
Authentication


Kard API

The Kard API supports authentication via the OAuth 2.0 client credentials grant. Kard provides the issuer client with a client_id and client_secret.

The issuer client sends a POST request with the following headers to the Cognito URL below to retrieve the access_token. See the sample request:

$ curl -X POST "https://rewards-api.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H 'Authorization: {base64 encoded copy of "client_id:client_secret"}'

See the GET a Session Token page for more details.

The returned access token must be used in the Authorization header as a bearer token in subsequent requests.

Kard’s Earned Rewards Webhook

For the earned rewards webhook, Kard posts outbound to a URL provided by the issuer client. This webhook is validated via an HMAC signature.

An issuer client will be provided with a webhook key that is used to generate an HMAC of the webhook body. The HMAC is calculated by Kard and sent in the notify-signature header. Note that request header names are processed case-insensitively.

To validate, the issuer client should generate the HMAC with the provided key, body and SHA-256 hashing algorithm and compare against the HMAC provided in the header.

See the HMAC Signature Verification sub-section under the Transaction CLO Matching section for more details on ingesting an earned rewards webhook.
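
The validation step described above, as an added example (not Kard's own code). It recomputes HMAC-SHA256 over the raw request body and compares it in constant time with the notify-signature header. The page does not state how the signature is encoded, so the `encoding` parameter (base64 or hex), the function names and the sample key and body are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

SIGNATURE_HEADER = "notify-signature"  # header name given on this page


def get_header(headers, name):
    """Case-insensitive header lookup; returns None if the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_webhook(webhook_key, raw_body, headers, encoding="base64"):
    """Return True only if notify-signature equals HMAC-SHA256(key, body).

    raw_body must be the exact bytes received, before any JSON parsing or
    re-serialisation, otherwise whitespace or key order changes the HMAC.
    encoding is an ASSUMPTION: the page does not say how the HMAC is encoded.
    """
    if encoding not in ("base64", "hex"):
        raise ValueError("encoding must be 'base64' or 'hex'")
    received = get_header(headers, SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: reject
    try:
        if encoding == "base64":
            received_mac = base64.b64decode(received.strip(), validate=True)
        else:
            received_mac = bytes.fromhex(received.strip())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False  # malformed signature: reject
    expected_mac = hmac.new(webhook_key, raw_body, hashlib.sha256).digest()
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(expected_mac, received_mac)


# Constructed sample values, not real Kard data.
KEY = b"constructed-webhook-key"
BODY = b'{"event":"constructed-sample","amount":100}'
SIG_B64 = base64.b64encode(hmac.new(KEY, BODY, hashlib.sha256).digest()).decode()
SIG_HEX = hmac.new(KEY, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(verify_webhook(KEY, BODY, {"Notify-Signature": SIG_B64}))
    print(verify_webhook(KEY, BODY + b" ", {"notify-signature": SIG_B64}))
```

Reject the request before any processing of the body when the function returns False, and confirm the actual signature encoding against Kard's HMAC Signature Verification documentation.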