay against request hashes.

Request correlation

Responses carry request_id so support can investigate without sensitive payloads.

Redaction by default

API keys, webhook secrets and card secrets are represented by prefix, last4 or safe stubs.

Capability fail-closed

Unknown provider capability is unavailable until AICardAPI evidence exists.

Platform

The primitives issuing teams need

Each module maps to a contract boundary, then feeds the same request and ledger trail.

Primary system surface

Virtual cards

Issue program-scoped virtual cards through AICardAPI resources without exposing provider-only fields.

Lifecycle: request - capability checked - ledger guarded
Exposure: provider-only fields stay behind adapters

Spend controls

Model card limits, MCC policy and merchant restrictions as normalized controls.

Webhook delivery

Track endpoint status, delivery attempts, retry states and DLQ follow-up from one contract.

Ledger and reconciliation

Use ledger projections and entries as the merchant-facing money record.

API keys

Create in Ops, copy the active key from the dashboard, and rotate revoked keys out of use.

Sensitive data controls

Card credential retrieval lives in card detail, while ordinary lists and metadata stay masked.

Solutions

Build card programs with controlled surfaces

Use AICardAPI for developer-first issuing, merchant operations and audit-oriented support flows.

For card issuing teams

Launch normalized APIs for virtual cards, controls and webhooks while keeping provider capability evidence behind a fail-closed registry.

For finance and operations

Read ledger projections, request IDs and delivery states without exposing raw provider payloads or card secrets.

Developer workflow

From API key to reconciled ledger

A compact path from authentication to webhook delivery and ledger review.

Authenticate

Send X-API-Key and keep request_id values for diagnostics.

X-API-Key: $YOUR_AICARD_API_KEY

Create customer and cardholder

Keep customer and cardholder identity separate from provider-specific enrollment state.

Issue a card

POST /v1/cards with an Idempotency-Key and a normalized program/cardholder reference.

Set controls

Patch /v1/cards/{card_id}/controls for spend policy and safe authorization limits.

Receive webhooks

Subscribe merchant endpoints and verify deliveries without storing signing secrets in the browser.

Reconcile ledger

Read /v1/ledger/balances and /v1/ledger/entries for audit-oriented reporting.

Control and compliance posture

Trust from architecture, not invented metrics

AICardAPI's public proof should come from contract consistency, security posture and careful wording.

Provider-agnostic boundary

AICardAPI names the contract. Provider raw fields stay behind adapters and capability evidence.

Audit-oriented operations

High-risk actions use reason capture, request IDs and explicit state transitions.

No fabricated trust proof

The public site does not claim uptime, volume, regions, customers or certifications without repo evidence.

Fail-safe docs posture

Docs explain sandbox and MVP behavior without importing unsupported provider production semantics.

Developers

Docs that behave like a product

The developer portal includes grouped navigation, copy affordances, code examples and contract positioning.

Quickstart

Create the core resources and understand idempotent write behavior.

Open

Authentication

Use X-API-Key, optional request IDs and dashboard key copy handling.

Open

Webhooks

Configure endpoints, delivery states and replay-safe support paths.

Open

AICardAPI

Build on a safer card issuing abstraction.

Start in docs, review the contract, then discuss the program architecture before production commitments.

Read docs Talk to sales