Customers
- GETGet current customer (auto-creates if needed)
- POSTCreate customer
- GETGet customer wallet balance and IBAN
- GETGet customer by ID
- PATCHUpdate customer
- POSTSubmit KYC verification
- GETCheck KYC verification status
- GETOrg member-seat limit + current usage for the active plan
- POSTInherit KYC from another customer (dashboard-only org bootstrap)
Agents
- GETList agents
- POSTCreate agent (auto-creates virtual card and policy)
- GETGet agent by ID
- DELDelete agent (cascades to card, policy, tokens)
- PATCHUpdate agent
- POSTFund agent card (adds to wallet balance)
- GETGet agent wallet balance and IBAN
- POSTFreeze agent (also freezes card)
- POSTUnfreeze agent (also unfreezes card)
Agent Tokens
Policies
- GETList standalone policies
- POSTCreate standalone policy template
- DELDelete standalone policy (cannot delete agent-bound policies)
- POSTApply a policy template to an agent
- GETGet the effective policy for an agent
- PATCHUpdate agent policy (API key or dashboard only)
- GETList built-in policy presets
- GETGet a single built-in policy preset
- POSTCreate a policy from a built-in preset
- POSTDraft a policy from a natural-language prompt (LLM-assisted)
- PATCHToggle a single policy field on an agent's effective policy
- POSTApply a preset directly to an agent
Intents
Cards
- GETList all cards across all agents
- GETList cards for an agent
- POSTIssue additional card for an agent
- GETGet sensitive card data (PAN, CVC). Agent tokens must provide intentId.
- POSTFreeze card
- POSTUnfreeze card
- POSTPermanently close card
- POSTRotate card (close old, issue new with same limits)
- PUTUpdate card spend limits
- POSTFreeze a single card
- POSTUnfreeze a single card
- POSTClose (terminate) a single card
- POSTActivate a card after physical receipt or first auth
- PATCHUpdate card display label
- GETRetrieve PIN reveal token (sensitive — API key only, rate-limited)
- POSTInstantly issue a virtual card (mock PAN)
- POSTInstant card with sandbox PAN fallback for MPP demo
- POSTBatch fetch metadata for several card ids
- POSTInitiate payout from card account back to wallet
- GETGet effective policy summary with spend stats for a card
Checkout
MPP
- POSTSettle an MPP payment
- POSTOne-shot MPP pay (handle 402 + mint + present + verify)
- POSTMint an MPP credential from a 402 challenge
- POSTVerify and consume an MPP credential
- POSTVerify by challenge ID (merchant-convenience)
- POSTParse an HTTP 402 challenge and create an Ovra intent
- POSTExecute an MPP intent (mint credential and present to merchant)
- GETDiscover MPP-capable merchants for an agent
- GETGet MPP intent status
- GETList protection rules
- POSTAdd an MPP merchant protection rule (allowlist / denylist)
- DELDelete a protection rule
- POSTVerify an MPP receipt (payer-side cross-check)
- GETList MPP settlements
Billing
- POSTCreate Stripe setup session for a payment method
- POSTFund wallet via saved payment method
- GETGet wallet balance and payment method flag
- GETGet saved payment method status
- GETGet SEPA bank transfer details
- POSTCreate Stripe Customer Portal session
- POSTCreate Stripe Checkout Session for plan upgrade or top-up
- POSTCharge an overage amount via the saved payment method
- POSTBatch overage collection (dashboard / cron only)
Transactions
Webhooks
Disputes
GDPR
Merchants
Access Events
Merchants Registry
Well-Known
Credentials
- GETList credentials (one-shot card credentials)
- GETGet credential by id
- GETList credential grants (approved scopes for issuing credentials)
- GETGet a single credential grant
- POSTGrant credential issuance scope for an approved intent
- POSTIssue a credential against a grant
- POSTRedeem a credential — returns plaintext card data ONCE (one-shot)
- POSTRevoke a credential or grant
Risk
- GETList risk events across all agents
- GETList risk events for a single agent
- GETList policy violations (denied intents / blocked authorizations)
- GETList risk alerts
- PATCHUpdate alert state (acknowledge / dismiss / resolve)
- GETGet risk-engine configuration
- PATCHUpdate risk-engine configuration
- POSTManually unfreeze an agent that risk auto-froze
- GETAggregate risk summary
Analytics
- GETCross-agent analytics summary
- GETCost breakdown per agent
- GETTop-spend merchants over a period
- GETSpend trend series
- GETMCC-category breakdown
- GETList spending anomalies
- PATCHUpdate anomaly state (mark resolved / dismissed)
- GETGet anomaly explanation (LLM-generated)
- GETList cost allocations (cost-center mappings)
- POSTCreate cost allocation
- PUTUpdate allocation
- DELDelete allocation
- POSTAssign agents/cards to a cost allocation
- GETSpend forecast (next period projection)
- GETGenerate aggregated spend report PDF
Audit
Outcomes
Wallets
Beneficiaries
Transfers
Receipts
Card Controls
Card Requests
- GETList card-issuance requests
- POSTSubmit a card-issuance request (cardholder workflow)
- GETGet card-request detail
- DELCancel a pending card-request
- POSTApprove a pending card-request
- POSTReject a pending card-request
- GETList card-limit-change requests
- POSTSubmit a card-limit-change request
- GETGet card-limit-request detail
- DELCancel a pending card-limit-request
- POSTApprove a card-limit-change request
- POSTReject a card-limit-change request
Onboarding
KYC
Runs
Delegations
Claim
CLI Auth
Collect
- GETList payment requests
- POSTCreate a payment request (Collect)
- GETGet a payment request
- POSTSettle an internal payment request from a source wallet
- POSTCancel a pending payment request
- POSTRefund a settled inbound payment
- POSTSandbox — simulate an inbound SEPA credit
- POSTPublic demo settle (rate-limited, no auth)
- GETPublic payer-page payload (no auth)
- POSTMint a one-shot payment token
- POSTCharge an agent's wallet for a Collect run
- GETList Verifiable Collect Receipts
- GETGet a Verifiable Collect Receipt
- GETGet receipt as application/ld+json
- GETPublic agent Collect endpoint (HTTP 402 surface)
Pass-Through
Merchant Applications
Push Subscriptions
Security Incidents
Canvas
Sessions
Mandates
Complete passkey enrollment
curl --request POST \
--url https://api.getovra.com/passkeys/enroll \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"response": {},
"label": "<string>",
"enrollmentNonce": "<string>",
"webauthnAssertion": {
"challengeId": "<string>",
"assertion": {}
}
}
'Passkeys
Complete passkey enrollment
Verifies the RegistrationResponseJSON from navigator.credentials.create().
When the owner already had ≥1 passkey, the WebAuthn assertion bound to
enrollmentNonce MUST be supplied so a session-thief cannot silently
pivot to attacker hardware.
POST
/
passkeys
/
enroll
Complete passkey enrollment
curl --request POST \
--url https://api.getovra.com/passkeys/enroll \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"response": {},
"label": "<string>",
"enrollmentNonce": "<string>",
"webauthnAssertion": {
"challengeId": "<string>",
"assertion": {}
}
}
'Documentation Index
Fetch the complete documentation index at: https://docs.getovra.com/llms.txt
Use this file to discover all available pages before exploring further.
⌘I