Authentication methods

Cardcore uses these main authentication patterns:
  • Bearer {{institutionToken}} for protected institution endpoints
  • Bearer {{oauthToken}} for OAuth-based user or scoped flows
  • x-api-key: {{apiKey}} for Import Card

OAuth flow

To generate an OAuth access token, create an OAuth application, build a signed client assertion JWT, and exchange it for a token. Follow Create OAuth for the full setup flow.

Header examples

Institution token: 
Authorization: Bearer {{institutionToken}}
API key: 
x-api-key: {{apiKey}}