API access
API access may be provided through API keys, bearer sessions or other approved authentication mechanisms. Keys are issued to authorized merchant or developer workspaces and must not be shared publicly.
This generic draft is not a signed service agreement. Production API access should be governed by an executed agreement and approved program terms.
State-changing API calls should use Idempotency-Key when required by the contract. Responses may include request_id values for support and audit workflows.
Do not submit full PAN, CVV, PIN, card secrets, production provider credentials, webhook secrets or raw sensitive payloads unless an approved production agreement and data handling process expressly permits it.
Users must protect API keys, rotate compromised credentials, restrict access to authorized users and promptly report suspected unauthorized access or vulnerabilities.
AICardAPI may apply rate limits, abuse controls, maintenance windows and sandbox restrictions. Public documentation does not guarantee uptime, country coverage, provider support or transaction capacity.
Provider capability gates are internal controls. Unknown or unsupported provider paths fail closed and are not exposed as a merchant capability catalog in the MVP.
Sandbox and demo identifiers are for integration testing only. They must not be used for real payment activity, real cardholder secrets or production reconciliation.