Skip to content

Wise Platform API

The Wise Platform API is a REST-based interface that enables programmatic access to Wise's payment infrastructure. All endpoints return JSON-formatted responses and use standard HTTP methods and status codes.

New to wise?

We strongly recommend first reading our Getting Started Guide to help you set up credentials and make your first call.

Before you begin

To use this API reference effectively, you should have:

  • Received Valid API credentials from Wise (Client ID and Client Secret)
  • Understand OAuth 2.0 authentication
  • Be familiar with RESTful API concepts

Core API resources

ResourcePurpose
QuoteExchange rate and fee calculations
RecipientBeneficiary account management
TransferPayment creation and execution
BalanceMulti-currency account operations
ProfileAccount ownership details
RateCurrent and historical exchange rates

Not sure which workflow to build?
Start with our Integration Guides for step-by-step implementation examples.

Languages
Servers
Production Environment
https://api.wise.com/
Sandbox Environment
https://api.wise-sandbox.com/

3D Secure Authentication

To manage certain aspects of the 3D Secure (3DS) authentication, you will need to integrate with the following APIs.

Operations

Activity

Activity represents a snapshot of a performed action for a profile.

Operations

Additional Customer Verification

In certain situations, additional evidence is required to verify customers and ensure we’re compliant with the KYC regulations.

Additional Verification APIs support a list of evidences that can be found in the Supported Evidences guide.

If you use the Customer Account with Partner KYC model and your customers are primarily based in the EU, refer to this Onboarding EU customers guide for instructions on how to use these APIs.

If you use the Customer Account with Partner KYC model and you are onboarding high risk business customers based primarily based in the US, refer to this Onboarding High Risk US Businesses guide for instructions on how to use these APIs.

Operations

Address

Manage physical addresses associated with user profiles.

Address requirements vary by country — use the address requirements endpoints to dynamically discover which fields are needed before creating an address.

SchemasOperations

Balance

Create and manage balance accounts within a multi-currency account.

Each profile can hold multiple balance accounts in different currencies. A STANDARD balance is limited to one per currency, while SAVINGS balances (Jars) allow multiple in the same currency. Creating the first balance for a profile automatically creates the multi-currency account.

Balances include an investmentState field. Only balances with NOT_INVESTED can be operated on via the API. Invested balances should be shown but not actionable.

For a complete guide on multi-currency accounts, see Multi-Currency Accounts.

SchemasOperations

Balance Statement

Balance statements contain transactional activities on a Wise Multi-Currency Account, including deposits, withdrawals, conversions, card transactions, and fees.

Statements can be retrieved in multiple formats: JSON, CSV, PDF, XLSX, CAMT.053, MT940, or QIF.

Operations

Bank Account Details

Bank account details allow users to receive money into their Wise Multi-Currency Account. Each currency balance can have local bank details (for domestic payments) and international bank details (for SWIFT payments) where available.

Bank account details can be retrieved for existing balances, or new details can be ordered for currencies where they're available but not yet issued.

SchemasOperations

Batch Group

A batch group is a named collection of up to 1000 transfers that can be managed as a single unit. Batch groups are primarily used for funding multiple transfers with a single payment.

Workflow:

  1. Create a batch group with a source currency
  2. Add transfers to the group (up to 1000)
  3. Complete the batch group to close it for modifications
  4. Fund the batch group from a balance or via direct debit

Individual transfers in the group follow standard transfer lifecycle and can be tracked separately.

SchemasOperations

Bulk Settlement

Bulk settlement allows partners to settle multiple transfers in a single bank transfer at the end of a settlement period. This model splits transfer creation/funding from final settlement, allowing Wise to process transfers before receiving funds based on a partner's guarantee.

Use the settlement journal endpoint to submit a list of transfers to be settled, along with the settlement reference that matches your bank transfer payment.

Operations

Card

Manage your customers' cards programmatically. These APIs allow you to retrieve card details, control card status, manage spending permissions, and access sensitive card data securely.

Key capabilities:

  • List and retrieve card details for a profile
  • Update card status (active, frozen, blocked)
  • Control spending permissions (e-commerce, ATM, contactless, etc.)
  • Access sensitive card data (PAN, CVV, PIN) via encrypted JWE payloads

Sensitive card details: Wise is a PCI DSS compliant provider and stores all card data securely. The scope for PCI compliance depends on your use case and will impact how you integrate. For all sensitive card details endpoints, follow the detailed guide.

For ordering new cards, see the Card Order API. For transaction history, see the Card Transaction API.

SchemasOperations

Card

The Card resource represents a Wise card linked to a profile.

tokenstring

Unique identifier for the card.

Example: "ca0c8154-1e14-4464-a1ce-dcea7dc3de52"
profileIdinteger(int64)

Profile ID that owns this card.

Example: 123456
clientIdstring

Client ID of the partner that issued the card.

Example: "wise_api_docs"
statusobject

Current status of the card.

status.​valuestring

Status value. One of:

  • ACTIVE - Card is active and can be used
  • INACTIVE - Card is inactive and all transactions will be declined
  • BLOCKED - Card is blocked and cannot be reversed back to any state
  • FROZEN - Card is temporarily blocked
  • PARTNER_SUSPENDED - Card is suspended by Wise temporarily (do not display to end customers)
  • EXPIRED - Card is expired
  • PURGED - Cardholder data (e.g. PAN, PIN) has been purged after the retention period (555 days after the card's expiry date)
Enum"ACTIVE""INACTIVE""BLOCKED""FROZEN""PARTNER_SUSPENDED""EXPIRED""PURGED"
Example: "ACTIVE"
cardHolderNamestring

Name of the card holder.

Example: "John Smith"
expiryDatestring(date-time)

Date when the card will expire.

Example: "2028-05-31T00:00:00Z"
lastFourDigitsstring

Last 4 digits of the card number.

Example: "6320"
bankIdentificationNumberstring

Bank identification number (BIN) of the card.

Example: "459661"
phoneNumberstring

Phone number associated with the card.

Example: "+441234567890"
cardProgramobject

Card program details.

cardProgram.​namestring

Name of the card program.

Example: "VISA_DEBIT_BUSINESS_UK_1"
cardProgram.​schemestring

Card network scheme.

Enum"VISA""MASTERCARD"
Example: "VISA"
cardProgram.​defaultCurrencystring

Default currency of the card.

Example: "GBP"
cardProgram.​cardTypestring

Type of the card. E.g. PHYSICAL or VIRTUAL.

Example: "VIRTUAL"
unlockSpendingPermissionsstring

Method with which physical card spending permissions can be unlocked. One of:

  • WITH_PARTNER_API - Unlock via Partner API
  • WITH_FIRST_CHIP_AND_PIN_TRANSACTION - Unlock with first chip and PIN transaction
  • NONE - Not applicable (for virtual cards)
Enum"WITH_PARTNER_API""WITH_FIRST_CHIP_AND_PIN_TRANSACTION""NONE"
Example: "WITH_PARTNER_API"
creationTimestring(date-time)

Time when the card was created.

Example: "2022-05-31T01:43:24.596321434Z"
modificationTimestring(date-time)

Time when the card was last modified.

Example: "2022-05-31T01:43:24.596321825Z"
{
  "token": "ca0c8154-1e14-4464-a1ce-dcea7dc3de52",
  "profileId": 123456,
  "clientId": "wise_api_docs",
  "status": {
    "value": "ACTIVE"
  },
  "cardHolderName": "John Smith",
  "expiryDate": "2028-05-31T00:00:00Z",
  "lastFourDigits": "6320",
  "bankIdentificationNumber": "459661",
  "phoneNumber": "+441234567890",
  "cardProgram": {
    "name": "VISA_DEBIT_BUSINESS_UK_1",
    "scheme": "VISA",
    "defaultCurrency": "GBP",
    "cardType": "VIRTUAL"
  },
  "unlockSpendingPermissions": "WITH_PARTNER_API",
  "creationTime": "2022-05-31T01:43:24.596321434Z",
  "modificationTime": "2022-05-31T01:43:24.596321825Z"
}

Permission

Spending permission configuration for a card.

typestring

The type of transaction this permission controls:

  • ECOM - Online transactions
  • POS_CHIP - Physical point-of-sale transactions with chip
  • POS_MAGSTRIPE - Physical point-of-sale transactions with magnetic stripe
  • POS_CONTACTLESS - Physical point-of-sale contactless transactions
  • ATM_WITHDRAWAL - ATM withdrawals
  • MOBILE_WALLETS - Digital wallet payments (Apple Pay, Google Pay)
Enum"ECOM""POS_CHIP""POS_MAGSTRIPE""POS_CONTACTLESS""ATM_WITHDRAWAL""MOBILE_WALLETS"
Example: "ECOM"
isEnabledboolean

Indicates if this permission type is enabled.

Example: false
isLockedboolean

Indicates if this permission is locked. If locked, the permission cannot be enabled.

Example: false
{
  "type": "ECOM",
  "isEnabled": false,
  "isLocked": false
}

List cards for a profile

Request

Returns a paginated list of cards that belong to a specific profile.

Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile to retrieve cards for.

Example: 123456
Query
pageSizeinteger(int64)[ 10 .. 100 ]

The maximum number of cards to return per page. Must be between 10 and 100.

Default 10
Example: pageSize=10
pageNumberinteger(int64)>= 1

The page number to retrieve. Must be greater than or equal to 1.

Default 1
Example: pageNumber=1
curl -i -X GET \
  'https://api.wise.com/v3/spend/profiles/123456/cards?pageSize=10&pageNumber=1' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

List of cards retrieved successfully.

Bodyapplication/json
cardsArray of objects

Collection of cards for this profile.

cards[].​tokenstring

Unique identifier for the card.

Example: "ca0c8154-1e14-4464-a1ce-dcea7dc3de52"
cards[].​profileIdinteger(int64)

Profile ID that owns this card.

Example: 123456
cards[].​clientIdstring

Client ID of the partner that issued the card.

Example: "wise_api_docs"
cards[].​statusobject

Current status of the card.

cards[].​cardHolderNamestring

Name of the card holder.

Example: "John Smith"
cards[].​expiryDatestring(date-time)

Date when the card will expire.

Example: "2028-05-31T00:00:00Z"
cards[].​lastFourDigitsstring

Last 4 digits of the card number.

Example: "6320"
cards[].​bankIdentificationNumberstring

Bank identification number (BIN) of the card.

Example: "459661"
cards[].​phoneNumberstring

Phone number associated with the card.

Example: "+441234567890"
cards[].​cardProgramobject

Card program details.

cards[].​unlockSpendingPermissionsstring

Method with which physical card spending permissions can be unlocked. One of:

  • WITH_PARTNER_API - Unlock via Partner API
  • WITH_FIRST_CHIP_AND_PIN_TRANSACTION - Unlock with first chip and PIN transaction
  • NONE - Not applicable (for virtual cards)
Enum"WITH_PARTNER_API""WITH_FIRST_CHIP_AND_PIN_TRANSACTION""NONE"
Example: "WITH_PARTNER_API"
cards[].​creationTimestring(date-time)

Time when the card was created.

Example: "2022-05-31T01:43:24.596321434Z"
cards[].​modificationTimestring(date-time)

Time when the card was last modified.

Example: "2022-05-31T01:43:24.596321825Z"
totalCountinteger(int64)

The total number of cards for this profile.

Example: 1
Response
application/json
{
  "cards": [
    {
      "token": "ca0c8154-1e14-4464-a1ce-dcea7dc3de52",
      "profileId": 123456,
      "clientId": "wise_api_docs",
      "status": {},
      "cardHolderName": "John Smith",
      "expiryDate": "2028-05-31T00:00:00Z",
      "lastFourDigits": "6320",
      "bankIdentificationNumber": "459661",
      "phoneNumber": "+441234567890",
      "cardProgram": {},
      "unlockSpendingPermissions": "WITH_PARTNER_API",
      "creationTime": "2022-05-31T01:43:24.596321434Z",
      "modificationTime": "2022-05-31T01:43:24.596321825Z"
    }
  ],
  "totalCount": 1
}

Get card details

Request

Retrieves details for a specific card by its token.

Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile that owns the card.

Example: 123456
cardTokenstring(uuid)required

The unique token identifying the card.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
curl -i -X GET \
  https://api.wise.com/v3/spend/profiles/123456/cards/ca0c8154-1e14-4464-a1ce-dcea7dc3de52 \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Card details retrieved successfully.

Bodyapplication/json
tokenstring

Unique identifier for the card.

Example: "ca0c8154-1e14-4464-a1ce-dcea7dc3de52"
profileIdinteger(int64)

Profile ID that owns this card.

Example: 123456
clientIdstring

Client ID of the partner that issued the card.

Example: "wise_api_docs"
statusobject

Current status of the card.

status.​valuestring

Status value. One of:

  • ACTIVE - Card is active and can be used
  • INACTIVE - Card is inactive and all transactions will be declined
  • BLOCKED - Card is blocked and cannot be reversed back to any state
  • FROZEN - Card is temporarily blocked
  • PARTNER_SUSPENDED - Card is suspended by Wise temporarily (do not display to end customers)
  • EXPIRED - Card is expired
  • PURGED - Cardholder data (e.g. PAN, PIN) has been purged after the retention period (555 days after the card's expiry date)
Enum"ACTIVE""INACTIVE""BLOCKED""FROZEN""PARTNER_SUSPENDED""EXPIRED""PURGED"
Example: "ACTIVE"
cardHolderNamestring

Name of the card holder.

Example: "John Smith"
expiryDatestring(date-time)

Date when the card will expire.

Example: "2028-05-31T00:00:00Z"
lastFourDigitsstring

Last 4 digits of the card number.

Example: "6320"
bankIdentificationNumberstring

Bank identification number (BIN) of the card.

Example: "459661"
phoneNumberstring

Phone number associated with the card.

Example: "+441234567890"
cardProgramobject

Card program details.

cardProgram.​namestring

Name of the card program.

Example: "VISA_DEBIT_BUSINESS_UK_1"
cardProgram.​schemestring

Card network scheme.

Enum"VISA""MASTERCARD"
Example: "VISA"
cardProgram.​defaultCurrencystring

Default currency of the card.

Example: "GBP"
cardProgram.​cardTypestring

Type of the card. E.g. PHYSICAL or VIRTUAL.

Example: "VIRTUAL"
unlockSpendingPermissionsstring

Method with which physical card spending permissions can be unlocked. One of:

  • WITH_PARTNER_API - Unlock via Partner API
  • WITH_FIRST_CHIP_AND_PIN_TRANSACTION - Unlock with first chip and PIN transaction
  • NONE - Not applicable (for virtual cards)
Enum"WITH_PARTNER_API""WITH_FIRST_CHIP_AND_PIN_TRANSACTION""NONE"
Example: "WITH_PARTNER_API"
creationTimestring(date-time)

Time when the card was created.

Example: "2022-05-31T01:43:24.596321434Z"
modificationTimestring(date-time)

Time when the card was last modified.

Example: "2022-05-31T01:43:24.596321825Z"
Response
application/json
{
  "token": "ca0c8154-1e14-4464-a1ce-dcea7dc3de52",
  "profileId": 123456,
  "clientId": "wise_api_docs",
  "status": {
    "value": "ACTIVE"
  },
  "cardHolderName": "John Smith",
  "expiryDate": "2028-05-31T00:00:00Z",
  "lastFourDigits": "6320",
  "bankIdentificationNumber": "459661",
  "phoneNumber": "+441234567890",
  "cardProgram": {
    "name": "VISA_DEBIT_BUSINESS_UK_1",
    "scheme": "VISA",
    "defaultCurrency": "GBP",
    "cardType": "VIRTUAL"
  },
  "unlockSpendingPermissions": "WITH_PARTNER_API",
  "creationTime": "2022-05-31T01:43:24.596321434Z",
  "modificationTime": "2022-05-31T01:43:24.596321825Z"
}

Update card status

Request

Update the status of a card. For cards issued with an INACTIVE status, updating to ACTIVE will activate the card and move the card order status to COMPLETED.

Available status transitions:

  • ACTIVE - The card is active and usable
  • FROZEN - The card is temporarily frozen; all authorization requests will be declined
  • BLOCKED - The card is irreversibly blocked and is no longer usable
Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile that owns the card.

Example: 123456
cardTokenstring(uuid)required

The unique token identifying the card.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
Bodyapplication/jsonrequired
statusstringrequired

The status to update the card to.

Enum"ACTIVE""FROZEN""BLOCKED"
Example: "ACTIVE"
curl -i -X PUT \
  https://api.wise.com/v3/spend/profiles/123456/cards/ca0c8154-1e14-4464-a1ce-dcea7dc3de52/status \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "status": "ACTIVE"
  }'

Responses

Card status updated successfully.

Bodyapplication/json
tokenstring

Unique identifier for the card.

Example: "ca0c8154-1e14-4464-a1ce-dcea7dc3de52"
profileIdinteger(int64)

Profile ID that owns this card.

Example: 123456
clientIdstring

Client ID of the partner that issued the card.

Example: "wise_api_docs"
statusobject

Current status of the card.

status.​valuestring

Status value. One of:

  • ACTIVE - Card is active and can be used
  • INACTIVE - Card is inactive and all transactions will be declined
  • BLOCKED - Card is blocked and cannot be reversed back to any state
  • FROZEN - Card is temporarily blocked
  • PARTNER_SUSPENDED - Card is suspended by Wise temporarily (do not display to end customers)
  • EXPIRED - Card is expired
  • PURGED - Cardholder data (e.g. PAN, PIN) has been purged after the retention period (555 days after the card's expiry date)
Enum"ACTIVE""INACTIVE""BLOCKED""FROZEN""PARTNER_SUSPENDED""EXPIRED""PURGED"
Example: "ACTIVE"
cardHolderNamestring

Name of the card holder.

Example: "John Smith"
expiryDatestring(date-time)

Date when the card will expire.

Example: "2028-05-31T00:00:00Z"
lastFourDigitsstring

Last 4 digits of the card number.

Example: "6320"
bankIdentificationNumberstring

Bank identification number (BIN) of the card.

Example: "459661"
phoneNumberstring

Phone number associated with the card.

Example: "+441234567890"
cardProgramobject

Card program details.

cardProgram.​namestring

Name of the card program.

Example: "VISA_DEBIT_BUSINESS_UK_1"
cardProgram.​schemestring

Card network scheme.

Enum"VISA""MASTERCARD"
Example: "VISA"
cardProgram.​defaultCurrencystring

Default currency of the card.

Example: "GBP"
cardProgram.​cardTypestring

Type of the card. E.g. PHYSICAL or VIRTUAL.

Example: "VIRTUAL"
unlockSpendingPermissionsstring

Method with which physical card spending permissions can be unlocked. One of:

  • WITH_PARTNER_API - Unlock via Partner API
  • WITH_FIRST_CHIP_AND_PIN_TRANSACTION - Unlock with first chip and PIN transaction
  • NONE - Not applicable (for virtual cards)
Enum"WITH_PARTNER_API""WITH_FIRST_CHIP_AND_PIN_TRANSACTION""NONE"
Example: "WITH_PARTNER_API"
creationTimestring(date-time)

Time when the card was created.

Example: "2022-05-31T01:43:24.596321434Z"
modificationTimestring(date-time)

Time when the card was last modified.

Example: "2022-05-31T01:43:24.596321825Z"
Response
application/json
{
  "token": "ca0c8154-1e14-4464-a1ce-dcea7dc3de52",
  "profileId": 123456,
  "clientId": "wise_api_docs",
  "status": {
    "value": "ACTIVE"
  },
  "cardHolderName": "John Smith",
  "expiryDate": "2028-05-31T00:00:00Z",
  "lastFourDigits": "6320",
  "bankIdentificationNumber": "459661",
  "phoneNumber": "+441234567890",
  "cardProgram": {
    "name": "VISA_DEBIT_BUSINESS_UK_1",
    "scheme": "VISA",
    "defaultCurrency": "GBP",
    "cardType": "VIRTUAL"
  },
  "unlockSpendingPermissions": "WITH_PARTNER_API",
  "creationTime": "2022-05-31T01:43:24.596321434Z",
  "modificationTime": "2022-05-31T01:43:24.596321825Z"
}

Reset PIN count

Request

If the wrong PIN has been entered more than 3 times, future transactions on the card will be blocked with a PIN_ENTRY_TRIES_EXCEEDED error message.

Use this endpoint to reset the PIN count to 0 and unblock transactions.

In some cases, you may also need to reset the PIN count directly at the ATM.

Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile that owns the card.

Example: 123456
cardTokenstring(uuid)required

The unique token identifying the card.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
curl -i -X POST \
  https://api.wise.com/v3/spend/profiles/123456/cards/ca0c8154-1e14-4464-a1ce-dcea7dc3de52/reset-pin-count \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

PIN count reset successfully.

Get card spending permissions

Request

Retrieves the current spending permissions configured for a card.

Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile that owns the card.

Example: 123456
cardTokenstring(uuid)required

The unique token identifying the card.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
curl -i -X GET \
  https://api.wise.com/v3/spend/profiles/123456/cards/ca0c8154-1e14-4464-a1ce-dcea7dc3de52/spending-permissions \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

Card permissions retrieved successfully.

Bodyapplication/json
permissionsArray of objects

List of spending permissions for this card.

permissions[].​typestring

The type of transaction this permission controls:

  • ECOM - Online transactions
  • POS_CHIP - Physical point-of-sale transactions with chip
  • POS_MAGSTRIPE - Physical point-of-sale transactions with magnetic stripe
  • POS_CONTACTLESS - Physical point-of-sale contactless transactions
  • ATM_WITHDRAWAL - ATM withdrawals
  • MOBILE_WALLETS - Digital wallet payments (Apple Pay, Google Pay)
Enum"ECOM""POS_CHIP""POS_MAGSTRIPE""POS_CONTACTLESS""ATM_WITHDRAWAL""MOBILE_WALLETS"
Example: "ECOM"
permissions[].​isEnabledboolean

Indicates if this permission type is enabled.

Example: false
permissions[].​isLockedboolean

Indicates if this permission is locked. If locked, the permission cannot be enabled.

Example: false
Response
application/json
{
  "permissions": [
    {
      "type": "ECOM",
      "isEnabled": false,
      "isLocked": false
    },
    {
      "type": "POS_CHIP",
      "isEnabled": true,
      "isLocked": false
    },
    {
      "type": "ATM_WITHDRAWAL",
      "isEnabled": false,
      "isLocked": false
    },
    {
      "type": "MOBILE_WALLETS",
      "isEnabled": true,
      "isLocked": false
    },
    {
      "type": "POS_CONTACTLESS",
      "isEnabled": false,
      "isLocked": true
    },
    {
      "type": "POS_MAGSTRIPE",
      "isEnabled": false,
      "isLocked": true
    }
  ]
}

Update a single card permission

Request

Enable or disable a single spending permission on a card.

For bulk updates, use the v4 endpoint instead.

Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile that owns the card.

Example: 123456
cardTokenstring(uuid)required

The unique token identifying the card.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
Bodyapplication/jsonrequired
typestringrequired

The permission type to update.

Enum"ECOM""POS_CHIP""POS_MAGSTRIPE""POS_CONTACTLESS""ATM_WITHDRAWAL""MOBILE_WALLETS"
Example: "ECOM"
isEnabledbooleanrequired

Whether to enable or disable this permission.

Example: true
curl -i -X PATCH \
  https://api.wise.com/v3/spend/profiles/123456/cards/ca0c8154-1e14-4464-a1ce-dcea7dc3de52/spending-permissions \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "ECOM",
    "isEnabled": true
  }'

Responses

Permission updated successfully.

Bulk update card permissions

Request

Enable or disable multiple spending permissions on a card in a single request.

This is the recommended endpoint for updating card permissions as it allows updating multiple permissions atomically.

Security
UserToken
Path
profileIdinteger(int64)required

The ID of the profile that owns the card.

Example: 123456
cardTokenstring(uuid)required

The unique token identifying the card.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
Bodyapplication/jsonrequired
permissionsArray of objectsrequired

List of permissions to update.

permissions[].​typestringrequired

The permission type to update.

Enum"ECOM""POS_CHIP""POS_MAGSTRIPE""POS_CONTACTLESS""ATM_WITHDRAWAL""MOBILE_WALLETS"
permissions[].​isEnabledbooleanrequired

Whether to enable or disable this permission.

curl -i -X PATCH \
  https://api.wise.com/v4/spend/profiles/123456/cards/ca0c8154-1e14-4464-a1ce-dcea7dc3de52/spending-permissions \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "permissions": [
      {
        "type": "ECOM",
        "isEnabled": true
      },
      {
        "type": "POS_CHIP",
        "isEnabled": true
      }
    ]
  }'

Responses

Permissions updated successfully.

Fetch RSA encryption key

Request

Fetches Wise's RSA public key required for encrypting sensitive card data requests.

This key is used in the sensitive card details flow to create JWE (JSON Web Encryption) payloads.

Security
UserToken
curl -i -X GET \
  https://twcard.wise.com/twcard-data/v1/clientSideEncryption/fetchEncryptingKey \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>'

Responses

RSA encryption key retrieved successfully.

Bodyapplication/json
versioninteger(int32)

Version of the encryption key.

Example: 1
keystring

The RSA public key.

Example: "<encryption key>"
Response
application/json
{
  "version": 1,
  "key": "<encryption key>"
}

Get sensitive card details

Request

Fetches the card's Primary Account Number (PAN), security code (CVV2), expiry date, and cardholder name.

Requires an encrypted JWE payload for security. See the sensitive card details guide for implementation details.

To retrieve sensitive card details, the card must be in either ACTIVE or FROZEN status. A 403 response will be returned for cards in any other status.

This endpoint is SCA protected when applicable. If your profile is registered within the UK and/or EEA, SCA most likely applies. For more information, see implementing SCA.

Security
UserToken
Headers
x-tw-twcard-card-tokenstring(uuid)required

The card token identifying which card to retrieve details for.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
Bodyapplication/jsonrequired
keyVersioninteger(int32)required

The version of the encryption key to use. Always set to 1.

Example: 1
encryptedPayloadstringrequired

Your JWE encrypted payload.

Example: "<your JWE>"
curl -i -X POST \
  https://twcard.wise.com/twcard-data/v1/sensitive-card-data/details \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'x-tw-twcard-card-token: ca0c8154-1e14-4464-a1ce-dcea7dc3de52' \
  -d '{
    "keyVersion": 1,
    "encryptedPayload": "<your JWE>"
  }'

Responses

Sensitive card details retrieved successfully.

Bodyapplication/json
noncestring(uuid)

An arbitrary UUID issued from the cryptographic communication.

Example: "33d51227-9ad6-4624-b4b7-7853b56076dd"
cvv2string

The card CVV2 security code.

Example: "111"
panstring

The card Primary Account Number.

Example: "4396910000012345"
expiryDatestring

The card expiry date in MM/YY format.

Example: "10/31"
cardholderNamestring

Name on the card.

Example: "John Smith"
Response
application/json
{
  "nonce": "33d51227-9ad6-4624-b4b7-7853b56076dd",
  "cvv2": "111",
  "pan": "4396910000012345",
  "expiryDate": "10/31",
  "cardholderName": "John Smith"
}

Get card PIN

Request

Fetches the card's PIN.

Requires an encrypted JWE payload for security. See the sensitive card details guide for implementation details.

This endpoint is SCA protected when applicable. If your profile is registered within the UK and/or EEA, SCA most likely applies. For more information, see implementing SCA.

Security
UserToken
Headers
x-tw-twcard-card-tokenstring(uuid)required

The card token identifying which card to retrieve the PIN for.

Example: ca0c8154-1e14-4464-a1ce-dcea7dc3de52
Bodyapplication/jsonrequired
keyVersioninteger(int32)required

The version of the encryption key to use. Always set to 1.

Example: 1
encryptedPayloadstringrequired

Your JWE encrypted payload.

Example: "<your JWE>"
curl -i -X POST \
  https://twcard.wise.com/twcard-data/v1/sensitive-card-data/pin \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'x-tw-twcard-card-token: ca0c8154-1e14-4464-a1ce-dcea7dc3de52' \
  -d '{
    "keyVersion": 1,
    "encryptedPayload": "<your JWE>"
  }'

Responses

Card PIN retrieved successfully.

Bodyapplication/json
noncestring(uuid)

An arbitrary UUID issued from the cryptographic communication.

Example: "33d51227-9ad6-4624-b4b7-7853b56076dd"
pinstring

The card PIN.

Example: "1234"
Response
application/json
{
  "nonce": "33d51227-9ad6-4624-b4b7-7853b56076dd",
  "pin": "1234"
}