Skip to main content

Card Payments

Conto supports connecting existing payment cards to the policy engine, giving you spend limits, merchant controls, time windows, and MCC-based restrictions for agent card usage.
Issuing new cards directly through Conto is not yet generally available. Today, you can connect any existing card manually and enforce policies through the SDK approve/confirm flow.

Connecting a Card

Register an existing card by providing its last 4 digits, brand, and spend limits. Card management routes currently use the signed-in dashboard session; they do not accept agent SDK keys. Set CONTO_DASHBOARD_COOKIE to the full Cookie header from a signed-in dashboard request.
Response:
You can also create cards from the dashboard at Cards > Create Card.

Assigning Cards to Agents

After connecting a card, assign it to an agent with per-agent limits:
Agent-level limits cannot exceed card-level limits. One card can be assigned to multiple agents, each with their own spend controls.

Card State Management

Pause, resume, or cancel cards from the dashboard or API:

Linking Policies to Cards

Beyond the per-agent field-based limits, you can link named policies to cards. This uses the same Policy / PolicyRule framework as wallets and agents.
Card policies support all standard rule types plus card-specific ones: See Advanced Policies for value formats.

Policy Enforcement

Card payments are evaluated through two layers:

Layer 1: Agent-Card Limits

Field-based limits set when assigning a card to an agent:
  • Per-transaction, daily, weekly, monthly spend limits
  • Time windows (allowed days and hours)
  • MCC category allow/block lists
  • Merchant allow/block lists

Layer 2: Policy Rule Engine

Database-defined policies linked to the card or agent:
  • All standard rule types (velocity, geographic, approval thresholds)
  • Card-specific MCC and merchant rules
  • Priority-ordered evaluation with AND logic
Both layers run together. The first violation from either layer denies the payment.

SDK Approve/Confirm Flow

Agents use the approve/confirm pattern before charging a connected card:
1

Request Approval

Agent calls POST /api/sdk/cards/approve before charging the card.
2

Receive Approval

Conto evaluates both policy layers and returns an approval token (valid 5 minutes).
3

Charge the Card

Agent processes the card charge through its own payment integration.
4

Confirm Payment

Agent calls POST /api/sdk/cards/{requestId}/confirm with the transaction reference.
You can also include merchantDetails if the card processor returns the settled merchant name, MCC, or location after authorization.

API Reference

Card Alert Types

Card transactions are monitored for anomalies after each confirmed payment. These alerts are created automatically:
Card alerts require sufficient transaction history for statistical detection. CARD_SPEND_VELOCITY needs at least 5 days of history and 10 prior transactions. CARD_LARGE_TX needs at least 10 prior transactions.

Next Steps

Card Management Guide

Dashboard walkthrough for managing cards

Advanced Policies

Card-specific policy rule types

Standard Payments

Stablecoin payment flow

Spend Limits

Configure spending controls