Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.crossmint.com/llms.txt

Use this file to discover all available pages before exploring further.

Introduction

This page covers the independent lifecycle operations for the cards flow. Pick the section that matches what you need to do — each operation is self-contained.
If you need to…See
Stop a saved card from being used for any future card permissionsRemove a saved card
Cut off an agent’s ability to create new card permissionsDelete an agent
Immediately invalidate a single active card permissionRevoke a card permission
Replace a card permission whose credentials may be compromisedRotate a card permission

Prerequisites

  • An authenticated user with a valid JWT.
  • The ID of the resource you want to modify (paymentMethodId for a card, agentId for an agent).

Remove a Saved Card

Send a DELETE request with the paymentMethodId. The card can no longer be used to create new card permissions. 
const BASE_URL = "https://staging.crossmint.com/api/unstable";

async function removePaymentMethod(jwt: string, paymentMethodId: string) {
    const response = await fetch(
        `${BASE_URL}/payment-methods/${paymentMethodId}`,
        {
            method: "DELETE",
            headers: {
                "Content-Type": "application/json",
                "X-API-KEY": CROSSMINT_CLIENT_API_KEY,
                Authorization: `Bearer ${jwt}`,
            },
        }
    );

    if (!response.ok) {
        throw new Error(`Failed to remove payment method (${response.status})`);
    }
}
Removing a saved card does not cancel card permissions already created against it. Active order intents keep working until their internal expiration is reached. To cut off an in-flight order intent immediately, revoke it or delete the agent.

Delete an Agent

Send a DELETE request with the agentId. The agent loses the ability to create new card permissions, and any active order intents tied to it stop working. 
const BASE_URL = "https://staging.crossmint.com/api/unstable";

async function deleteAgent(jwt: string, agentId: string) {
    const response = await fetch(
        `${BASE_URL}/agents/${agentId}`,
        {
            method: "DELETE",
            headers: {
                "Content-Type": "application/json",
                "X-API-KEY": CROSSMINT_CLIENT_API_KEY,
                Authorization: `Bearer ${jwt}`,
            },
        }
    );

    if (!response.ok) {
        throw new Error(`Failed to delete agent (${response.status})`);
    }
}
Deletion is permanent. To restore the agent’s ability to spend, register a new agent by following Register an Agent.

Revoke a Card Permission

To immediately invalidate a single card permission — for example if its credentials may have been compromised — send a DELETE request with the orderIntentId. The order intent transitions to the revoked phase and its credentials can no longer be used for purchases. Only order intents currently in the active or requires-verification phase can be revoked. Already-expired or already-revoked order intents return an error. 
const BASE_URL = "https://staging.crossmint.com/api/unstable";

async function revokeOrderIntent(jwt: string, orderIntentId: string) {
    const response = await fetch(
        `${BASE_URL}/order-intents/${orderIntentId}`,
        {
            method: "DELETE",
            headers: {
                "Content-Type": "application/json",
                "X-API-KEY": CROSSMINT_CLIENT_API_KEY,
                Authorization: `Bearer ${jwt}`,
            },
        }
    );

    if (!response.ok) {
        throw new Error(`Failed to revoke order intent (${response.status})`);
    }
}
A successful revoke returns 204 No Content. The underlying saved card and agent are untouched — only the targeted order intent is affected. To replace it with a new card permission, see Rotate a card permission. For the full schema, see the Revoke Card Permission API Reference.

Rotate a Card Permission

To rotate a card permission — for example if its credentials may have been compromised — revoke the old order intent and create a replacement:
  1. Revoke the old order intent so its credentials can no longer be used.
  2. Create a new order intent against the same saved card with the same (or updated) spending rules. See Give Card Permission.
  3. Have the user authorize the new intent via passkey.
  4. Use the new credentials in your checkout flow.
await revokeOrderIntent(jwt, oldOrderIntentId);

// Create a replacement card permission against the same payment method
const newOrderIntent = await createOrderIntent(jwt, agentId, paymentMethodId, mandates);

// If requires-verification, prompt the user for passkey authorization,
// then fetch credentials for the new card
const newCredentials = await fetchCardCredentials(jwt, newOrderIntent.orderIntentId, merchant);
To cut off an agent’s access to all of its card permissions immediately, delete the agent instead. For the full list of order intent phases — including revoked and expired — see the Get Order Intent API Reference.

Next Steps

Give Card Permission

Set up a new scoped card permission with updated spending rules.

Register an Agent

Create a new agent after deleting one.