Introduction
Retrieving secure card numbers is the final step in the cards flow. Once an order intent isactive, you exchange the orderIntentId and a merchant descriptor for a secure one-time card number, expiration, and CVC that the agent uses to complete the purchase.
Credentials are scoped to the merchant you specify, so they can only be used where the user authorized the spending. The agent never sees the real card number.
Prerequisites
- An order intent with
phase: "active". See Create an Agent Card if you have not done this yet. - The
orderIntentIdof the active order intent. - An authenticated user with a JWT.
Fetch Credentials
Send aPOST request to /api/unstable/order-intents/{orderIntentId}/credentials with the merchant information. The merchant details are required so that Crossmint can generate credentials scoped to that specific merchant.
Merchant Fields
| Field | Description |
|---|---|
name | Display name of the merchant |
url | The merchant’s website URL |
countryCode | Two-letter ISO country code (for example US, GB, DE) |
orderIntentId when you set up the agent card. See What to persist on the Create an Agent Card page for the full guidance.
List Agent Cards
To see all agent cards (order intents) for the authenticated user, send aGET request to the order intents endpoint:
phase: "active" can have their credentials fetched. Expired order intents return an error.
For the full credentials API schema, see the Get Order Intent Credentials API Reference.
Common Gotchas
Credentials are merchant-scoped
Credentials are merchant-scoped
The
merchant field is required on every credential request. A card number fetched for one merchant will not authorize at another — if the agent needs to spend at a different merchant, create a new agent card.Credentials have their own `expiresAt`
Credentials have their own `expiresAt`
Even within an
active order intent, the returned card data is short-lived. Fetch credentials as close to the purchase as possible rather than caching them.Fetching credentials before the phase is active fails
Fetching credentials before the phase is active fails
If the user has not yet completed the passkey authorization, wait for
onVerificationComplete before calling this endpoint.Next Steps
Remove Cards
Remove saved cards, delete agents, or rotate an agent card.
Cards Quickstart
Revisit how credential retrieval fits into the full cards flow.

