Skip to main content
GET
/
cards
/
{id}
Card details
curl --request GET \
  --url https://api.cartevo.co/api/v1/cards/{id} \
  --header 'Authorization: Bearer <token>'
{
  "success": true,
  "statusCode": 200,
  "message": "Data retrieved successfully",
  "data": {
    "id": "91b3c6d6-111b-44da-9f81-16f019bebe8c",
    "status": "ACTIVE",
    "balance": 0.45,
    "currency": "USD",
    "number": "tkAlsp_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YWx1ZSI6IjUzNjAyNTI0ODM0NjU0MDciLCJpYXQiOjE3NjExNDg5NzR9.7sNid1b1pxmkpseiCR45E8Xj9hdmenZDovBcjVatBF0",
    "masked_pan": "**** **** **** 5407",
    "cvv": "tkAlsp_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YWx1ZSI6Ijg1NyIsImlhdCI6MTc2MTE0ODk3NH0.K7YHl0nzZTsScjUma_G5fyxYZFNnK-2SczstVtdMK1A",
    "expiry_month": 10,
    "expiry_year": 28,
    "is_virtual": true,
    "is_physical": false,
    "created_at": "2023-11-07T05:31:56Z"
  }
}

Overview

GET /cards/{id} returns full details of a single card. By default, the card number and CVV are returned as masked or as opaque encrypted tokens (PCI DSS requirement). Append ?reveal=true to receive the cleartext PAN and CVV — every reveal call is audit-logged and visible in your dashboard.

When to use it

  • Display a card’s status and balance to the cardholder.
  • One-time reveal of the PAN/CVV for the cardholder to use the card (e.g. in a “show card” UI immediately after creation).
  • Reconcile your local cache against Cartevo’s source of truth (use ?sync=true).

Prerequisites

  • The card must belong to your company.
  • For ?reveal=true: nothing extra — but be aware every reveal is audit-logged.

Request

Headers

NameRequiredDescription
AuthorizationYesBearer <access_token>

Path parameters

NameTypeDescription
idstringCard ID (UUID).

Query parameters

NameTypeDefaultDescription
revealbooleanfalseIf true, the response includes the cleartext number and cvv instead of opaque tokens. Audit-logged.
includeRawbooleanfalseIf true, includes the raw upstream-issuer payload under raw. Useful for debugging; not for production UI.
syncbooleantrueIf true (default), force-refresh from the upstream issuer. Set false to read from Cartevo’s local cache only (faster).

Response

200 — Success (default, masked)

{
  "success": true,
  "statusCode": 200,
  "message": "Data retrieved successfully",
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "status": "ACTIVE",
    "balance": 100.0,
    "currency": "USD",
    "masked_pan": "**** **** **** 1111",
    "number": "tkMplr_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "cvv": "tkMplr_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "expiry_month": 12,
    "expiry_year": 2028,
    "is_virtual": true,
    "is_physical": false,
    "brand": "VISA",
    "created_at": "2026-05-09T10:15:00.000Z"
  }
}

200 — With ?reveal=true

{
  "success": true,
  "statusCode": 200,
  "message": "Data retrieved successfully",
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "status": "ACTIVE",
    "balance": 100.0,
    "currency": "USD",
    "masked_pan": "**** **** **** 1111",
    "number": "4111111111111111",
    "cvv": "123",
    "expiry_month": 12,
    "expiry_year": 2028,
    "is_virtual": true,
    "is_physical": false,
    "brand": "VISA",
    "created_at": "2026-05-09T10:15:00.000Z"
  }
}

Field reference

FieldTypeDescription
idstringCard ID (UUID).
statusstringOne of PENDING, ACTIVE, FROZEN, SUSPENDED, TERMINATED, FAILED. See Glossary → Card.
balancenumberAvailable balance in currency.
currencystringAlways USD.
masked_panstringAlways returned. Last 4 digits visible.
numberstringWithout reveal: opaque encrypted token (begins tkMplr_). With reveal: cleartext 16-digit PAN.
cvvstringWithout reveal: opaque encrypted token. With reveal: cleartext 3-digit CVV.
expiry_monthinteger1–12.
expiry_yearinteger4-digit year.
is_virtualbooleanAlways true today.
is_physicalbooleanAlways false today.
brandstringVISA or MASTERCARD.
About the opaque tokens: When reveal is not set, the number and cvv fields contain encrypted tokens (e.g. tkMplr_...). These are not decryptable client-side and not usable as a real card number. They exist so that field shapes are stable across both response variants. Always store them only if you are sure why.

Error responses

StatusTrigger
401Missing or expired Bearer token.
404Card does not exist or belongs to another company.
5xxUpstream issuer unreachable (only when sync=true).

Security and PCI DSS

  • Every call with ?reveal=true is audit-logged.
  • Never store revealed PAN/CVV in your own logs, databases, or analytics.
  • Pass revealed data only over HTTPS, only to the cardholder, and never to third parties.
  • For more details, see the Cards Overview → PCI DSS section.

Code examples

cURL
# Masked
curl https://api.cartevo.co/api/v1/cards/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN"

# Revealed (audit-logged)
curl 'https://api.cartevo.co/api/v1/cards/550e8400-e29b-41d4-a716-446655440000?reveal=true' \
  -H "Authorization: Bearer $TOKEN"
Node.js (axios)
const { data } = await axios.get(
  `https://api.cartevo.co/api/v1/cards/${cardId}`,
  {
    headers: { Authorization: `Bearer ${token}` },
    params: { reveal: true },
  }
);
const { number, cvv, expiry_month, expiry_year } = data.data;

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

id
string<uuid>
required

Query Parameters

reveal
boolean
default:false

Set to true to reveal unmasked card details (number, CVV). Default is false.

Response

Detailed information for a single card.

success
boolean
Example:

true

statusCode
integer
Example:

200

message
string
Example:

"Data retrieved successfully"

data
object