pin_set: false. Cardholders must set their PIN before card details (card number, CVV) can be viewed, and before chip-and-PIN or ATM transactions will work.
To let a cardholder set their PIN, call the view-token endpoint with enabled_views: ["pin-set"]. The API always returns 200 OK with a secure_view_url for PIN setup — regardless of whether pin_set is true or false. Open that URL in an iframe or WebView and the cardholder can set (or change) their PIN directly.
The
422 PIN_NOT_SET error only occurs when you request card data or PIN reveal (enabled_views: ["data"], ["pin-view"]) while pin_set is still false. It does not occur when requesting ["pin-set"] to set the PIN.How it works
Your backend requests a PIN view token
Call
POST /v1/yativo-card/customers/{yativoCardId}/cards/{cardId}/view-token with enabled_views: ["pin-set"] for initial setup or PIN change, or ["pin-view"] to reveal the current PIN. Pass your brand theme to customise the page.You receive a secure_view_url
The API returns 200 OK with a short-lived
secure_view_url and the current pin_set status. This always succeeds for ["pin-set"] requests — even when pin_set is false.Show the hosted page to the cardholder
Open the URL in an
<iframe>, mobile WebView, or a new browser tab in your app. The cardholder enters and confirms their 4-digit PIN inside the hosted page.enabled_views: ["pin-set"] in both cases.
Request a PIN view token
Call this from your backend using your issuer access token.The customer’s
yativo_card_id.The card ID — works for both virtual and physical cards.
Controls which tabs appear on the hosted page. Accepted values:
Pass
| Value | Tab shown |
|---|---|
"pin-set" | Set or change PIN |
"pin-view" | Reveal current PIN (requires pin_set: true) |
"data" | Card number, CVV, expiry (requires pin_set: true) |
["pin-set"] for initial setup or PIN change. Pass ["data", "pin-view", "pin-set"] to show all three tabs at once.
The legacy value "pin" is accepted as an alias for "pin-set".Brand the hosted page with your colours and logo. All fields optional.
| Field | Type | Description |
|---|---|---|
accent_color | string | Hex colour for buttons and highlights |
background_color | string | Page background |
panel_color | string | Card panel background |
text_color | string | Primary text |
logo_url | string | Your logo at the top of the page |
border_radius | number | Corner radius in px (8–36) |
font_family | string | CSS font-family string |
Embed the hosted PIN page
Passsecure_view_url directly as the src of an iframe. No SDK or client-side JavaScript required.
Checking PIN status
pin_set is updated when Yativo receives the physical.card.pin.changed webhook from Gnosis Pay. It is not sourced from the Gnosis API — treat it as the last known state.
You can read it from:
Per-card, in GET /v1/card-issuer/customers/{customerId}:
data.pin_set is returned every time you call the view-token endpoint.
To list all customers who still need to set a PIN:
pin_set: false.
pin_set reflects the last state received via webhook and may lag if a webhook was delayed. If a cardholder reports unexpected PIN_NOT_SET errors after completing PIN setup, they can retry — the server will re-evaluate when the webhook catches up.Webhook confirmation
Subscribe tophysical.card.pin.changed on your webhook endpoint. Yativo updates pin_set: true automatically when this event arrives — no polling needed.
Payload example
Notes
| Detail | Value |
|---|---|
| Works for | Virtual and physical cards |
| PIN format | Exactly 4 digits (0000–9999) |
| Initial setup & change | Same enabled_views: ["pin-set"] flow for both |
| PIN never touches your server | Entered directly in the Yativo-hosted iframe |
| Brand customisation | Pass theme in the token request — applies to the hosted PIN page |
| Confirmation | physical.card.pin.changed webhook → pin_set: true |
pin_set source | Webhook only — not from Gnosis API |
| Online vs chip PIN | PSE updates the online PIN. The chip syncs on first ATM use (physical cards) |