> ## Documentation Index
> Fetch the complete documentation index at: https://docs.machines.cash/llms.txt
> Use this file to discover all available pages before exploring further.

# Retrieve encrypted card secrets

> Requires a secrets sessionId and cards.secrets.read scope.



## OpenAPI

````yaml openapi.yaml post /partner/v1/cards/{cardId}/secrets
openapi: 3.1.0
info:
  title: Machines Cash API
  version: 0.3.0
  description: >
    API for KYC, cards, encryption, balances, deposits, transactions, and
    withdrawals.

    All responses use a consistent envelope by default: { ok, data, summary,
    errors[], next }.

    Set X-Open-Responses: 1 to receive Open Responses-style response objects.
servers:
  - url: https://api.machines.cash
    description: production
  - url: https://dev-api.machines.cash
    description: sandbox
security: []
tags:
  - name: users
  - name: sessions
  - name: kyc
  - name: kycValues
  - name: agreements
  - name: cards
  - name: encryption
  - name: balances
  - name: deposits
  - name: transactions
  - name: withdrawals
paths:
  /partner/v1/cards/{cardId}/secrets:
    parameters:
      - $ref: '#/components/parameters/OpenResponses'
      - $ref: '#/components/parameters/OpenResponsesCallId'
    post:
      tags:
        - cards
      summary: Retrieve encrypted card secrets
      description: Requires a secrets sessionId and cards.secrets.read scope.
      operationId: api.cards.secrets.get
      parameters:
        - $ref: '#/components/parameters/CardId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CardSecretsRequest'
      responses:
        '200':
          description: Encrypted card secrets
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CardSecretsResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
      security:
        - Session: []
components:
  parameters:
    OpenResponses:
      name: X-Open-Responses
      in: header
      required: false
      schema:
        type: string
        enum:
          - '1'
          - 'true'
      description: >-
        Return Open Responses-compatible output when set (replaces the default
        response envelope).
    OpenResponsesCallId:
      name: X-Open-Responses-Call-Id
      in: header
      required: false
      schema:
        type: string
        minLength: 1
      description: >-
        Tool call id used for function_call_output items when Open Responses
        mode is enabled.
    CardId:
      name: cardId
      in: path
      required: true
      schema:
        type: string
        minLength: 8
      description: Machines card id.
  schemas:
    CardSecretsRequest:
      type: object
      additionalProperties: false
      required:
        - sessionId
      properties:
        sessionId:
          type: string
          description: SessionId returned from the secrets session helper.
    CardSecretsResponse:
      type: object
      additionalProperties: false
      required:
        - ok
        - data
        - summary
        - errors
      properties:
        ok:
          type: boolean
          const: true
        data:
          $ref: '#/components/schemas/CardSecrets'
        summary:
          type: string
        errors:
          type: array
          items:
            $ref: '#/components/schemas/ErrorDetail'
        next:
          $ref: '#/components/schemas/NextHint'
    CardSecrets:
      type: object
      additionalProperties: false
      required:
        - encryptedPan
        - encryptedCvc
        - expirationMonth
        - expirationYear
        - last4
      properties:
        encryptedPan:
          $ref: '#/components/schemas/CardSecretBlob'
        encryptedCvc:
          $ref: '#/components/schemas/CardSecretBlob'
        expirationMonth:
          type: integer
        expirationYear:
          type: integer
        last4:
          type: string
        brand:
          type: string
        keyId:
          type: string
    ErrorDetail:
      type: object
      additionalProperties: false
      required:
        - code
        - message
      properties:
        code:
          type: string
          example: invalid_request
        message:
          type: string
          example: missing required field
        field:
          type: string
          description: Optional field name that caused the error.
    NextHint:
      type: object
      additionalProperties: false
      properties:
        pollAfterMs:
          type: integer
          minimum: 0
        suggestedTool:
          type: string
        suggestedArgs:
          type: object
          additionalProperties: true
    ErrorResponse:
      type: object
      additionalProperties: false
      required:
        - ok
        - summary
        - errors
      properties:
        ok:
          type: boolean
          const: false
        summary:
          type: string
          example: invalid request
        errors:
          type: array
          items:
            $ref: '#/components/schemas/ErrorDetail'
        next:
          $ref: '#/components/schemas/NextHint'
    CardSecretBlob:
      type: object
      additionalProperties: false
      required:
        - data
        - iv
      properties:
        data:
          type: string
          description: Base64-encoded ciphertext + auth tag.
        iv:
          type: string
          description: Base64-encoded IV.
  responses:
    BadRequest:
      description: Invalid request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: Not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  securitySchemes:
    Session:
      type: http
      scheme: bearer
      bearerFormat: JWT

````