Update card references
Update the list of references (references) for a company or auto-issued card.
References can be amended up to 10 times. Reference names must be unique.
References are only supported for cards owned by the business (i.e. company or auto-issued cards).
They can't be added to team member cards (i.e. with holder_id present).
The references recorded on a transaction are those assigned to the card at the time the transaction took place. If the references are amended, they will only be applied to future transactions. Existing transaction are not affected.
This operation overrides the existing references. This means that it removes the current list completely, and replaces it with the new one provided in this request.
If you want to add references to the card instead of replacing the existing ones, make sure that you fetch the existing references first, and include them in your request.
To delete existing references without adding new ones, simply provide an empty list.
On success, the updated list of references is returned.
This feature is available in the UK, US, the EEA, and SG.
This feature is not available in Sandbox.
To use the Cards API, please contact Revolut API Support.
For more information, see the guides: Manage cards.
Access Token
Each Business API request must contain an authorization header in the following format to make a call: Bearer <your_access_token>.
The access token will be obtained the first time you set up your application and has an expiration of 40 minutes.
During setup, a refresh_token will also be obtained which allows to obtain a new access_token.
Never share your client-assertion JWT (JSON web token), access_token and refresh_token with anyone, as these can be used to access your banking data and initiate transactions.
Access tokens can be issued with four security scopes and require a JWT (JSON Web Token) signature to be obtained:
READ: Permissions forGEToperations.WRITE: Permissions to update counterparties, webhooks, and issue payment drafts.PAY: Permissions to initiate or cancel transactions and currency exchanges.READ_SENSITIVE_CARD_DATA: Permissions to retrieve sensitive card details.cautionIf you enable the
READ_SENSITIVE_CARD_DATAscope for your access token, you must set up IP whitelisting. Failing to do so will prevent you from accessing any Business API endpoint.IP whitelisting means that you must specify an IP or a set of IPs which will be the only IPs from which requests to the API will be accepted. To do so:
- Go to the Revolut Business web app settings → APIs → Business API.
- Select the corresponding API certificate.
- In Production IP whitelist, provide the IP(s) which should be whitelisted, and save.
To configure your JWT and obtain the refresh and first access tokens, complete the following steps:
Request
References for the card. Up to 5 name-value pairs assigned to the card for tracking.
This will override the existing references.
Response
Updated list of references.
Up to 5 name-value pairs assigned to the card for tracking.