m2pfintech
API LibraryCard Management

Get full card details by kit number

Retrieve complete card details including full card number (PAN), name on card, expiry date, and CVV using the kit number. This API returns sensitive card data and must be used only for authorized operations.

Both kitNo and token are explicitly validated by the backend. The token is a security token unique to your tenant, provided by M2P during onboarding. It is validated against the m2pBitUrlKey configuration.

Ensure secure storage and transmission of the response data in compliance with PCI DSS.

This is the recommended API for retrieving card details in external integrations, replacing the older deprecated generateCVV endpoint.

When Click to Pay (CTP) is enabled for the tenant, the response includes additional fields: ctpStatus (card-level CTP enrollment status) and ctpPaymentInstrumentId (Visa CTP payment instrument identifier). These fields are only present when CTP is enabled via the BUSINESSCUSTOMFIELD click.to.pay.enable configuration.

POST
/Yappay/business-entity-manager/getDetailsByKitNo

Authorization

BearerAuth TenantHeader
AuthorizationBearer <token>

JWT Bearer token obtained from the /auth/login endpoint

In: header

TENANT<token>

Tenant identifier provided by M2P (e.g. ENBDTABBY)

In: header

Request Body

application/json

kitNo*string

Kit number of the card

Lengthlength <= 20
token*string

Security token unique to your tenant, provided by M2P. Validated against the m2pBitUrlKey configuration on the server.

Lengthlength <= 100

Response Body

application/json

application/json

application/json

curl -X POST "https://api.m2p.com/Yappay/business-entity-manager/getDetailsByKitNo" \  -H "Content-Type: application/json" \  -d '{    "kitNo": "10000001",    "token": "S1H0AJON4DRPNNJ8G6BKG0D94N0DR5UFSVS4R4LI"  }'

{
  "result": {
    "expiryDate": "2804",
    "actualExpiryDate": "2028-04-30",
    "cvv": "123",
    "nameOnCard": "ABCDEF",
    "cardNo": "1111111111111111",
    "status": "ALLOCATED"
  },
  "exception": null,
  "pagination": null
}

{
  "result": null,
  "exception": {
    "detailMessage": "Mandatory field kitNo is missing",
    "shortMessage": "Missing mandatory field",
    "errorCode": "Y105",
    "languageCode": "en"
  },
  "pagination": null
}
{
  "result": null,
  "exception": {
    "detailMessage": "Token Verification Failed",
    "shortMessage": "Token Verification Failed",
    "errorCode": "Y303",
    "languageCode": "en"
  },
  "pagination": null
}

Fetch card transaction channel preferences POST

Retrieve the current preference configuration for a customer card. Returns the enabled or disabled status for each transaction channel (ATM, POS, ECOM, CONTACTLESS, INTERNATIONAL, DCC). Also returns advanced rule configurations if configured for the tenant, including allowed and disallowed rules for transaction origins, MCC (Merchant Category Code) groupings, and country groupings. Transaction limits, cash limits, and category-specific limit configurations are included when configured for the customer.

Get masked card list for a customer (deprecated) POST

DEPRECATED - Use the getDetailsByKitNo API instead for new integrations. Retrieve a customer card list with masked or full card numbers depending on your PCI DSS certification status. Only PCI DSS certified partners can view full card numbers. Others receive masked card numbers in the format 5123XXXXXX1234. All arrays in the response are index-aligned. Index 0 in cardList corresponds to index 0 in kitList, expiryDateList, cardStatusList, cardTypeList, and networkTypeList. Only the entityId field is used by this API. Other fields from the BlockCardDto schema (kitNo, flag, reason) are ignored by the backend.