Skip to main content

View sensitive information

The cardUrl available in the card query leads to website that displays the card with its design and its sensitive hidden information.

Consider integrating it into your product with an iframe or a webview. This URL is available for one hour after you query it. After one hour, renew the query to get another cardUrl.

Information not visible

If information fails to become visible despite having the appropriate permissions, it may remain hidden due to regulatory restrictions based on your location.

View physical card numbers​

View the physical card numbers, which is different from the virtual card numbers, by calling the viewPhysicalCardNumbers mutation which returns a consent. When you do this, make sure you are authenticated with a user access token using the name of the card's account member. Then a consentUrl is returned, inviting the user to start the Strong Customer Authentication with Swan.

After the consent is accepted, the card's sensitive information is displayed for five minutes. The link to view the information is also valid for five minutes; the user can close and reopen the link anytime within those five minutes.

The user can click to copy any of the sensitive information to their clipboard. After they're done with the card info, they can click okay to be redirected to the redirectUrl set up during the viewCardNumbers mutation.

Swan card with information masked and revealed

Store consentId

To avoid repeating the Strong Customer Authentication each time the client wants to reveal the card numbers, the same consentUrl can be called anytime for five minutes after the consent. We advise you to store the consentId on your side and run a consent query to check the consent status is Accepted and the updateAt is less than five minutes, before reusing the consentUrl. The consentUrl only works in the cardholder's browser where the consent was completed.

View PIN​

You can display the physical card's PIN by calling the viewPhysicalCardPinmutation which returns a consent. When you do this, make sure you are authenticated with a user access token using the name of the card's account member. Then a consentUrl is returned which invites the user to start the Strong Customer Authentication with Swan.

If your card was created before 19:00 Central European [Summer] Time (CET/CEST), you can call the mutation starting from 19:00 the same day. Otherwise, you'll have to wait until the next day at 19:00 to start calling the mutation.

You can check the isPINReady boolean (true/false) in the physical card's statusInfo, with ToActivate status. It is true when the PIN is available. Refer to the section on PIN availability to understand when a PIN should be ready.

Mutation​

🔎 Open the mutation in API Explorer

mutation viewPin {
  viewPhysicalCardPin(
    input: {
      cardId: "$YOUR_CARD_ID"
      consentRedirectUrl: "$YOUR_REDIRECT_URL"
    }
  ) {
    ... on ViewPhysicalCardPinSuccessPayload {
      __typename
      consent {
        consentUrl
      }
    }
    ... on PINNotReadyRejection {
      __typename
      message
      physicalCardIdentifier
    }
  }
}

Payload​

Open the consentUrl returned by the mutation to provide consent, then view the PIN.

{
  "data": {
    "viewPhysicalCardPin": {
      "__typename": "ViewPhysicalCardPinSuccessPayload",
      "consent": {
        "consentUrl": "$CONSENT_URL"
      }
    }
  }
}