Skip to main content

Registering your authorization endpoint

Your authorization endpoint is a webhook registered in REQUEST mode. Call Create a webhook endpoint with an HTTPS url and mode set to REQUEST. The response returns a signingSecret once. Store it - you need it to verify request signatures.
  • One per project. Registering a second REQUEST endpoint returns a 409. To change the URL, update it in place.
  • Rotate-only. You can rotate the URL and signing secret, but the endpoint cannot be disabled or deleted, so your card program always has a live authorization endpoint.
  • Signed. Requests are signed with the same scheme as your other webhooks - verify the signature before trusting a payload.
  • Required before issuing cards. In an External project, card creation fails until this endpoint is registered. This guarantees every card in the program has a live decision endpoint behind it.
The authorization endpoint is separate from your notification webhooks. It receives only CARD_AUTHORIZATION_REQUEST and never the asynchronous event stream. Register your notification endpoints separately to receive the transaction lifecycle you reconcile against.

Testing in sandbox

In a sandbox External project, Simulate authorization fires a real signed CARD_AUTHORIZATION_REQUEST to your registered endpoint and authorizes based on the decision you return, so you can exercise your decisioning end to end - signature verification, your balance check, and the approve/decline response. A full run-through, including the follow-on lifecycle webhooks you reconcile against, is in Testing in Sandbox.