Issue, fund, freeze, and delete virtual cards programmatically via REST. Webhooks for every lifecycle event. Built for bot fleets, scraping infrastructure, AI agents, and any system that needs disposable payment surfaces at scale.
Bot operators and automation engineers need a payment primitive that's as ephemeral and disposable as their compute. Manual card issuance through a dashboard doesn't scale; bank-issued virtual cards require KYC and rate-limit issuance to 1-2 per day. CryptoCardy exposes the full card lifecycle as a REST API, with no per-issuance approval, no identity verification, and a $1.50-per-card unit cost.
POST /api/v1/cards — issue a new card. Returns number, expiry, CVV, and the card-id.POST /api/v1/cards/:id/freeze / /unfreeze — toggle the card's authorisation state.DELETE /api/v1/cards/:id — close the card and refund unused balance to the account.POST /api/v1/cards/:id/topup — move funds from the account balance to the card balance.GET /api/v1/cards/:id/transactions — list authorisations and settlements.POST /api/v1/topups — create a deposit address, get back the QR + crypto amount.GET /api/v1/topups/:id — poll the deposit status (or use webhooks).Full reference at /api-docs.
Bearer-token auth. Generate one or more API tokens from the dashboard's settings panel. Each token has its own scope (read-only, card-mgmt, full) and can be rotated or revoked independently.
Rate limit: 60 requests / minute on the read endpoints, 10 / minute on the write endpoints. If you need higher limits, contact support via the dashboard ticket system (requires at least one active card on the account).
For a scraping fleet that needs disposable payment surfaces:
DELETE to close the card. Unused balance refunds to the account instantly.This pattern is the lowest-overhead way to give each worker an isolated payment surface. The $1.50 per-card cost is a fraction of the cost of any other approach.
Subscribe to lifecycle events through the webhooks panel:
card.issued — fires when a card is created.card.authorised — every successful authorisation (transaction approved).card.declined — every declined authorisation with reason code.card.frozen / card.unfrozen / card.deletedtopup.confirmed — when a crypto deposit credits the account.topup.cancelled — when a deposit expires unused.Webhooks deliver HMAC-signed JSON to your endpoint. Replay protection via signed timestamps. Delivery retries 6 times with exponential backoff before giving up.
10 issuance calls per minute per account by default. Sustained higher rates need a support conversation — the platform monitors for abuse patterns.
Yes. There is no minimum lifetime. Issue, transact, delete in under 10 seconds is a supported pattern.
The API runs on the same infrastructure as the dashboard, target 99.9% monthly uptime. Status visible on the public status page (coming soon).
Subscribe to the <code>card.declined</code> webhook. It includes the network reason code and the auth attempt details. Your worker can then issue a fresh card and retry.
Yes. <code>POST /api/v1/topups</code> creates a deposit address; <code>GET /api/v1/topups/:id</code> polls the status. For full automation, subscribe to the <code>topup.confirmed</code> webhook.
Not yet, but the API is small enough to wrap in any HTTP client in a few hundred lines. Python and Node.js examples in <a href="/api-docs">/api-docs</a>.
Sign up with a seed, top up with crypto, generate an API token from the dashboard. Your first card via API in under 10 lines of code.