Card state change - Grid API Documentation

{ "id": "Webhook:019542f5-b3e7-1d02-0000-000000000020", "type": "CARD.STATE_CHANGE", "timestamp": "2026-05-08T14:11:00Z", "data": { "id": "Card:019542f5-b3e7-1d02-0000-000000000010", "cardholderId": "Customer:019542f5-b3e7-1d02-0000-000000000001", "platformCardId": "card-emp-aary-001", "state": "ACTIVE", "stateReason": null, "brand": "VISA", "form": "VIRTUAL", "last4": "4242", "expMonth": 12, "expYear": 2029, "panEmbedUrl": "https://embed.lithic.com/iframe/...?t=...", "fundingSources": [ "InternalAccount:019542f5-b3e7-1d02-0000-000000000002" ], "currency": "USD", "issuerRef": "lithic_card_4f8d3a2b1c", "createdAt": "2026-05-08T14:10:00Z", "updatedAt": "2026-05-08T14:11:00Z" } }

Authorizations

X-Grid-Signature

string

header

required

Secp256r1 (P-256) asymmetric signature of the webhook payload, which can be used to verify that the webhook was sent by Grid. To verify the signature:

Get the Grid public key provided to you during integration
Decode the base64 signature from the header
Create a SHA-256 hash of the request body
Verify the signature using the public key and the hash

If the signature verification succeeds, the webhook is authentic. If not, it should be rejected.

Body

application/json

string

required

Unique identifier for this webhook delivery (can be used for idempotency)

Example:

"Webhook:019542f5-b3e7-1d02-0000-000000000007"

type

enum<string>

required

Status-specific event type in OBJECT.EVENT dot-notation (e.g., OUTGOING_PAYMENT.COMPLETED)

Available options:

CARD.STATE_CHANGE

timestamp

string<date-time>

required

ISO 8601 timestamp of when the webhook was sent

Example:

"2025-08-15T14:32:00Z"

data

object

required

Show child attributes

Response

Webhook received successfully

Documentation Index

Authorizations

Body

Response