Managed cards

Issue and manage Mastercard or Visa cards for your corporatesCorporates Business entities that can be onboarded as identities on Weavr. Corporate identities represent companies and require Know Your Business (KYB) verification. They can have multiple authorised users and issue cards to card assignees. or consumersConsumers Individual persons who can be onboarded as identities on Weavr. Consumer identities represent individual customers and require Know Your Customer (KYC) verification. For consumers, the card owner and card assignee are typically the same person.. Weavr supports two types:

• Virtual cards - created instantly and ready for e-commerce and online purchases. Automatically enrolled in 3D Secure.
• Physical cards - printed and shipped to your customers. Always created as an upgrade from a virtual cardVirtual Card A payment card that is created instantly and can be used for e-commerce and online purchases. Virtual cards are issued through the Mastercard network and are automatically enrolled in the 3D Secure program for increased security and limited fraud risk. They can be created in prepaid or debit mode..

Card journey

A card is owned by an identity and assigned to a card user. Before you can issue cards, onboard a corporate or consumer and an Authorized User for the user the card will belong to.

1. Configure a card profile - choose the card type, mode, currencies, 3D Secure behaviour, and spend controls.
2. Create a virtual card - call POST /managed_cards with the profileProfile A template defining the configuration for one type of object - corporate identity, consumer identity, managed account, managed card, transfer, or outgoing wire transfer. When you create one of these objects you reference its Profile ID, which tells Weavr which limits, currencies, supported countries, branding, and fees to apply. Your programme ships with one or more Profile IDs per supported object type. ID and the linked user's userId.
3. Upgrade to a physical card (optional) - print and ship a physical cardPhysical Card A payment card that is printed or embedded in wearables and sent to customers directly. Physical cards are created by first creating a virtual card and then upgrading it to a physical card. They are sent in an inactive state and must be activated by the card assignee before first use. on top of an existing virtual one. Customise the card stock to your brand.
4. Manage the lifecycle - activate physical cardsPhysical Card A payment card that is printed or embedded in wearables and sent to customers directly. Physical cards are created by first creating a virtual card and then upgrading it to a physical card. They are sent in an inactive state and must be activated by the card assignee before first use., block or destroy cards, replace lost or stolen or damaged cards, and handle renewals.
5. Operate the card - retrieve the transaction statement, subscribe to webhook events, and configure authorization forwarding.

Card owners and card users

A card ownerCard Owner The individual or business entity that owns the cards and the funds available to be spent via card purchases. Before cards can be issued, the card owner must be onboarded on Weavr, including completing a KYB process for business card owners or a KYC process for individual card owners. is the identity (corporate or consumer) whose funds are spent. A card userCard User The person that a card is assigned to and who will use the card for purchases. Weavr does not support anonymous cards, and therefore all cards must be linked to a card user before a card can be used. For consumers, the card owner and the card user is typically the same person. For corporates, the card users are employees or individuals authorised to spend the corporate's funds. is the person the card is assigned to and who makes purchases. We don't support anonymous cards - every card must be linked to a user.

For a card to be usable, the linked user must have:

1. First and last name
2. A verified email address
3. A mobile number enrolled for an authentication factor
4. Date of birth
5. Country of residence (optional, but speeds up compliance checks)

A card created without a fully-set-up user stays in NOT_ENABLED state and becomes ACTIVE automatically once the missing information is provided. See Create a virtual card for the full enablement rules.

Mandatory user linking by October 31, 2026

For programmesProgramme A programme represents your application within Weavr. Everything you create - Identities, Instruments, Transactions - sits beneath a Programme. When you register as an Embedder, you receive a Programme in the Sandbox and, once approved, one in Production. that issue cards to corporate identities, every active managed cardManaged Card A payment card (virtual or physical) that can be created and managed through the Weavr platform. Cards can operate in prepaid mode (with their own balance) or debit mode (linked to a managed account). All cards must be assigned to a card assignee who is an Authorised User. must be linked to a user via the userId field on create or update. This applies across all card schemes and is required for sanctions screening and channel enrolment compliance. Contact our support team to enable the feature on your sandbox account.

User roles for card users

Our pre-configured Card AssigneeCard Assignee The person that a card is assigned to and who will use the card. For consumers, the card owner and card assignee are the same person. For corporates, the card assignee and card owner are different entities - the corporate is the card owner and the person using the card is the card assignee. Card assignees must be created as Authorised Users. role lets you onboard a card userCard User The person that a card is assigned to and who will use the card for purchases. Weavr does not support anonymous cards, and therefore all cards must be linked to a card user before a card can be used. For consumers, the card owner and the card user is typically the same person. For corporates, the card users are employees or individuals authorised to spend the corporate's funds. without granting them access to the rest of the corporate's financial or administrative functions.

Card modes

A card's mode determines how it accesses funds. You set the mode on the card profile - it can't be changed after the card is created.

• Prepaid - the card has its own balance and is topped up with funds.
• Debit - the card draws from the balance of a linked managed account.

Handling sensitive card data

The full card number, CVVCVV Card Verification Value - the 3-digit security code printed on a payment card, used to authenticate card-not-present transactions. Weavr returns CVV in tokenized form on `GET /managed_cards/{id}` (with a stepped-up token); the value is only detokenized inside the SDK's secure CVV display component., and PINPIN Personal Identification Number - the numeric code a cardholder enters to authorize chip-and-PIN purchases and ATM withdrawals. PIN is only present on physical managed cards. Weavr returns it tokenized on `GET /managed_cards/{id}` (with a stepped-up token), and the SDK detokenizes it inside a secure PIN display component. are PCI-sensitive. Weavr's tokenisationTokenize Replace a card's primary account number (PAN) with a unique digital token that stands in for the real card during a transaction. When a cardholder adds a card to Apple Pay or Google Pay via push provisioning, the wallet provider stores a device-specific token rather than the underlying PAN, so the real card number isn't exposed on the device or shared with merchants. model keeps this data off your servers so you can comply with the lowest level of PCI compliance. See tokenisation for how it works.

Card response fields and step-up

The shape of a GET /managed_cards/{id} response depends on whether your auth token is stepped up:

Field	Without step-up	With step-up
cardNumberFirstSix	Present	Present
cardNumberLastFour	Present	Present
cardNumber	Absent or null	{ "value": "<token>" }
cvv	Absent or null	{ "value": "<token>" }

The { "value": "<token>" } wrapper holds a secure token, not the raw value. Pass that token into the matching SDK component — Web, iOS, Android, or React Native — and the value renders inside the SDK's sandboxed view without entering your app's memory.

Always check for the field before reading it

Because cardNumber and cvv are absent without step-up, defensive client code should guard the access (response.cardNumber?.value). Triggering step-up and re-fetching the card returns the tokenisedTokenize Replace a card's primary account number (PAN) with a unique digital token that stands in for the real card during a transaction. When a cardholder adds a card to Apple Pay or Google Pay via push provisioning, the wallet provider stores a device-specific token rather than the underlying PAN, so the real card number isn't exposed on the device or shared with merchants. fields on the next response.