card-issuing-auth — Authentication

Download card-issuing-auth.zip · Part of the MVP bundle.

Purpose

Describes the authentication protocol the AI tool must use when generating code that calls EastPay card-issuing APIs.

Current sandbox mode (simplified)

The sandbox at https://march.sandbox.efaka.net/card-api currently uses:

  • Static Bearer Token, sent as an Authorization: Bearer <TOKEN> header; token assigned by Coshine per customer
  • timestamp header — Unix timestamp in seconds
  • Plain JSON body — no JWE encryption
  • Content-Type: application/json; charset=UTF-8

Future migration path

The Skill also documents an OAuth 2.0 private_key_jwt + ES256 + JWE flow matching the target specification in the Coshine API PDF. When Coshine rolls this out, the Skill directs the developer to implement it following the official docs. Until then, the Skill keeps the simpler Bearer-only path as the primary integration.

AI behaviour rules the Skill enforces

  • Never fabricate Bearer tokens / participantId / tranBranch values — always redirect the developer to Coshine
  • On HTTP 401/403, do not auto-retry; flag it as a credential/scope problem
  • Never hardcode tokens — always read them from an environment variable or config file
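
The sandbox headers and the rules above, shown as an added Python example (not code from SKILL.md or from Coshine's documentation). The environment variable name EASTPAY_CARD_TOKEN, the POST method, the caller-supplied request path, and the retry policy for 429/5xx are assumptions; only the base URL, the three headers and the 401/403 rule come from this page.

```python
import json
import os
import time
import urllib.request

SANDBOX_BASE = "https://march.sandbox.efaka.net/card-api"  # base URL from this page
TOKEN_ENV = "EASTPAY_CARD_TOKEN"  # assumed variable name, not defined by the Skill


class CredentialError(RuntimeError):
    """Token missing, or the API answered 401/403 (never retried)."""


def load_token(env=os.environ):
    """Read the Bearer token from the environment; never hardcode or invent one."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise CredentialError(f"{TOKEN_ENV} is not set; request a token from Coshine")
    return token


def build_request(path, payload, token, now=None):
    """Build (without sending) a sandbox request: Bearer token, timestamp, plain JSON."""
    ts = int(time.time() if now is None else now)  # Unix timestamp in seconds
    return urllib.request.Request(
        SANDBOX_BASE + path,  # path is supplied by the caller (hypothetical here)
        data=json.dumps(payload).encode("utf-8"),  # plain JSON body, no JWE
        method="POST",  # assumption: the page does not state the HTTP method
        headers={
            "Authorization": f"Bearer {token}",
            "timestamp": str(ts),
            "Content-Type": "application/json; charset=UTF-8",
        },
    )


def should_retry(status):
    """401/403 are credential/scope problems: raise instead of retrying."""
    if status in (401, 403):
        raise CredentialError(f"HTTP {status}: check token and scope with Coshine")
    return status == 429 or status >= 500  # assumed policy for transient errors
```

When sending with urllib.request.urlopen, pass the code attribute of a caught HTTPError to should_retry so a 401/403 surfaces as a CredentialError instead of entering a retry loop.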

Depends on

  • card-issuing-references (for field definitions and error codes)

Source

See skills/card-issuing-auth/SKILL.md in the repository for the authoritative content.