Authenticate using HTTP Basic Auth with your application token as username and admin access token as password against the Marqeta sandbox or production base URL
Create a Card Product: POST /cardproducts with a config object specifying fulfillment (type: 'VIRTUAL_PAN'), card_life_cycle (activate_upon_issue: true or false), controls (spending limits, velocity), and a unique name and token
Create a User if not already created: POST /users with first_name, last_name, email, and any required KYC fields; receive a user token
Create a GPA Order to fund the user's account: POST /gpaorders with user_token, amount, currency_code, and funding_source_token
Create the virtual card: POST /cards with user_token, card_product_token, and optionally fulfillment.shipping fields; receive the card token and, if activate_upon_issue is true, a pan, cvv_number, and expiration
Known gotchas
PAN, CVV, and expiration are only returned in the card creation response if configured to do so; subsequent GETs mask the PAN — use the /cards/{token}/showpan endpoint with appropriate authorization for subsequent PAN retrieval
Spending controls on the card product apply at issuance; changes to the card product after issuance do not retroactively update existing cards unless you also update the card directly
Marqeta sandbox transactions require using the simulate transaction endpoint (POST /simulate/authorization) to generate test activity; no live network traffic reaches the sandbox
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp