What you can build

Six patterns this API was built for

The endpoints below are the foundation — the patterns are what agent builders actually ship.

Autonomous spend agents

Agents that decide what to buy and execute the purchase without human approval. The API issues a fresh card per transaction, charges it, then deletes it — leaving no reusable payment surface in the wild.

Ad-campaign automation

Programmatic issuance of one BIN-471938 (Visa Business) card per Meta / Google / TikTok ad account. Rotate cards every 30-60 days to keep accounts clean.

Per-user disposable cards

Marketplaces or platforms that need a unique card per end-user transaction. Issue, charge, delete in under 10 seconds — no PCI scope, no card-storage burden.

Free-trial harvesters

Sign up to free trials at scale. Each trial gets a card with the minimum load; deletion before renewal blocks the auto-charge cleanly.

SaaS billing per workspace

Multi-tenant agents that bill upstream SaaS (AWS, OpenAI, Cloudflare, GitHub) on a per-workspace card. Costs become attributable to the customer without leaking your master billing identity.

Scraping / signup workers

Each worker requests a card via the API the moment it needs a payment surface, uses it for the intended action, then closes it. The $1.50 unit cost is a fraction of any alternative approach.

Quick start

From zero to issued card in 4 calls

Four API calls take an agent from "no account" to "card ready to charge." Replace TOKEN with your bearer, CARD_ID with the integer returned at step 3.

OpenAPI 3.1 /.well-known/openapi.json AI plugin manifest /.well-known/ai-plugin.json MCP endpoint POST /api/v1/mcp

1. Sign up (creates an anonymous account + bearer token)

# Create an anonymous account. Returns seed + Bearer token (ONE TIME).
curl -X POST https://cryptotopcard.com/api/v1/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"name":"my-agent"}'

import requests
r = requests.post(
    "https://cryptotopcard.com/api/v1/auth/signup",
    json={"name": "my-agent"},
).json()
TOKEN = r["data"]["token"]
SEED  = r["data"]["seed"]    # persist both!
auth  = {"Authorization": f"Bearer {TOKEN}"}

const r = await fetch("https://cryptotopcard.com/api/v1/auth/signup", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ name: "my-agent" }),
}).then(r => r.json());
const TOKEN = r.data.token;       // persist!
const SEED  = r.data.seed;
const auth  = { "Authorization": `Bearer ${TOKEN}` };

2. Create a top-up (returns the deposit address + exact crypto amount)

# Create a top-up: request $100 net in USDT (TRC-20).
# Returns the deposit address + exact crypto amount (gross, includes 2% fee).
curl -X POST https://cryptotopcard.com/api/v1/topups \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"coin":"USDTTRC","amount":100}'
# {... "deposit_address":"T...", "crypto_amount":"102.92", "net_credit_usd":100}

t = requests.post(
    "https://cryptotopcard.com/api/v1/topups",
    json={"coin": "USDTTRC", "amount": 100},
    headers=auth,
).json()["data"]
# Send t["crypto_amount"] USDT-TRC20 to t["deposit_address"].
# When confirmed (poll GET /topups/<id>), $100 lands on the balance.

const t = (await fetch("https://cryptotopcard.com/api/v1/topups", {
  method: "POST",
  headers: { ...auth, "Content-Type": "application/json" },
  body: JSON.stringify({ coin: "USDTTRC", amount: 100 }),
}).then(r => r.json())).data;
// Send t.crypto_amount USDT-TRC20 to t.deposit_address.

3. Issue a card (returns number, exp, CVV)

# Once the balance shows the credited amount, issue a card.
curl -X POST https://cryptotopcard.com/api/v1/cards \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"bin_id":"471938","amount":150,"label":"meta-acct-7"}'
# {... "card_number":"4719 ...", "card_exp":"02/29", "card_cvv":"136"}

c = requests.post(
    "https://cryptotopcard.com/api/v1/cards",
    json={"bin_id": "471938", "amount": 150, "label": "meta-acct-7"},
    headers=auth,
).json()["data"]
print(c["card_number"], c["card_exp"], c["card_cvv"])

const c = (await fetch("https://cryptotopcard.com/api/v1/cards", {
  method: "POST",
  headers: { ...auth, "Content-Type": "application/json" },
  body: JSON.stringify({ bin_id: "471938", amount: 150, label: "meta-acct-7" }),
}).then(r => r.json())).data;
console.log(c.card_number, c.card_exp, c.card_cvv);

4. Use the card. When done, delete it (refunds the remaining balance instantly)

# When the card has served its purpose, delete it. Remaining balance refunds instantly.
curl -X DELETE https://cryptotopcard.com/api/v1/cards/$CARD_ID \
  -H "Authorization: Bearer $TOKEN"

requests.delete(
    f"https://cryptotopcard.com/api/v1/cards/{c['card_id']}",
    headers=auth,
).json()  # {"ok":true,"data":{"deleted":true,"refunded_usd":150.0}}

await fetch(`https://cryptotopcard.com/api/v1/cards/${c.card_id}`, {
  method: "DELETE", headers: auth,
}).then(r => r.json());

MCP integration

Native tool calling in Claude, ChatGPT, Cursor

The same Bearer tokens work on the MCP endpoint at /api/v1/mcp. Once configured, the LLM calls `list_bins`, `create_topup`, `issue_card`, `freeze_card` as native tools — no code wrapping required.

Claude Desktop / Claude Code

Add to ~/Library/Application Support/Claude/claude_desktop_config.json under mcpServers:

"cryptotopcard": {
  "command": "npx",
  "args": ["-y", "mcp-remote",
    "https://cryptotopcard.com/api/v1/mcp",
    "--header", "Authorization:Bearer ctk_live_..."]
}

ChatGPT Custom GPT

In your custom GPT settings, add an Action and import the OpenAPI spec:

Import OpenAPI from:
https://cryptotopcard.com/.well-known/openapi.json
Auth: API Key (Bearer)

Cursor / Continue / Cline

In Cursor settings → Features → Model Context Protocol, add a new server with HTTP transport:

HTTP transport:
url: https://cryptotopcard.com/api/v1/mcp
authorization: Bearer ctk_live_...

After connecting, ask the model "issue a Visa Business card for $200 funded with USDT" and it will chain `list_bins → list_coins → create_topup → issue_card` automatically, surfacing the deposit address and waiting for your confirmation.

API surface

All endpoints at a glance

Nineteen routes total. Public (no auth) for discovery + signup; everything else requires a Bearer token scoped to its operation.

Method	Path	Description
GET	/api/v1/coins	List the 20 supported cryptocurrencies (public).
GET	/api/v1/bins	List the 7 BIN tiers + fees (public).
POST	/api/v1/auth/signup	Create an anonymous account. Returns seed + first API token (one-time).
POST	/api/v1/auth/login	Trade a seed phrase for a fresh API token.
GET	/api/v1/me	Current account info: balance, card count, scopes.
POST	/api/v1/topups	Create a crypto deposit invoice. Customer pays gross (incl. 2% fee), net is credited.
GET	/api/v1/topups/:id	Get a top-up's current status.
POST	/api/v1/topups/:id/cancel	Cancel a pending top-up (no effect once paid).
GET	/api/v1/cards	List active + frozen cards (last4 only).
POST	/api/v1/cards	Issue a new card. Debits $1.50 + amount from the balance.
GET	/api/v1/cards/:id	Full card details (PAN, exp, CVV) for one card.
POST	/api/v1/cards/:id/freeze	Block all charges on the card. Reversible.
POST	/api/v1/cards/:id/unfreeze	Re-enable a frozen card.
POST	/api/v1/cards/:id/topup	Move funds from account balance to card balance.
DELETE	/api/v1/cards/:id	Close a card. Refunds the remaining balance to the account instantly.
GET	/api/v1/keys	List the caller's API keys (metadata only, no token).
POST	/api/v1/keys	Mint a new API key. Token returned once.
DELETE	/api/v1/keys/:id	Revoke an API key.
POST	/api/v1/mcp	MCP server (JSON-RPC 2.0). Same bearer auth.

Security model

Per-key scopes, sliding rate limits, no recoverable secrets

Every request is authenticated with a per-user Bearer token (ctk_live_…). Tokens are sha256-hashed at rest; we never store the raw value. Each token carries a comma-separated scope list (read, topups, cards) — a token without "cards" cannot issue a card.

Rate limits

60 read calls per minute per token (GETs, list endpoints).
10 write calls per minute per token (POST/DELETE — topups, cards, freeze).
3 signups per hour per source IP.

Scopes

Three scopes available. Default for new tokens is read,topups,cards — drop scopes when creating a token (POST /keys with scopes: "read") to limit blast radius.

read — GET endpoints (account info, list cards, list topups).
topups — POST /topups, /topups/:id/cancel.
cards — POST /cards, /cards/:id/freeze, /cards/:id/unfreeze, /cards/:id/topup, DELETE /cards/:id, GET /cards/:id (sensitive).

Recovery model

There is no email-based recovery. The seed phrase returned at signup is the only credential — if lost, the account and its balance are unrecoverable. Persist it in a secrets manager. Rotate API tokens freely with POST /keys.

Wire up your first agent in under 5 minutes

Public endpoints work without an account. Sign up takes one POST. Try the quickstart end-to-end before integrating.

Read the quick start

Build agents that issue payment cards