Authenticate requests by including your API key in the Authorization header as a bare key value (not Bearer-prefixed) per docs.lithic.com/docs/api-basics.
POST to https://api.lithic.com/v1/cards with a body specifying type: VIRTUAL and optionally spend_limit, spend_limit_duration, and state: OPEN to create an active virtual card.
Optionally attach Authorization Rules via the Authorization Rules endpoints (docs.lithic.com/docs/authorization-rules-v2) to restrict the card to specific MCCs, merchants, or apply velocity limits.
In sandbox, simulate a card authorization by calling the simulations endpoint with the card token and a transaction amount; inspect the returned authorization decision.
Retrieve card PAN and CVV in sandbox (or in production only for PCI-compliant clients) via the card details endpoint.
Subscribe to card-related events using the Events API (docs.lithic.com/docs/events-api) to receive webhook notifications for authorizations, clearings, and disputes.
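As an added example (not Lithic's code and not from this page), the Python below builds the card-creation request from the steps above without sending it, refuses a Bearer-prefixed key, and masks PAN and CVV before a card response is logged. The helper names, the placeholder key, the sample values and the lowercase pan/cvv field names are assumptions.

```python
import json
import urllib.request

BASE_URL = "https://api.lithic.com/v1"                 # versioned base URL from the page
CARD_TYPES = {"VIRTUAL", "PHYSICAL", "SINGLE_USE"}     # card types named on the page
OPTIONAL_FIELDS = {"spend_limit", "spend_limit_duration", "state"}
SENSITIVE_FIELDS = {"pan", "cvv"}                      # assumed JSON field names


def build_create_card_request(api_key, card_type="VIRTUAL", **optional):
    """Build (but do not send) the POST /cards request described above."""
    key = api_key.strip()
    # The header carries the bare key, so reject a pasted "Bearer ..." value.
    if not key or key.lower().startswith("bearer "):
        raise ValueError("Authorization must be the raw API key, no Bearer prefix")
    if card_type not in CARD_TYPES:
        raise ValueError(f"unknown card type: {card_type!r}")
    unknown = set(optional) - OPTIONAL_FIELDS
    if unknown:
        raise ValueError(f"unsupported fields: {sorted(unknown)}")
    body = {"type": card_type}
    body.update({k: v for k, v in optional.items() if v is not None})
    return urllib.request.Request(
        f"{BASE_URL}/cards",
        data=json.dumps(body).encode(),
        headers={"Authorization": key, "Content-Type": "application/json"},
        method="POST",
    )


def redact_card(card):
    """Return a copy of a card response that is safe to log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in card.items()}


if __name__ == "__main__":
    # Constructed placeholder key and values; nothing is sent over the network.
    req = build_create_card_request("sandbox-key-placeholder", spend_limit=1000,
                                    spend_limit_duration="TRANSACTION", state="OPEN")
    print(req.get_method(), req.full_url, req.data.decode())
    # Constructed sample response, not real card data.
    sample = {"token": "00000000-0000-0000-0000-000000000000", "type": "VIRTUAL",
              "state": "OPEN", "pan": "4111111111111111", "cvv": "123"}
    print(redact_card(sample))
```

Log only the redacted copy and never the Request object's headers, since the Authorization value is the key itself.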
Known gotchas
Lithic's base URL is https://api.lithic.com/v1 (versioned path) and authentication uses the raw API key in the Authorization header — no Bearer prefix and no separate version header.
Card types VIRTUAL, PHYSICAL, and SINGLE_USE have different state lifecycle rules; SINGLE_USE cards close after the first authorization and cannot be reopened.
PAN and CVV fields are available in all sandbox responses but in production are only returned to clients that have verified PCI compliance — plan your cardholder display flow accordingly.