id you use to retrieve or delete the card later.
Rinne stores card credentials as ciphertext only — it never receives or persists a raw card number, and never stores a CVC. Supply the card number as an encrypted value, the same way you do for card transactions.
Access levels (self vs merchant)
Cards on file are available at two access levels, mirroring transactions:| Context | Base path |
|---|---|
| Self (company acting on its own cards) | /v1/cards |
| Organization on behalf of a merchant | /v1/merchants/{merchantId}/cards |
{merchantId}; otherwise the request returns 404.
Every operation exists at both levels. The merchant routes take the same request and response shapes as the self routes, under /v1/merchants/{merchantId}/cards.
Endpoints
| Method | Path | Permission | Description |
|---|---|---|---|
POST | /v1/cards | card.create | Store a card |
GET | /v1/cards | card.list | List stored cards |
GET | /v1/cards/{cardId} | card.view | Get a stored card |
DELETE | /v1/cards/{cardId} | card.delete | Delete a stored card |
POST | /v1/merchants/{merchantId}/cards | merchant.card.create | Store a card for a merchant |
GET | /v1/merchants/{merchantId}/cards | merchant.card.list | List a merchant’s stored cards |
GET | /v1/merchants/{merchantId}/cards/{cardId} | merchant.card.view | Get a merchant’s stored card |
DELETE | /v1/merchants/{merchantId}/cards/{cardId} | merchant.card.delete | Delete a merchant’s stored card |
Supplying the card number
Rinne’s API only accepts card numbers in encrypted form. Sendcard.number as an encrypted value — you can recognize encrypted values by their ev: prefix — exactly as you do for card transactions. A request where number arrives in plain text is rejected with 400 VALIDATION_ERROR before any processing happens.
These encrypted values come from the rinne-js Card Element, which encrypts the card number in the customer’s browser so raw card data never touches your servers.
What to send
A stored card needs the encryptednumber, its expiry_month and expiry_year, and the card’s last_digits. You can optionally include display metadata such as the card brand. The Card Element returns brand and last_digits for you.
For the complete request and response schema — every field, type, and constraint — see the Cards API reference.
No CVC is sent or stored when you store a card, and expiry is validated for format only — a card with a past expiry date can still be stored.
Store a card
201 Created
id — the reference you use to retrieve or delete it — along with its stored metadata and timestamps. The encrypted number is never returned by any endpoint.
Keep the
id you get back — it’s how you reference the stored card later. To change a stored card’s details, delete it and store it again.List stored cards
Returns the company’s stored cards, newest first, paginated.cURL
200 OK
page (default 1) and limit (default 20, max 100) to page through results.
Get a stored card
cURL
404.
Delete a stored card
cURL
204 No Content. Deletion is permanent: a deleted card is excluded from all subsequent reads and cannot be restored.
Scope and isolation
- A stored card is only visible to the company that owns it. A request for a card outside the caller’s scope — another company, or a sibling merchant — returns
404. - On merchant routes, the authenticated organization must own
{merchantId}; otherwise the request returns404.
Errors
400 VALIDATION_ERROR— the request failed validation, most commonly a plain-textnumber(send it encrypted) orlast_digitsthat isn’t exactly 4 digits.404— the card, or the merchant on a merchant route, isn’t found within the caller’s scope.
Next steps
Card transactions
Process credit and debit card payments with 3DS.
Card Element
Capture encrypted card data in the browser with rinne-js.
Authentication
Authenticate API requests with your API key.
Error handling
Handle validation and API errors consistently.

