Create a card via POST /cards with type=VIRTUAL and an optional spend_limit and spend_limit_duration; the response immediately returns the card number, CVV, and expiry for a virtual card.
Configure your Auth Stream Enrollment (ASA) webhook URL in the Lithic dashboard; this endpoint will receive real-time authorization requests for all cards in your account.
Implement the ASA endpoint — Lithic sends a POST request with a JSON payload describing the transaction (amount, merchant, card token, etc.); your server must respond within 2 seconds.
In your ASA handler, apply your business logic (balance check, fraud rules, merchant category controls) and return a JSON response with decision=APPROVE or decision=DECLINE.
Handle the case where your ASA endpoint is unreachable or times out — Lithic falls back to the card's configured default_authorization_code (typically DECLINE); set this appropriately for your risk tolerance.
Reconcile settled transactions by consuming Lithic's transaction webhooks or by polling GET /transactions, noting that settled amounts may differ from authorized amounts.
Known gotchas
The 2-second response window for ASA decisions is strict; any latency in your handler (database lookups, external API calls) risks a timeout and automatic fallback to the card's default — design the handler to be synchronous and in-memory where possible.
Lithic sandbox cards do not interact with real networks; use Lithic's simulated transaction endpoints to test ASA logic, and make sure you test the timeout and unreachability fallback paths explicitly.
Card state management (OPEN, PAUSED, CLOSED) is separate from ASA decisions; a card in OPEN state with a restrictive ASA is fine, but a PAUSED or CLOSED card is declined before ASA is even invoked.
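The decision logic from the ASA steps and the 2-second gotcha above, as an added example (not Lithic's code and not from the original page): rules run against in-memory state under an internal time budget, and an overrun or malformed request is declined by the handler itself instead of being left to the card's default. The payload field names (amount, card_token, merchant_mcc), the 0.5-second budget, and the sample data are assumptions; check them against Lithic's ASA schema.

```python
import json
import time

BUDGET_S = 0.5  # assumed internal budget, well inside the 2-second ASA window

# Constructed in-memory state (hypothetical token and values).
BALANCES = {"card_demo_1": 5_000}   # available funds in minor units
BLOCKED_MCCS = {"7995"}             # merchant categories this program refuses

def rule_mcc(txn):
    return txn["merchant_mcc"] not in BLOCKED_MCCS

def rule_balance(txn):
    # Assumption: amounts are non-negative integers in minor units.
    return 0 <= txn["amount"] <= BALANCES.get(txn["card_token"], 0)

RULES = [("mcc", rule_mcc), ("balance", rule_balance)]

def decide(body, clock=time.monotonic, rules=RULES):
    """Return (decision, reason) for one ASA request body (JSON text)."""
    deadline = clock() + BUDGET_S
    try:
        txn = json.loads(body)
        for name, rule in rules:
            if clock() > deadline:           # a previous step ran long
                return "DECLINE", "budget_exceeded"
            if not rule(txn):
                return "DECLINE", name
        if clock() > deadline:
            return "DECLINE", "budget_exceeded"
        BALANCES[txn["card_token"]] -= txn["amount"]   # hold funds for this auth
    except (ValueError, KeyError, TypeError):
        # Bad JSON, missing field, or wrong type: fail closed.
        return "DECLINE", "malformed_request"
    return "APPROVE", "ok"

def respond(body, **kw):
    """Build the JSON response body the page describes (decision=APPROVE/DECLINE)."""
    decision, _reason = decide(body, **kw)
    return json.dumps({"decision": decision})
```

Passing a fake clock to decide() lets the budget-overrun path be tested without a slow dependency.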