Registering your authorization endpoint
Your authorization endpoint is a webhook registered inREQUEST mode. Call Create a webhook endpoint with an HTTPS url and mode set to REQUEST. The response returns a signingSecret once. Store it - you need it to verify request signatures.
- One per project. Registering a second
REQUESTendpoint returns a409. To change the URL, update it in place. - Rotate-only. You can rotate the URL and signing secret, but the endpoint cannot be disabled or deleted, so your card program always has a live authorization endpoint.
- Signed. Requests are signed with the same scheme as your other webhooks - verify the signature before trusting a payload.
- Required before issuing cards. In an External project, card creation fails until this endpoint is registered. This guarantees every card in the program has a live decision endpoint behind it.
CARD_AUTHORIZATION_REQUEST and never the asynchronous event stream. Register your notification endpoints separately to receive the transaction lifecycle you reconcile against.
Testing in sandbox
In a sandbox External project, Simulate authorization fires a real signedCARD_AUTHORIZATION_REQUEST to your registered endpoint and authorizes based on the decision you return, so you can exercise your decisioning end to end - signature verification, your balance check, and the approve/decline response.
A full run-through, including the follow-on lifecycle webhooks you reconcile against, is in Testing in Sandbox.