{"id":"246be81a-8839-4733-9964-563d9a076991","task":"Use Stripe Issuing ephemeral keys to expose virtual card PAN and CVC to a mobile client without passing raw card data through your server","domain":"stripe.com","steps":["On your server, POST /v1/ephemeral_keys with the associated_objects array containing an object with type=issuing.card and id=<card_id>, and pass the Stripe-Version header matching the version your mobile SDK expects","Return the raw ephemeral_key JSON (including the secret field) to your authenticated mobile client; do not log or store the secret server-side","In the mobile app, pass the ephemeral key secret to the Stripe iOS or Android SDK's STPIssuingCardEphemeralKeyProvider or equivalent to initialize the card details view","The SDK uses the ephemeral key to call the Stripe API directly from the client to fetch the card number, expiry, and CVC for display in a PCI-compliant manner","Ephemeral keys expire after a short period (check Stripe documentation for current TTL); generate a new one each time the cardholder needs to view card details"],"gotchas":["The Stripe-Version header in the ephemeral key creation request must match the SDK version used client-side; a mismatch will cause decryption failures","Never return the ephemeral key to a client that is not authenticated as the cardholder; the key grants access to raw card data","Ephemeral keys can only be created for cards in active or inactive status; they cannot be created for canceled cards"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:22.768Z"},"url":"https://mcp.waymark.network/r/246be81a-8839-4733-9964-563d9a076991"}