CHANGELOG
Discover the latest features, enhancements, and bug fixes that we've implemented to improve your Onepay experience.
APRIL 22, 2026
Card on File - Automated Charging API

OnePay now supports Card on File — a fully tokenized automated charging API that allows businesses to save a customer's card once and charge it programmatically at any future point, with no customer interaction required at payment time.
Think of how a ride-hailing app charges a passenger's card automatically at the end of every trip — the customer approves once, and every charge after that is seamless and invisible to them. That is exactly what this API enables.
HOW IT WORKS — 3 STEPS
cus_ customer ID. ›
tok_ token from the List Cards endpoint. Store it in your database. This is the only identifier you need for all future charges. ›
customer_id, token_id, and amount. No customer action required. ›
ENDPOINTS INCLUDED
- POST /v3/customers/: Create a customer profile and request a card tokenization session.
- GET /v3/customers/: List all customers associated with your application.
- GET /v3/customers/{customer_id}/: Retrieve full customer details including saved cards and transaction history.
- GET /v3/customers/{customer_id}/cards/: List all saved card tokens for a customer.
- GET /v3/customers/{customer_id}/cards/{token_id}/: Retrieve a specific saved card.
- DELETE /v3/customers/{customer_id}/cards/{token_id}/: Soft-delete a card token. Irreversible.
- POST /v3/customers/{customer_id}/payments/: Charge a saved card token for any amount and currency.
- GET /v3/customers/{customer_id}/transactions/: Retrieve full billing history for a customer.
BILLING MODELS SUPPORTED
- Fixed billing: Charge the same amount on a predictable schedule. Ideal for SaaS monthly plans.
- Variable billing: Calculate usage at period-end and charge exactly what was consumed. Ideal for pay-as-you-go and API platforms.
Security: Card numbers never touch your server. All tokenization is handled via the card network and issuing bank. Tokens are merchant-specific and have no exploitable value outside the issuing system.