> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cbpayapp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a card

> Issues a card (virtual or physical) that spends Just-In-Time from the account's central balance in the card's spending asset (`spending_asset`: USDT/USDC 1:1 with the USD, or BTC/GOLD converted at the price of the moment of each event; USDT by default) — no prefunding: every purchase is authorized in real time against the available balance and the card's own limits. Person accounts can hold **1 virtual + 1 physical** card; company accounts can create **unlimited** cards, for the company itself or for designated persons (e.g. employees, passing their identity documents). Issuance bills the `card_creation_virtual` / `card_creation_physical` fee when configured (0 = free); the charge is refunded automatically if issuance fails. Physical cards are born `pending_activation` until the holder confirms reception.



## OpenAPI

````yaml /openapi.yaml post /v1/cards
openapi: 3.1.0
info:
  title: CBPay API
  version: '1.89'
  description: |
    CBPay is a multi-currency payment platform: fiat payouts and collections
    across Latin America, internal transfers, on-chain funding and
    withdrawals, and KYC screening. Every account holds four independent
    virtual balances — USDT (the operating currency), USDC, BTC and GOLD
    (grams of fine gold) — that never mix or convert automatically.
    Payouts and service fees can be paid from any of the four balances:
    set a default with `PUT /v1/settlement` or override per payout with
    `settlement_asset`.

    All amounts are decimal strings in each currency's precision (6 decimals
    for USDT/USDC/GOLD, 8 for BTC). Errors always return
    `{"error": "<code>", "message": "<detail>"}`.
servers:
  - url: https://api.qbank.cl/platform
    description: Live (production, real money)
  - url: https://cryptobank.qbank.cl/platform
    description: Test (sandbox, simulated money — pk_test_ keys)
security:
  - bearerAuth: []
tags:
  - name: Receipts
    description: >-
      Branded PDF receipt per operation, with a public signed-QR authenticity
      check, receipt_url on every response/webhook and automatic email delivery
      on final states.
  - name: Authentication
    description: Register and log in account members. Sessions last 24 hours.
  - name: Account
    description: Profile, members and API keys of the calling account.
  - name: Balances
    description: Balances, movement history and FX rates.
  - name: Payouts
    description: >-
      Fiat dispersals debited from the settlement balance of your choice (USDT
      by default).
  - name: Payins
    description: Fiat top-ups credited to the USDT balance.
  - name: Transfers
  - name: Contacts
  - name: Swaps
    description: >-
      Free internal transfers between CBPay accounts (person or company, any
      combination).
  - name: Crypto
    description: On-chain funding and withdrawals (TRON, Ethereum and Bitcoin).
  - name: Segregated wallets
    description: >-
      On-chain wallets with their own balance (companies unlimited; persons 1
      per network+asset pair) — create, import, send, export the private key and
      auto-forward. The balance lives on-chain, never in the ledger.
  - name: QR Crypto POS
    description: >-
      Amount-bearing crypto QR charges for processors with physical POS
      terminals (company accounts): verified merchants, exclusive address + QR
      per charge, early payment detection, per-merchant reconciliation and
      refunds over the crypto withdrawal rail.
  - name: KYC / KYB
  - name: AML screening
    description: >-
      Identity verification: KYC for persons, KYB for companies, with AML
      screening, rescreening and continuous monitoring.
  - name: Wallet screening
    description: >-
      AML risk assessment of blockchain addresses (sanctions, illicit-fund
      exposure) with a per-scan fee, plus free automatic protection on
      withdrawals and deposits.
  - name: Analytics
  - name: Webhooks
    description: Subscriptions to receive signed event notifications.
  - name: Status
    description: Service availability.
  - name: Banking
    description: >-
      Real bank accounts: receive, hold and send money over international
      banking rails.
  - name: Cards
    description: >-
      Virtual and physical cards that spend Just-In-Time from the account's USDT
      balance, with per-card spending limits.
  - name: Security (OTP)
    description: >-
      One-time verification codes over SMS/WhatsApp/email protecting sensitive
      actions, plus self-service 2FA preferences. Applies to user sessions only
      — API keys are exempt.
  - name: Passkeys
    description: >-
      Passwordless sign-in with the device's biometrics (Face ID, Touch ID,
      Windows Hello, security keys) via WebAuthn, authenticator apps (TOTP) with
      backup codes, and session/device management.
  - name: Social login
    description: >-
      Passwordless sign up and sign in with Google, Apple, Microsoft and
      Facebook via token exchange. The front end obtains the provider
      credential; the API verifies it and issues the CBPay session.
paths:
  /v1/cards:
    post:
      tags:
        - Cards
      summary: Create a card
      description: >-
        Issues a card (virtual or physical) that spends Just-In-Time from the
        account's central balance in the card's spending asset
        (`spending_asset`: USDT/USDC 1:1 with the USD, or BTC/GOLD converted at
        the price of the moment of each event; USDT by default) — no prefunding:
        every purchase is authorized in real time against the available balance
        and the card's own limits. Person accounts can hold **1 virtual + 1
        physical** card; company accounts can create **unlimited** cards, for
        the company itself or for designated persons (e.g. employees, passing
        their identity documents). Issuance bills the `card_creation_virtual` /
        `card_creation_physical` fee when configured (0 = free); the charge is
        refunded automatically if issuance fails. Physical cards are born
        `pending_activation` until the holder confirms reception.
      operationId: createCard
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - idempotency_key
              properties:
                physical:
                  type: boolean
                  default: false
                idempotency_key:
                  type: string
                  description: >-
                    Required (also accepted as the Idempotency-Key header). A
                    retry with the same key returns the original card and never
                    double-charges the issuance fee.
                spending_asset:
                  type: string
                  enum:
                    - USDT
                    - USDC
                    - BTC
                    - GOLD
                  default: USDT
                  description: >-
                    Balance the card spends from. USDT/USDC are at par with the
                    USD (exact 1:1, no conversion fee). BTC/GOLD convert at the
                    effective price of the moment of each event, with a reserve
                    cushion at authorization (fail-closed pricing, per-operation
                    and 24h volatile limits shared with payouts).
                limits:
                  type: object
                  description: >-
                    Optional spending limits in USD (enforced at authorization
                    time; 0 or omitted = no limit).
                  properties:
                    per_transaction:
                      type: string
                    daily:
                      type: string
                    monthly:
                      type: string
                cardholder:
                  type: object
                  description: >-
                    Cardholder data. On the account's FIRST issuance the holder
                    is created at the issuer: identity data and documents
                    AUTO-FILL from the account's approved identity verification
                    (explicit fields win); you only add the issuer-specific
                    fields (occupation catalog code, salary_usd). Omit it on
                    subsequent cards: the verified holder is reused. Company
                    accounts can also set kind "person" plus the verification_id
                    of THAT person's APPROVED KYC to issue for a designated
                    person (their identity and documents come from the
                    verification).
                  properties:
                    verification_id:
                      type: string
                      format: uuid
                      description: >-
                        REQUIRED for designated persons (kind "person" on
                        company accounts): submission_id of the person's
                        APPROVED third-party KYC verification.
            examples:
              person_first_card:
                summary: >-
                  Person — FIRST card (identity auto-fills from the
                  verification)
                value:
                  physical: false
                  idempotency_key: card-v-1
                  cardholder:
                    occupation: '52201'
                    salary_usd: 1800
              subsequent_card:
                summary: Subsequent card — holder already verified (no data needed)
                value:
                  physical: true
                  idempotency_key: card-f-ops-1
                  spending_asset: USDC
                  limits:
                    per_transaction: '500.00'
                    monthly: '5000.00'
              company_for_employee:
                summary: Company — card for a designated person (approved KYC required)
                value:
                  physical: false
                  idempotency_key: card-emp-77
                  limits:
                    monthly: '1500.00'
                  cardholder:
                    kind: person
                    verification_id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
                    occupation: '52201'
                    salary_usd: 1800
      responses:
        '201':
          description: Card created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CardObject'
              example:
                card_id: 3c2b1a09-8d7e-6f5a-4b3c-2d1e0f9a8b7c
                account_id: 9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d
                physical: false
                cardholder_kind: account
                cardholder_name: Client X SpA
                status: active
                spending_asset: USDT
                limits:
                  monthly: '5000.000000'
                created_at: '2026-07-08T12:00:00Z'
                updated_at: '2026-07-08T12:00:00Z'
                creation_fee: '3.000000'
        '400':
          description: idempotency_key_required / invalid_amount
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: idempotency_key_required
                message: provide idempotency_key (body or Idempotency-Key header)
        '401':
          $ref: '#/components/responses/Unauthorized'
        '402':
          description: Balance cannot cover the issuance fee (insufficient_funds).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: insufficient_funds
                message: account balance is not enough for this operation
        '403':
          $ref: '#/components/responses/AccountRequired'
        '409':
          description: card_limit_reached (person accounts) / cardholder_kyc_pending
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: card_limit_reached
                message: >-
                  person accounts can hold at most 1 virtual card (cancel the
                  existing one first)
        '422':
          description: >-
            verification_required / verification_not_approved /
            verification_kind_mismatch (designated persons need an approved
            third-party KYC verification_id).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                error: verification_required
                message: >-
                  an approved identity verification of the third party is
                  required: pass verification_id
components:
  schemas:
    CardObject:
      type: object
      properties:
        card_id:
          type: string
        account_id:
          type: string
        physical:
          type: boolean
        cardholder_kind:
          type: string
          enum:
            - account
            - person
        cardholder_name:
          type: string
        status:
          type: string
          enum:
            - pending_activation
            - active
            - frozen
            - cancelled
        spending_asset:
          type: string
          enum:
            - USDT
            - USDC
            - BTC
            - GOLD
          description: >-
            Balance the card's purchases spend from. USDT/USDC 1:1 with the USD;
            BTC/GOLD converted at the price of the moment of each event. USDT by
            default. Changing it only affects future purchases.
        limits:
          type: object
          description: >-
            Spending limits, always measured in USD regardless of the spending
            asset.
          properties:
            per_transaction:
              type: string
            daily:
              type: string
            monthly:
              type: string
        creation_fee:
          type: string
        cancellation_fee:
          type: string
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
    Error:
      type: object
      properties:
        error:
          type: string
          description: Machine-readable error code (snake_case).
          example: insufficient_funds
        message:
          type: string
          description: Human-readable explanation.
  responses:
    Unauthorized:
      description: Missing or invalid credential (`unauthorized`).
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error: unauthorized
            message: invalid or missing credentials
    AccountRequired:
      description: This endpoint requires an account credential (`account_required`).
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error: account_required
            message: this endpoint requires an account credential
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: |
        Session JWT (from register/login) or API key (`pk_...`).
        `X-API-Key: <token>` is accepted as an alternative header.

````