Documentation

Guides, API reference, and resources for the mCards Developer Platform

Getting Started

Authentication

Core Resources

Features

Webhooks

Sandbox

Security

Quick Start Guide

Get up and running with the mCards API in under 5 minutes. This guide walks you through authentication, making your first API call, and setting up a sandbox environment.

1Get Your API Credentials

After your developer application is approved, you'll receive HMAC API credentials (API key + secret). These are used for server-to-server authentication and managing OAuth applications.

Your credentials include:

HMAC API Key — identifies your developer partner account
HMAC Secret — used to sign requests (keep this secure!)

2Create an OAuth Application

Use your HMAC credentials to register an OAuth application. This gives you a client_id and client_secret for the OAuth2 client credentials flow.

bash

curl -X POST https://api.mcards.com/api/v2/oauth/applications \
  -H "Authorization: HMAC_SHA256 YOUR_KEY;YOUR_SIGNATURE" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My App",
    "scopes": "wallets:read cards:read transactions:read",
    "sandbox": true
  }'

3Exchange for a Bearer Token

Use the client credentials to get a Bearer token. This token is used for all subsequent API calls.

bash

curl -X POST https://api.mcards.com/api/v2/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_SECRET"

# Response:
{
  "access_token": "eyJhbGciOi...",
  "token_type": "Bearer",
  "expires_in": 7200,
  "scope": "wallets:read cards:read transactions:read"
}

4Make Your First API Call

Use the Bearer token to access API resources:

bash

curl https://api.mcards.com/api/v2/programs \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

# Response:
{
  "programs": [
    {
      "uuid": "prg_abc123",
      "name": "Rewards Debit",
      "type": "debit",
      "status": "active",
      "created_at": "2026-01-15T10:30:00Z"
    }
  ],
  "meta": { "total": 1, "page": 1, "per_page": 25 }
}

Changelog

v2.5.0

Sandbox Environment

March 2026

Full simulation engine for transactions, KYC, and webhooks in sandbox mode.

v2.4.0

Rate Limiting

March 2026

Per-endpoint rate limiting with X-RateLimit headers and 429 responses.

v2.3.0

Scoped Permissions

March 2026

Fine-grained API scopes for OAuth applications (22 scopes + 3 shorthands).

v2.2.0

OAuth2 Client Credentials

March 2026

Bearer token authentication via client credentials grant flow.

v2.1.0

OpenAPI/Rswag Specs

March 2026

Full Rswag request specs for all v2 API endpoints.

v2.0.0

API v2 Foundation

March 2026

13 controllers, 22 serializers covering wallets, cards, transactions, and more.