m2pfintech
API LibraryCard Management

Lock, unlock, or permanently block a card

Change the status of a customer card. Supports temporary locking, unlocking a locked card, and permanent blocking.

Lock (L) is a reversible action that temporarily disables the card. The card can be re-enabled by calling this API with Unlock (UL).

Block (BL) is a PERMANENT action. Once a card is blocked, it cannot be reactivated. The customer will need a card replacement through the replaceCard API.

Either entityId or kitNo must be provided to identify the card. The flag field is the only truly mandatory field with controller-level validation.

Always provide a meaningful reason for audit trail purposes.

POST
/Yappay/business-entity-manager/block

Authorization

BearerAuth TenantHeader
AuthorizationBearer <token>

JWT Bearer token obtained from the /auth/login endpoint

In: header

TENANT<token>

Tenant identifier provided by M2P (e.g. ENBDTABBY)

In: header

Request Body

application/json

entityId?string

Customer ID. Required if kitNo is not provided. At least one of entityId or kitNo must be present.

Lengthlength <= 16
kitNo?string

Kit number. Required if entityId is not provided.

Lengthlength <= 20
flag*string

Action flag that determines the operation to perform. L = Lock (temporary, reversible). UL = Unlock (restore a previously locked card). BL = Block (permanent, irreversible, requires card replacement). Additional values include B, U, FL, FB, SU for internal operations.

Lengthlength <= 16
Value in"L" | "UL" | "BL" | "B" | "U" | "FL" | "FB" | "SU"
reason?string

Reason for the action. Optional but strongly recommended for audit purposes.

Lengthlength <= 30

Response Body

application/json

application/json

curl -X POST "https://api.m2p.com/Yappay/business-entity-manager/block" \  -H "Content-Type: application/json" \  -d '{    "entityId": "ABCDEF",    "kitNo": "10000001",    "flag": "L",    "reason": "Test Lock Card 10000001"  }'
{
  "result": true,
  "exception": null,
  "pagination": null
}

{
  "result": null,
  "exception": {
    "detailMessage": "The Entity ABCDEF is Blocked",
    "shortMessage": "Entity is Blocked",
    "errorCode": "Y224",
    "languageCode": "en"
  },
  "pagination": null
}

Get masked card list for a customer (deprecated) POST

DEPRECATED - Use the getDetailsByKitNo API instead for new integrations. Retrieve a customer card list with masked or full card numbers depending on your PCI DSS certification status. Only PCI DSS certified partners can view full card numbers. Others receive masked card numbers in the format 5123XXXXXX1234. All arrays in the response are index-aligned. Index 0 in cardList corresponds to index 0 in kitList, expiryDateList, cardStatusList, cardTypeList, and networkTypeList. Only the entityId field is used by this API. Other fields from the BlockCardDto schema (kitNo, flag, reason) are ignored by the backend.

Replace a lost or damaged card POST

Initiate card replacement when a card is lost, stolen, or damaged. Important - The old card MUST be blocked (using the block API with flag BL) before calling this API. The system automatically transfers the balance and transaction history from the old card to the new card. Digital wallet tokens remain linked to the customer. The new card inherits the same customer preferences as the old card. Card replacement process - Step 1: Block the old card using the lock/unlock/block API with flag BL. Step 2: Call this API with old and new kit numbers. Step 3: System automatically transfers balance and transaction history. Step 4: Digital wallet tokens are updated automatically.