> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rinne.com.br/llms.txt
> Use this file to discover all available pages before exploring further.

# Store a card

> Requires the card.create permission.

Stores a card for the authenticated company and returns a reusable card
reference. The card number must be encrypted ciphertext (`ev:` prefix);
Rinne never receives the raw PAN and never stores CVC.




## OpenAPI

````yaml /api-spec.yaml post /v1/cards
openapi: 3.1.0
info:
  title: Rinne API
  version: 1.0.0
  description: >
    **Rinne API** is a robust payment platform that offers integration with
    multiple payment providers.


    ## Authentication


    The API uses API Key authentication via the `x-api-key` header. Each company
    has a unique key to access resources.


    ## Response Format


    All responses follow a consistent format:

    - **Success**: Returns the requested data directly

    - **Error**: Returns an `error` object with detailed information


    ## Pagination


    Endpoints that return lists support pagination through parameters:

    - `page`: Page number (default: 1)

    - `limit`: Items per page (default: 20, maximum: 100)


    ## Supported Providers


    The API supports multiple payment providers:

    - **Rinne**: Internal provider

    - **Celcoin**: PIX integration and other financial services


    ## Raw Card Data (PCI Endpoints)


    Card credential fields (`card_data.number`, `card_data.cvv`,
    `card_data.network_token`,

    `card_data.cryptogram`, and the 3DS `card.number`) must always be sent
    encrypted —

    values start with the `ev:` prefix. Plaintext values are rejected with

    `400 VALIDATION_ERROR` on every host.


    There are two ways to send encrypted values:

    - **rinne-js**: card forms and wallet buttons (Apple Pay / Google Pay)
    encrypt
      credentials client-side before they leave the browser.
    - **PCI API host**: server-to-server integrations that handle raw card data
    must call
      `https://pci.api.rinne.com.br/core` (sandbox: `https://pci.api-sandbox.rinne.com.br/core`)
      instead of the regular host. This endpoint encrypts `number` and `cvv` in transit
      before the request reaches the API; all other fields pass through unchanged.

    The PCI host serves only transaction creation and 3DS session creation (both
    the

    self and merchant variants); use the regular host for everything else.
  contact:
    name: Rinne API Support
    email: suporte@rinne.com.br
servers:
  - url: https://api-sandbox.rinne.com.br/core
    description: Sandbox
  - url: https://api.rinne.com.br/core
    description: Production
security: []
tags:
  - name: System
    description: System and API health endpoints
  - name: Authentication
    description: User authentication and authorization endpoints
  - name: Management
    description: >-
      Merchant management endpoints - create, list, get specific, overview,
      update
  - name: Transactions
    description: Transaction operations for merchants - create, list, overview, refunds
  - name: Affiliations
    description: Affiliation management for merchants
  - name: Banking
    description: Banking operations for merchants - balance, cashout, statements
  - name: Bank Accounts
    description: Bank account management for merchants
  - name: Pix Keys
    description: PIX key management for merchants
  - name: Company Transactions
    description: Direct transaction management and query endpoints for companies
  - name: Companies
    description: Company management
  - name: Company Affiliations
    description: Payment provider affiliation management
  - name: Company Banking
    description: Company banking endpoints (balance, etc.)
  - name: Company Pix
    description: Company PIX key management
  - name: Company Ledger
    description: Company ledger entry query endpoints
  - name: Ledger
    description: Ledger entry query endpoints (company and merchants)
  - name: Cards
    description: Stored card management (self and merchant)
  - name: Webhooks
    description: Endpoints for receiving webhooks from external providers
  - name: Pricing
    description: Fee and cost policy management for transaction pricing
  - name: Users
    description: User management endpoints
  - name: Roles
    description: Role management endpoints
  - name: Permissions
    description: Permission management endpoints
paths:
  /v1/cards:
    post:
      tags:
        - Cards
      summary: Store a card
      description: |
        Requires the card.create permission.

        Stores a card for the authenticated company and returns a reusable card
        reference. The card number must be encrypted ciphertext (`ev:` prefix);
        Rinne never receives the raw PAN and never stores CVC.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/StoreCardRequest'
      responses:
        '201':
          description: The stored card
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CardResponse'
        '400':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationErrorResponse'
        '401':
          description: Unauthorized - Invalid or missing API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthenticationErrorResponse'
        '403':
          description: Insufficient permissions to access this resource
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationErrorResponse'
        '404':
          description: Authenticated company not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NotFoundErrorResponse'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InternalServerErrorResponse'
      security:
        - ApiKeyAuth: []
components:
  schemas:
    StoreCardRequest:
      type: object
      description: |
        Store a card for later reuse. The number is encrypted ciphertext;
        metadata that cannot be derived from ciphertext (last_digits, brand, BIN
        data) is supplied by the caller.
      required:
        - card
      properties:
        card:
          type: object
          required:
            - number
            - expiry_month
            - expiry_year
            - last_digits
          properties:
            number:
              type: string
              description: >-
                Encrypted card number ciphertext ('ev:' prefix). Raw PAN must be
                sent through the PCI API host or encrypted client-side with
                rinne-js.
              example: ev:abc123...
            expiry_month:
              type: string
              pattern: ^(0[1-9]|1[0-2])$
              description: Two-digit expiry month (01-12)
              example: '12'
            expiry_year:
              type: string
              pattern: ^\d{4}$
              description: Four-digit expiry year
              example: '2030'
            last_digits:
              type: string
              pattern: ^\d{4}$
              description: Last 4 digits of the card
              example: '4242'
            brand:
              type: string
              enum:
                - VISA
                - MASTERCARD
                - AMEX
                - ELO
                - HIPERCARD
                - DINERS
                - DISCOVER
                - JCB
                - AURA
                - CABAL
                - OTHER
            funding:
              type: string
              maxLength: 64
            issuer:
              type: string
              maxLength: 64
            country:
              type: string
              maxLength: 64
            bin:
              type: string
              pattern: ^\d{6,8}$
              description: First 6 to 8 digits of the card
            segment:
              type: string
              maxLength: 64
            currency:
              type: string
              maxLength: 64
    CardResponse:
      type: object
      description: A stored card. The encrypted number is never returned.
      properties:
        id:
          type: string
          example: 123e4567-e89b-12d3-a456-426614174000
        source:
          type: string
          enum:
            - API
            - TRANSACTION
        status:
          type: string
          enum:
            - ACTIVE
            - REPLACED
            - CLOSED
            - INVALID
        brand:
          type: string
          nullable: true
          enum:
            - VISA
            - MASTERCARD
            - AMEX
            - ELO
            - HIPERCARD
            - DINERS
            - DISCOVER
            - JCB
            - AURA
            - CABAL
            - OTHER
        last_digits:
          type: string
          example: '4242'
        expiry_month:
          type: string
          example: '12'
        expiry_year:
          type: string
          example: '2030'
        funding:
          type: string
          nullable: true
        issuer:
          type: string
          nullable: true
        country:
          type: string
          nullable: true
        bin:
          type: string
          nullable: true
        segment:
          type: string
          nullable: true
        currency:
          type: string
          nullable: true
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
      required:
        - id
        - source
        - status
        - brand
        - last_digits
        - expiry_month
        - expiry_year
        - funding
        - issuer
        - country
        - bin
        - segment
        - currency
        - created_at
        - updated_at
    ValidationErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: VALIDATION_ERROR
            message:
              type: string
              example: Validation error
            status:
              type: integer
              example: 400
            details:
              type: object
              properties:
                issues:
                  type: array
                  items:
                    type: object
                    properties:
                      field:
                        type: string
                        example: email
                      type:
                        type: string
                        example: REQUIRED
                      message:
                        type: string
                        example: Field 'email' is required
                      value:
                        anyOf:
                          - type: string
                          - type: number
                          - type: boolean
                        example: invalid_value
                      constraints:
                        type: object
                        example:
                          min: 18
                          max: 120
            path:
              type: string
              example: /companies
            timestamp:
              type: string
              format: date-time
              example: '2023-12-01T10:00:00.000Z'
            requestId:
              type: string
              example: req_123456789
    AuthenticationErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: AUTHENTICATION_ERROR
            message:
              type: string
              example: Authentication required to access this resource
            status:
              type: integer
              example: 401
            details:
              type: object
              properties:
                reason:
                  type: string
                  example: Invalid API key
            path:
              type: string
              example: /companies/me
            timestamp:
              type: string
              format: date-time
              example: '2023-12-01T10:00:00.000Z'
            requestId:
              type: string
              example: req_123456789
    AuthorizationErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: AUTHORIZATION_ERROR
            message:
              type: string
              example: You need 'admin' permissions to access this resource
            status:
              type: integer
              example: 403
            path:
              type: string
              example: /companies
            timestamp:
              type: string
              format: date-time
              example: '2023-12-01T10:00:00.000Z'
            requestId:
              type: string
              example: req_123456789
    NotFoundErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: RESOURCE_NOT_FOUND
            message:
              type: string
              example: Company with ID '123' not found
            status:
              type: integer
              example: 404
            path:
              type: string
              example: /companies/me
            timestamp:
              type: string
              format: date-time
              example: '2023-12-01T10:00:00.000Z'
            requestId:
              type: string
              example: req_123456789
    InternalServerErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              example: INTERNAL_SERVER_ERROR
            message:
              type: string
              example: An unexpected error occurred
            status:
              type: integer
              example: 500
            path:
              type: string
              example: /companies
            timestamp:
              type: string
              format: date-time
              example: '2023-12-01T10:00:00.000Z'
            requestId:
              type: string
              example: req_123456789
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key
      description: Company API key for authentication

````