Generate an API token in the Brex dashboard under Settings > Developer; tokens are long-lived bearer tokens scoped to specific resource categories — select the minimum required scopes.
Set the base URL to https://platform.brexapis.com and include 'Authorization: Bearer {token}' and 'Content-Type: application/json' headers on all requests.
List cash transactions with GET /v2/transactions/cash/primary; use query parameters 'cursor' for pagination and 'expand[]' to inline related objects such as merchant details.
For card transactions, GET /v2/transactions/card/primary with similar pagination; note that cash and card transactions are separate resources with different schemas.
Register a webhook by POSTing to /v1/webhooks with a body containing 'url' and 'event_types' array (e.g., 'TRANSACTION_CREATED', 'CARD_LIMIT_CHANGED'); the response includes a signing secret.
Validate webhook payloads by computing HMAC-SHA256 of the raw body using the signing secret returned at registration and comparing to the 'Brex-Signature' header.
Known gotchas
Brex API tokens are not scoped to individual users — they represent the company account; a single compromised token has access to all financial data for that Brex entity, so secret management is critical.
The cash and card transaction endpoints use cursor-based pagination, not offset-based; storing and resuming from a cursor is required for reliable full-history exports, as offset-based approaches can miss or duplicate records if new transactions arrive during pagination.
Brex enforces a transaction data retention window accessible via the API; very old historical transactions may not be available through the standard transaction endpoints — contact Brex support for bulk historical exports.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp