What you can control
Policies fall into two families.Restrictions
Block transactions by merchant (category, specific merchant, or country) or by channel (in-store, online, ATM, push-to-card). Evaluated against the single transaction in front of it.
Limits
Cap a single transaction amount, total spend over a period, or the number of transactions over a period. Periods are calendar windows from daily through yearly, plus lifetime.
How policies work
Every policy has three parts:- A type, which decides what it checks (a merchant restriction, a spend limit, and so on).
- A scope, which decides what it applies to: your whole program, one cardholder, or one card. See Scopes.
- A configuration, the values specific to the type (the merchants to block, the amount cap, the window).
When a policy declines a transaction
A blocked transaction is recorded asDECLINED with a declineReason code that identifies which kind of rule stopped it, and a policy reference that names the exact policy responsible. The reference is captured on the transaction at decline time, so it stays accurate even if you later edit or remove that policy.
Managing policies
Editing a policy
Most of a policy can be changed in place. A few properties are fixed at creation, because changing them would change what the policy fundamentally is.Editable
- Name, with
PATCH /policies/{id} - Status, via enable / disable
- Amounts, counts, merchants, and channels, with
PUT /policies/{id}/config
Fixed at creation
- Type
- Scope
- A limit’s calendar window
$500 to $1,000 mid-day does not reset what has already been spent, it just raises the ceiling.
Turning a policy off
To stop enforcing a policy, disable it withPOST /policies/{id}/disable. A disabled policy is skipped during authorization but keeps its recorded usage, so re-enabling it with POST /policies/{id}/enable resumes from where it left off. Enabling an already-enabled policy, or disabling an already-disabled one, returns it unchanged.
Seeing what applies and what remains
GET /policies lists the policies you created. To see the full set actually in force for one card, cardholder, or your program - including the policies inherited from a higher scope - use List effective policies. This is also how you read how much of each limit is left.
Pass the scope as query parameters: scopeType (CARD, USER, or PROJECT) plus, for CARD and USER, the scopeId. The response lists every active policy that applies, most specific first. Each spend or transaction count limit carries a usage object with the headroom remaining in the window and a resetsAt timestamp for when it rolls over; restrictions and per-transaction caps report usage: null. This is the endpoint behind a “how much can I still spend today?” view, and only active policies are returned. See List effective policies for the full request and response shape.
Next
Control types
Every policy type and the configuration it takes.
Scopes
Where policies attach and how the effective set is resolved.