Card Sessions

Abstract

Card sessions are the secure mechanism for accessing virtual card details (number, CVV, expiry) in Flowglad Pay. A session is created against a payment method, which returns a short-lived scoped JWT token. That token is then used to redeem the session and retrieve card details. This two-step flow ensures card details never leak into MCP tool contexts or long-lived API key scopes.

Table of Contents

1. Security Model — CRITICAL
2. Create a Card Session — CRITICAL
3. Redeem a Card Session — CRITICAL
4. Check Session Status — MEDIUM
5. Audit Redemptions — MEDIUM
6. Session Lifecycle — LOW