Issuing authorizations
Learn how to use Issuing to handle authorization requests.
When a card is used to make a purchase, it generates an authorization request, which is approved or declined based on the following steps:
Stripe checks that the balance used for Issuing has sufficient funds, that the card is active, and that your spending controls allow the authorization. Sometimes, Stripe immediately approves or declines the authorization request at this stage.
Stripe sends an
issuing_event. If you don’t have a real-time authorization webhook, we approve the authorization without sending theauthorization. request issuing_.authorization. request Listen for Stripe events
Set up a real-time authorization webhook to listen for this event so you can synchronously approve/decline Authorizations.
You can approve or decline the authorization by responding directly to the webhook event. If you don’t approve or decline the
issuing_within 2 seconds, Stripe uses your webhook timeout settings to approve or decline the authorization.authorization. request Stripe sends an
issuing_event, notifying you of the Authorization creation and decision.authorization. created
Scenarios without a real-time authorization request
Sometimes, Stripe receives an authorization request from the card network and approves or declines it without sending you an issuing_ event:
- If Stripe decides that the authorization request can’t be approved (for example, because the card is inactive or your spending controls don’t allow it), we’ll decline it.
- If you don’t have a real-time authorization webhook configured, and we don’t have a reason to decline the authorization request, we’ll approve it.
When this occurs, Stripe still sends an issuing_ event, notifying you of the Authorization’s creation.
Refunds
Many businesses send real-time authorization requests for refunds. Stripe has default logic in place to process these requests. If the business proceeds with sending the refund, you’ll see a refund transaction object.
Authorization updates
When Stripe receives an authorization request, we send an issuing_ webhook event. If you approve the authorization, we deduct the amount from your Issuing balance and hold it in reserve until the authorization is either captured, voided, or expired without capture. If you decline the authorization, the status is set to closed and we don’t place any holds.
When the authorization is captured, a transaction is created and the status of the authorization is set to closed.
If the authorization request is voided, we send an issuing_ webhook event with its status set to reversed and the amount as 0. We add the voided amount back to your Issuing balance, essentially undoing the balance impact of the original authorization.
Stripe can expire an authorization by releasing the hold on the balance of an authorization after a period of time. If the authorization request expires without capture, we send an issuing_ webhook event with its status set to expired in API versions 2025-03-31.basil or later, or status set to reversed in API versions 2025-03-31.basil or earlier. The amount field represents any remaining amount authorized for possible late captures. We add the expired amount back to your Issuing balance, essentially undoing the balance impact of the original authorization.
This table describes the sequence of operations on an authorization and the status associated with each operation:
| Operations on the authorization object | Status (on versions 2025-03-31.basil and newer) |
|---|---|
| Waiting for response to the real-time authorization request | Pending |
| The authorization is declined on the response associated with the real-time authorization request | Closed |
| The authorization is approved, but pending capture | Pending |
| The authorization is approved and then fully captured | Closed |
| The authorization is approved and then partially captured | Pending |
| The authorization is approved and then fully reversed | Reversed |
| The authorization is approved and then partially reversed | Pending |
| The authorization is approved and then expired by Stripe | Expired |
| The authorization is approved, partially captured, and then the balance is fully reversed | Closed |
| The authorization is approved, partially captured, and then expired by Stripe | Closed |
| The authorization is approved, partially reversed, and then the balance is fully captured | Closed |
| The authorization is approved, partially reversed, and then expired by Stripe | Expired |
| The authorization is approved, expired by Stripe, and then fully captured | Expired |
| The authorization is approved, expired by Stripe, and then partially captured | Expired |
| The authorization is approved, expired by Stripe, and then fully reversed | Reversed |
| The authorization is approved, expired by Stripe, and then partially reversed | Expired |
Purchases in different currencies
Cards can be used for purchases in any currency that the card network supports. Stripe automatically converts the currency of the purchase into the card’s currency when holding funds, using the card network’s daily rate.
The merchant_ represents the cost of the purchase in the local currency. The amount field represents the expected amount of the Transaction in the card’s currency and isn’t final until the Authorization has been captured.
Handling other authorizations
In addition to regular authorizations, there are a few other cases that you should be ready to handle.
Some authorizations are partially authorized to limit spending. This allows you to authorize a specific lower amount and is useful when there aren’t sufficient funds to cover the full purchase.
Fueling stations in the US are a special example of this. Learn more about fuel dispenser authorizations.
When an authorization is partially authorized, the is_ field on the authorization request is set to true. You can specify the amount you want to approve by setting the amount in the webhook response body or the approve call.
If you partially approve a cashback authorization, you must approve the full cashback amount. You can’t set the approved amount lower than the cashback_.
Testing
To simulate the creation of a new partial authorization, you can use the Authorization Create API in the Issuing test helpers.
curl https://api.stripe.com/v1/test_helpers/issuing/authorizations \ -u ":" \ -d "card=sk_test_BQokikJOvBiI2HlWgH4olfQ2" \ -d amount=100 \ -d "merchant_data[category]=automated_fuel_dispensers" \ -d is_amount_controllable=true{{CARD_ID}}
Fuel dispenser authorizations
When a cardholder attempts a purchase at a fuel dispenser (MCC 5542), an issuing_ for 1 USD is sent (called a “status check”). The default amount held is 100 USD to cover the unknown purchase amount. When the cardholder finishes pumping fuel, an issuing_ event is sent to reflect the amount of the purchase.
When the fuel dispenser allows a partial authorization by setting is_ to true, you can respond with a lower approved amount, such as 50 USD, or a higher approved amount. If you respond with a higher amount, you might lose some dispute rights. If a fuel dispenser doesn’t allow partial authorizations, you must either approve the network default amount, and Stripe ignores any amount that you specify, or decline the entire authorization.
For Commercial Fleet programs, Stripe receives some information in the Issuing Authorization fleet and fuel hashes after the fuel has been dispensed. As a result, some of these fields won’t be populated during the issuing_ webhook and will be sent later in the issuing_ webhook.
Recurring authorizations
Stripe permits recurring authorizations on expired cards. Cancel the card or deactivate the cardholder to decline all future recurring authorizations. Captures on previously approved authorizations always succeed.
Using with Treasury for platforms
Authorizations on cards that use funds stored in FinancialAccounts have a treasury field with references to related resources: Transaction, ReceivedCredit, and ReceivedDebit.
Authorization outcomes
When you or Stripe approve or decline an authorization, this field provides additional detail about the reason for the outcome. To find this, click the authorization in the Stripe Dashboard or look at the value in request_history.reason.
| Authorization outcome | Description | Next steps |
|---|---|---|
account_ | The authorization request was declined because your account is disabled. | If the account was disabled due to inactivity, re-enable Issuing on the connected account. For other questions, contact support-issuing@stripe.com. This replaces the deprecated account_ and account_ enums. |
card_ | The authorization was approved according to your default Issuing settings. Authorization outcome wasn’t caused by a real-time authorization webhook or spending controls because neither were configured. | No action required. Authorization approved. |
card_ | The authorization request was declined because the card was canceled. | You can’t undo this action. You need to issue a new card. Although the card is no longer active for new purchases, it can still receive refunds in several scenarios, because these are handled by the card issuer and often routed to your bank account or a replacement card. |
card_ | The authorization request was declined because the card expired. | Learn more about replacing expired cards. |
card_ | The authorization request was declined because the card was inactive. | Learn how to activate the card. |
cardholder_ | The authorization request was declined because the cardholder is blocked. | This status is non-reversible. You need to create a new cardholder. |
cardholder_ | The authorization request was declined because the cardholder was inactive. | You can activate the cardholder in the Dashboard or using the API update endpoint. Learn more about cardholder status. |
cardholder_ | The authorization wasn’t approved because the cardholder still required verification. | Learn more by querying the API and obtaining the requirements field of the Cardholder object, or by navigating to the Cardholder on the Dashboard and checking for any pending requirements. |
insecure_ | The authorization request was declined because an insecure authorization method was used. | You can retry the authorization by inserting the chip into the terminal or entering the PIN at the point of sale. |
insufficient_ | The authorization request was declined because your account had insufficient funds. | Learn about topping up your Issuing balance. If you’re in the Consumer Issuing private preview, refer to this guide instead. |
network_ | Stripe timed out or encountered an error when responding to the card network. | If you have a dedicated BIN and have configured Autopilot, the card network approved or declined the authorization based on your STIP configuration. |
not_ | The charge isn’t allowed on the Stripe network, possibly because it is an ATM withdrawal or cash advance. | Confirm that if you’re a Commercial Issuing user, these aren’t Consumer transactions. |
pin_ | The authorization request was declined because the card’s PIN is blocked. | Learn about managing PINs. For US cards, Stripe configures them to prefer signature verification. If a terminal requests a PIN, that behavior is determined by the terminal’s settings. Try again on a new Terminal device. |
spending_ | The authorization was declined because of your spending controls. | Learn about updating your spending controls. Verify spending controls before processing a transaction when the existing controls match the transaction’s amount or category. The total spent at any given time includes both captures and authorizations. |
suspected_ | The authorization was suspected to be fraud based on Stripe’s risk controls. | Consider implementing Fraud Challenges to avoid this. |
verification_ | The authorization failed required verification checks. | See authorization. for more information in your Dashboard. Possible values include Incorrect PIN, missing expiry date, mismatched expiry, invalid account number, or missing Strong Customer Authentication (when SCA is implemented on the cards). This replaces the deprecated authentication_, incorrect_, and incorrect_ enums. |
webhook_ | The authorization was approved by the real-time authorization webhook. | No action required. Authorization approved. Learn more about real-time authorizations. |
webhook_ | The authorization was declined by the real-time authorization webhook. | Learn more about real-time authorizations. Some reasons include insufficient funds and exceeding approval amount limits. |
webhook_ | The response sent through the real-time authorization webhook is invalid. | Learn more about real-time authorizations. |
webhook_ | The real-time authorization webhook timed out before Stripe received your authorization decision. | Stripe approved or declined the authorization based on what you configured in your Issuing default or Autopilot settings. Confirm your settings and try again. |
Scenarios with no record of declined authorizations in the Dashboard or API
In some cases, an authorization made with an Issuing Card might be declined and neither you or your connected accounts will receive a webhook event or an authorization record (iauth_).
In these cases, make sure that you collect as much information as possible about the declined authorization before reaching out to Stripe support for assistance.
We recommend including the following information:
- The time of the decline
- The cardholder (
ich_) who made the purchase - The card (
ic_) used for the authorization - The merchant involved in the authorization
- Any other circumstances surrounding the authorization
It’s possible that the authorization is declined before any related information is transmitted to Stripe. In these cases, the cardholder involved must directly contact the business to determine the cause of the decline because Stripe hasn’t received a record of the authorization request.
You might encounter additional instances of declines without an associated webhook event or authorization object that Stripe can assist with. To determine the classification of the decline, contact Stripe support with the information provided above. We can help to determine the most appropriate steps to investigate the declines.
