Docs

API Reference

Updated: 29 March 2026 Base URL: mcp.themeridian.cards v1
Contents
  1. 01 Introduction
  2. 02 MCP Protocol
  3. 03 MCP Tools
  4. 04 REST API
  5. 05 Webhooks
  6. 06 Error Handling
Section 01

Introduction

The Meridian Cards API lets you create and manage virtual Visa cards programmatically — either through your AI agent via the MCP endpoint, or directly via the REST API from your application or dashboard.

Base URL

Base https://mcp.themeridian.cards

Authentication

All requests must be authenticated. Two methods are supported:

  • Bearer token (OAuth 2.1 with PKCE) — the primary authentication method. Obtain tokens via the magic-link flow at /auth/magic-link and /auth/verify. Include in requests as Authorization: Bearer <token>.
  • API key — coming soon. Will allow direct programmatic access without the OAuth flow.

MCP authentication: When connecting through an AI agent (Claude Desktop, Cursor, etc.), authentication is handled automatically by the MCP setup flow. Your OAuth token is securely passed with each tool call.

Response Format

All API responses are JSON. The Content-Type header is always application/json. MCP tool responses follow the JSON-RPC 2.0 format used by the Model Context Protocol.

Rate Limits

Endpoint group Limit Window
General REST API 100 req/min Rolling 60 seconds
MCP endpoint (/mcp) 20 req/min Rolling 60 seconds

Exceeding rate limits returns 429 Too Many Requests. Implement exponential back-off in your clients.

Section 02

MCP Protocol

Meridian Cards exposes a Model Context Protocol (MCP) endpoint that allows AI agents — including Claude Desktop, Cursor, and any other MCP-compatible client — to create and manage virtual cards on your behalf.

Endpoint

POST https://mcp.themeridian.cards/mcp

This is a standard MCP-over-HTTP endpoint. You do not call it directly — your AI agent does. Simply add the URL to your agent's MCP server configuration.

Setup

To connect your AI agent, add the following to your MCP configuration:

// Claude Desktop config (claude_desktop_config.json)
{
  "mcpServers": {
    "meridian": {
      "url": "https://mcp.themeridian.cards/mcp",
      "type": "http"
    }
  }
}

For a full step-by-step walkthrough, see the setup tutorial on the main page. Authentication is handled via the browser-based OAuth 2.1 + PKCE flow the first time you connect.

Protocol Details

The MCP endpoint implements the Model Context Protocol specification. Requests and responses use JSON-RPC 2.0 framing. All tool operations are user-scoped: the server derives your identity from the OAuth token in the session and only operates on cards and data that belong to your account.

Security note: Never share your MCP OAuth token. Each authenticated session is bound to your account. If you suspect a session has been compromised, re-authenticate to invalidate existing tokens.

Section 03

Available MCP Tools

The following tools are registered on the MCP server. Your AI agent can call them by name. All monetary amounts are in cents (e.g. 5000 = €50.00).

create_virtual_card
Creates a new virtual Visa card with a spending limit. Returns the card ID, last 4 digits, status, brand, currency, and expiry date.

Parameters

Name Type Required Description
amount integer Required Spending limit in cents. e.g. 5000 = €50.00
currency string Optional ISO 4217 currency code. Defaults to "eur"
description string Optional Human-readable label for this card, e.g. "OpenAI API key"

Example Input

{
  "amount": 5000,
  "currency": "eur",
  "description": "OpenAI API key"
}

Example Response

{
  "id": "ic_xxx",
  "last4": "7291",
  "brand": "Visa",
  "status": "active",
  "currency": "eur",
  "spending_limit_cents": 5000,
  "exp_month": 3,
  "exp_year": 2029
}
get_balance
Retrieves the Stripe Issuing balance — how much funding is available to back virtual cards. No parameters required.

Parameters

This tool takes no parameters.

Example Response

[
  {
    "available_cents": 150000,
    "currency": "eur"
  }
]
list_cards
Lists your virtual cards. Optionally filter by status and control how many results are returned.

Parameters

Name Type Required Description
status enum Optional Filter by status. One of: active, inactive, canceled
limit integer Optional Max cards to return. Range 1–100. Defaults to 10

Example Response

[
  {
    "id": "ic_xxx",
    "last4": "7291",
    "brand": "Visa",
    "status": "active",
    "currency": "eur",
    "spending_limit_cents": 5000,
    "description": "OpenAI API key",
    "created_at": "2026-03-29T14:00:00Z"
  }
]
get_card_details
Retrieves the full card number, CVC, and expiry for a virtual card. Handle this data carefully — it is sensitive payment information.

Parameters

Name Type Required Description
card_id string Required Stripe card ID in the format ic_xxx

Example Response

{
  "id": "ic_xxx",
  "last4": "7291",
  "number": "4242 4242 4242 7291",
  "cvc": "123",
  "exp_month": 3,
  "exp_year": 2029,
  "status": "active"
}

Sensitive data: The full card number and CVC returned by this tool are live payment credentials. Do not log, store, or transmit them beyond what is necessary to complete the intended payment.

close_card
Permanently cancels a virtual card. This cannot be undone — the card will no longer work for any transactions. Unused balance is returned to your wallet.

Parameters

Name Type Required Description
card_id string Required Stripe card ID in the format ic_xxx to cancel

Example Response

{
  "id": "ic_xxx",
  "last4": "7291",
  "status": "canceled",
  "message": "Card ending in 7291 has been canceled."
}
update_card_limit
Updates the all-time spending limit on an existing virtual card. Use this to increase or decrease the amount available on a card.

Parameters

Name Type Required Description
card_id string Required Stripe card ID in the format ic_xxx
amount integer Required New spending limit in cents. Must be a positive integer.

Example Response

{
  "id": "ic_xxx",
  "last4": "7291",
  "status": "active",
  "spending_limit_cents": 10000,
  "currency": "eur"
}
Section 04

REST API (Dashboard)

The REST API powers the Meridian Cards dashboard and is available for direct integration. All endpoints require a valid Bearer token obtained via the magic-link authentication flow. Pass it in every request:

Authorization: Bearer <your_access_token>

Access tokens expire after 1 hour. Use the refresh endpoint to obtain a new one without re-authenticating.

Authentication
POST /auth/magic-link Send a magic link to an email address. Creates the user if they don't exist.
GET /auth/verify?token=xxx Verify a magic link token. Returns access_token, refresh_token, and user info.
POST /auth/refresh Refresh an expired access token using a valid refresh_token. Returns a new access_token.
GET /auth/me Get the current authenticated user's ID, email, plan, and plan status.
Cards
GET /api/cards List the authenticated user's cards. Supports ?status=, ?page=, and ?limit= query params.
GET /api/cards/:id Get full details for a single card, including recent transactions.
Transactions
GET /api/transactions Paginated transaction history. Filter by ?card_id=, ?status=, ?from=, and ?to= (ISO 8601 dates).
Account
GET /api/balance Retrieve the available wallet balance for the authenticated user.
GET /api/plan Get the current plan details, subscription status, and monthly usage stats (cards created, spend).
POST /api/plan/upgrade Initiate a plan upgrade. Body: {"plan_id": "pro", "currency": "eur"}. Returns a Stripe Checkout URL.
POST /api/plan/cancel Cancel the current subscription. The plan reverts to free at the end of the billing period.

Pagination: List endpoints return a pagination object with page, limit, total, and pages. Default page size is 20, maximum is 100.

Section 05

Webhooks

Meridian Cards uses Stripe webhooks to stay in sync with card and billing events. If you are building on top of the platform, these are the events you should be aware of.

Stripe Webhook Endpoint

Configure the following URL in your Stripe dashboard as a webhook endpoint:

POST https://mcp.themeridian.cards/webhooks/stripe

Handled Events

The following Stripe event types are processed by Meridian Cards:

issuing_transaction.created issuing_card.updated customer.subscription.created customer.subscription.updated customer.subscription.deleted invoice.payment_failed
Event Description
issuing_transaction.created A transaction was made on one of your virtual cards. Used to update spend tracking and transaction history.
issuing_card.updated A card's status or limit changed in Stripe Issuing. Keeps local card records in sync.
customer.subscription.* Subscription lifecycle events (created, updated, deleted). Updates user plan status accordingly.
invoice.payment_failed A subscription renewal payment failed. May trigger account downgrade after grace period.

Webhook security: All incoming webhook requests are verified using Stripe's webhook signature (stripe-signature header). Requests with invalid signatures are rejected with 400 Bad Request.

Section 06

Error Handling

Meridian Cards uses standard HTTP status codes. Errors always include a JSON body with a human-readable message. MCP tool errors additionally follow the JSON-RPC 2.0 error format.

HTTP Status Codes

Code Status Meaning
200 OK Request succeeded.
201 Created Resource created successfully (e.g. a new card).
400 Bad Request Missing or invalid parameters. Check the error message for details.
401 Unauthorized Missing, invalid, or expired authentication token.
403 Forbidden Authenticated but not permitted to access this resource.
404 Not Found The requested resource does not exist or does not belong to your account.
429 Too Many Requests Rate limit exceeded. Wait before retrying. Use exponential back-off.
500 Internal Server Error An unexpected server error occurred. Retry after a short delay. If persistent, contact support.

REST Error Format

{
  "error": "Card not found"
}

MCP Error Format

MCP tool errors follow the JSON-RPC 2.0 format, wrapped in the MCP content block:

{
  "content": [
    {
      "type": "text",
      "text": "{\"error\": true, \"message\": \"No such card\", \"code\": \"resource_missing\", \"http_status\": 404}"
    }
  ],
  "isError": true
}

Your AI agent will surface the message field in its response. The code and http_status fields are available for programmatic handling if you build custom MCP client logic.

Questions or issues? Contact us at support@themeridian.cards. We respond within 2 business days.