[ VIRTUAL CARDS ]

A new card for every agent.

Per-agent virtual Visa cards, scoped to a merchant, an amount, a window. The PAN never reaches the model. The card revokes itself when the job is done.

01 [ CARD LIFECYCLE ]

From request to revoke in five states.

Every Ovra card moves through the same lifecycle. Each state is observable, auditable, and reversible — except the last one.

01 · REQUEST: PENDING (awaiting issuance)

Agent asks for a card via API or MCP. Intent is captured before any credential exists.

02 · ISSUE: ACTIVE (4242 •••• •••• 8917, agent · ag_4f8a)

DPAN minted. PAN encrypted at rest with AES-256-GCM. Card is alive, but locked open.

03 · SCOPE: SCOPED (vendor.io · €500 · 24h; merchant_lock, amount_cap)

Policy attaches: merchant lock, amount cap, TTL, MCC. Enforced at the network, not in your code.

04 · CHARGE: AUTHORIZED · 12ms (vendor.io · €342.00)

Network token presented to checkout. Single-use cryptogram. Authorization in milliseconds.

05 · REVOKE: REVOKED (terminated · 24h elapsed, audit logged)

TTL expires or job completes. Card is terminated, audit log sealed. Zero residual exposure.

02 [ ZERO-KNOWLEDGE ]

The agent never sees the number.

Real card credentials are tokenized into a Visa Network Token (DPAN) at issuance. The funding PAN stays inside Ovra, encrypted at rest with AES-256-GCM. Agents transact against the DPAN and a single-use cryptogram — not against your card.

  • DPAN, not PAN, in every checkout payload
  • PAN/CVV reveal capped at 3 r/s, audit-logged
  • Cryptogram is single-use — replay = decline
  • Encryption keys rotate; ciphertext is portable

EU data residency · GDPR by design

[ FPAN ] funding card: 4929 1842 7763 0091 (never leaves Ovra)
[ DPAN ] network token: 4242 •••• •••• 8917
  • cryptogram: single-use
  • scope: agent + merchant
  • at rest: AES-256-GCM

Agent context never sees PAN or CVV.

03 [ NETWORK CONTROLS ]

Enforced at the rails. Not your code.

Every guardrail is checked by the issuer before authorization clears. If your application crashes, the card still won't overspend.

merchant_id · mcc · country · ttl

Amount caps · ≤ €500 / tx

Per-transaction, daily, and lifetime ceilings enforced before authorization clears the network.

ENFORCED AT NETWORK

Merchant lock · merchant_id = 4f8a

Bind a card to a single merchant ID. Anything else is declined at the rails — not by your code.

ENFORCED AT NETWORK

MCC restrictions · mcc ∈ allow_set

Allow- or block-list Merchant Category Codes. Categorical guardrails: SaaS yes, gambling no.

ENFORCED AT NETWORK

Country rules · country = DE,AT,CH

Lock cards to ISO country codes. Cross-border attempts get blocked before the issuer responds.

ENFORCED AT NETWORK

Time windows · ttl = 24h

Cards only authorize inside defined TTLs. After the window closes, every charge is rejected.

ENFORCED AT NETWORK

Velocity caps · ≤ 5 tx / hour

Cap charges per minute, hour, or day. Stops a runaway agent from hammering the same vendor.

ENFORCED AT NETWORK
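
A model of the authorization decision the six controls above describe, added here as an illustration; it is not Ovra's or any issuer's code. The `CardPolicy` fields, the `authorize` function, the MCC values and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class CardPolicy:  # hypothetical model; field names follow the labels on this page
    merchant_id: str
    mcc_allow: frozenset
    countries: frozenset
    amount_cap_cents: int          # per-transaction ceiling, in integer cents
    issued_at: datetime
    ttl: timedelta
    max_tx_per_hour: int
    approved: list = field(default_factory=list)  # timestamps of approved charges

def authorize(policy, merchant_id, mcc, country, amount_cents, now):
    """Return (approved, reason). Fails closed: the first failed control declines."""
    if now < policy.issued_at or now >= policy.issued_at + policy.ttl:
        return False, "ttl"
    if merchant_id != policy.merchant_id:
        return False, "merchant_id"
    if mcc not in policy.mcc_allow:
        return False, "mcc"
    if country not in policy.countries:
        return False, "country"
    if amount_cents <= 0 or amount_cents > policy.amount_cap_cents:
        return False, "amount_cap"
    # Sliding one-hour window; only approved charges count toward velocity.
    recent = [t for t in policy.approved if t > now - timedelta(hours=1)]
    if len(recent) >= policy.max_tx_per_hour:
        return False, "velocity"
    policy.approved = recent + [now]
    return True, "approved"

def demo():
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    # MCC 5734 (software) allowed; 7995 (betting) is not in the allow set.
    p = CardPolicy("4f8a", frozenset({"5734"}), frozenset({"DE", "AT", "CH"}),
                   50_000, t0, timedelta(hours=24), 5)
    h = lambda n: t0 + timedelta(hours=n)
    attempts = [
        ("4f8a", "5734", "DE", 34_200, h(1)),   # in scope
        ("9c1d", "5734", "DE", 34_200, h(1)),   # wrong merchant
        ("4f8a", "7995", "DE", 1_000, h(1)),    # blocked category
        ("4f8a", "5734", "US", 1_000, h(1)),    # cross-border
        ("4f8a", "5734", "DE", 50_001, h(1)),   # one cent over the cap
        ("4f8a", "5734", "DE", 1_000, h(24)),   # exactly at TTL expiry
    ]
    return [authorize(p, *a)[1] for a in attempts]
```
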

Issue a card to your first agent.

Get sandbox access in the private beta.