> ## Documentation Index
> Fetch the complete documentation index at: https://docs.yativo.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Card View Token

> Issue a short-lived token for a hosted secure card view — embed the returned URL in an iframe

<Note>
  Card details and PIN are both served from a single hosted page. Control which views appear using `enabled_views`. The returned `secure_view_url` is ready to use as an iframe `src` — no additional SDK is required.
</Note>

<ParamField header="Authorization" type="string" required>
  Bearer token: `Bearer YOUR_ACCESS_TOKEN`
</ParamField>

<ParamField path="yativoCardId" type="string" required>
  The Yativo Card account ID (`yativo_card_id`) from onboarding.
</ParamField>

<ParamField path="cardId" type="string" required>
  The card ID from card creation.
</ParamField>

<ParamField body="enabled_views" type="array">
  Which views to enable. Accepted values: `"data"` (PAN, CVV, expiry), `"pin"` (view/set PIN). Omit to show all.
</ParamField>

<ParamField body="access_code" type="string">
  Optional unlock code the user must enter before card details are revealed.
</ParamField>

<ParamField body="theme" type="object">
  Optional theme overrides: `accent_color`, `background_color`, `panel_color`, `text_color`, `muted_color`, `border_radius`, `font_family`, `logo_url`.
</ParamField>

<Warning>
  Never cache or log `secure_view_url`. Always request a fresh token immediately before rendering.
</Warning>

<RequestExample>
  ```bash Card data only theme={null}
  curl -X POST 'https://crypto-api.yativo.com/api/v1/yativo-card/yc_01HX9KZMB3F7VNQP8R2WDGT4E5/cards/card_01HX9KZMB3F7VNQP8R2WDGT4E5/view-token' \
    -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{ "enabled_views": ["data"] }'
  ```

  ```bash Card data + PIN theme={null}
  curl -X POST 'https://crypto-api.yativo.com/api/v1/yativo-card/yc_01HX9KZMB3F7VNQP8R2WDGT4E5/cards/card_01HX9KZMB3F7VNQP8R2WDGT4E5/view-token' \
    -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{ "enabled_views": ["data", "pin"] }'
  ```
</RequestExample>

<ResponseExample>
  ```json Success theme={null}
  {
    "status": "success",
    "data": {
      "secure_view_url": "https://crypto-api.yativo.com/card-view?token=eyJhbGciOiJIUzI1NiIs...",
      "expires_at": "2026-03-26T12:01:00Z",
      "last_four": "4242",
      "enabled_views": ["data", "pin"],
      "requires_access_code": false
    }
  }
  ```
</ResponseExample>

<Accordion title="Response Type Definitions">
  ```typescript theme={null}
  interface ViewTokenResponse {
    secure_view_url: string;        // Hosted page URL — use as iframe src
    expires_at: string;             // ISO 8601 expiry
    last_four: string;              // Safe to display without the iframe
    enabled_views: string[];        // Active views: ["data"] | ["pin"] | ["data", "pin"]
    requires_access_code: boolean;  // User must enter access_code before details are shown
  }
  ```
</Accordion>

## Embedding the URL

```html theme={null}
<iframe
  src="SECURE_VIEW_URL"
  title="Secure Card View"
  width="420"
  height="740"
  style="border:0;border-radius:16px;"
  allow="clipboard-read; clipboard-write">
</iframe>
```

<Tip>
  See the full integration guide — backend proxy pattern, React/vanilla JS examples, access code flow, and testing — in [Secure Card Display](/yativo-crypto/cards/secure-display).
</Tip>
