> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List account payment methods across accounts in this entity

> Returns payment methods (cards + ACH bank accounts) for ALL accounts
in the API key's entity, with optional filters by account, payment
type, default state, or active state. Stripe-style cursor pagination
via `starting_after`.

Use cases:
- Card-expiration reports across all customers in the entity.
- ACH micro-deposit verification dashboards.
- Account-360 sync resolvers (cross-account PM views).

Layer 1 (multi-tenant isolation): unlike `account_addresses` and
`account_contacts`, the `account_payment_methods` table HAS its
own `entity_id` column. Scope is enforced directly via
`WHERE entity_id = $1` (no JOIN), backed by the
`idx_apm_entity_account` composite index. A crafted cursor pointing
at a sister-entity row returns 0 rows from the inner cursor SELECT
(which also binds `entity_id`), so the tuple comparison evaluates
UNKNOWN and no row leak occurs.

Sister of `/v1/account-addresses` and `/v1/account-contacts`.
Cross-refs: `docs/prompts/completed/NEW-GAP-MIGRATION-API-V1-GET-ACCOUNT-PAYMENT-METHODS [COMPLETE].md`.

Note: the `account_payment_methods` table does NOT today carry
`external_source` / `external_id` provenance columns, so migration
back-read by source-system tuple is NOT supported on this endpoint.
See `NEW-GAP-ACCOUNT-PAYMENT-METHODS-EXTERNAL-PROVENANCE-COLS` for
the follow-up to add those columns.

Requires `accounts:read` OR `payments:read` scope.




## OpenAPI

````yaml /openapi.yaml get /account-payment-methods
openapi: 3.1.0
info:
  title: Arcus ERP Public API
  version: 1.0.0
  description: >
    Arcus ERP public REST API. Designed for external integrations and data
    migration.


    **Authentication.** Bearer token (API key) via the `Authorization` header.

    Format: `Authorization: Bearer ark_live_ent_<code>_<random>` (or
    `ark_test_*` for sandbox).

    API keys are issued per-entity in **Settings > Developers > API Keys**.


    **Entity scoping.** The entity is encoded in the API key prefix; routes are
    flat

    (e.g. `/v1/accounts`, `/v1/orders`, `/v1/products`). A small set of platform
    endpoints

    (migration, reconciliation, events, webhook endpoints, API keys) use the

    `/v1/entities/{entity_id}/...` form -- those are noted in their tags.


    **Key capabilities.**
      - Related-resource hydration via `?expand[]=` (see `x-arcus-expand` on each resource).
      - Cursor-based pagination (`starting_after` / `ending_before` / `limit`).
      - Idempotency via the `Idempotency-Key` header.
      - Webhook events for asynchronous notification.
      - Conditional requests / ETag for cache validation.
servers:
  - url: https://api.arcuserp.com/v1
    description: Arcus ERP API (accepts both live `ark_live_*` and test `ark_test_*` keys)
  - url: https://dev-api.arcuserp.com/v1
    description: >-
      Dev sandbox API (test-only data, accepts `ark_test_*` keys against dev
      RDS)
security: []
paths:
  /account-payment-methods:
    get:
      tags:
        - Accounts
      summary: List account payment methods across accounts in this entity
      description: >
        Returns payment methods (cards + ACH bank accounts) for ALL accounts

        in the API key's entity, with optional filters by account, payment

        type, default state, or active state. Stripe-style cursor pagination

        via `starting_after`.


        Use cases:

        - Card-expiration reports across all customers in the entity.

        - ACH micro-deposit verification dashboards.

        - Account-360 sync resolvers (cross-account PM views).


        Layer 1 (multi-tenant isolation): unlike `account_addresses` and

        `account_contacts`, the `account_payment_methods` table HAS its

        own `entity_id` column. Scope is enforced directly via

        `WHERE entity_id = $1` (no JOIN), backed by the

        `idx_apm_entity_account` composite index. A crafted cursor pointing

        at a sister-entity row returns 0 rows from the inner cursor SELECT

        (which also binds `entity_id`), so the tuple comparison evaluates

        UNKNOWN and no row leak occurs.


        Sister of `/v1/account-addresses` and `/v1/account-contacts`.

        Cross-refs:
        `docs/prompts/completed/NEW-GAP-MIGRATION-API-V1-GET-ACCOUNT-PAYMENT-METHODS
        [COMPLETE].md`.


        Note: the `account_payment_methods` table does NOT today carry

        `external_source` / `external_id` provenance columns, so migration

        back-read by source-system tuple is NOT supported on this endpoint.

        See `NEW-GAP-ACCOUNT-PAYMENT-METHODS-EXTERNAL-PROVENANCE-COLS` for

        the follow-up to add those columns.


        Requires `accounts:read` OR `payments:read` scope.
      operationId: listAccountPaymentMethodsCrossAccount
      parameters:
        - name: account_id
          in: query
          required: false
          description: Filter to payment methods belonging to this account.
          schema:
            type: string
            format: uuid
        - name: type
          in: query
          required: false
          description: Filter by payment method type.
          schema:
            type: string
            enum:
              - card
              - ach
        - name: is_default
          in: query
          required: false
          description: Filter by default-PM state.
          schema:
            type: boolean
        - name: is_active
          in: query
          required: false
          description: |
            Filter by active state. Omit to return both active and
            soft-removed PMs.
          schema:
            type: boolean
        - name: limit
          in: query
          required: false
          description: Number of rows to return. Default 25, max 500.
          schema:
            type: integer
            minimum: 1
            maximum: 500
            default: 25
        - name: starting_after
          in: query
          required: false
          description: |
            Cursor: a payment-method `id` from a previous response. Returns
            rows ordered before this cursor by `(created_at DESC, id DESC)`.
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: List of account payment methods
          content:
            application/json:
              schema:
                type: object
                properties:
                  object:
                    type: string
                    enum:
                      - list
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/AccountPaymentMethod'
                  has_more:
                    type: boolean
                  next_cursor:
                    type: string
                    format: uuid
                    nullable: true
                  url:
                    type: string
                    example: /v1/account-payment-methods
        '400':
          $ref: '#/components/responses/Error'
        '401':
          $ref: '#/components/responses/Error'
        '403':
          $ref: '#/components/responses/Error'
      security:
        - ApiKeyAuth:
            - accounts:read
components:
  schemas:
    AccountPaymentMethod:
      type: object
      description: |
        Row shape returned by `GET /v1/account-payment-methods` (the
        canonical `account_payment_methods` table). Distinct from
        `PaymentMethod` (which is the abstract type used in some
        legacy endpoints). Stripe `pm_*` token plus card or ACH
        details mirrored from Stripe.
      properties:
        id:
          type: string
          format: uuid
        account_id:
          type: string
          format: uuid
        entity_id:
          type: string
          format: uuid
          readOnly: true
        stripe_payment_method_id:
          type: string
          nullable: true
          readOnly: true
        type:
          type: string
          enum:
            - card
            - ach
          description: Payment method type.
        card_brand:
          type: string
          nullable: true
          description: visa, mastercard, amex, etc. (card only).
        last_four:
          type: string
          nullable: true
          description: Last 4 of card or bank account.
        exp_month:
          type: integer
          nullable: true
        exp_year:
          type: integer
          nullable: true
        bank_name:
          type: string
          nullable: true
          description: ACH only.
        account_type:
          type: string
          nullable: true
          description: checking / savings (ACH only).
        routing_last_four:
          type: string
          nullable: true
          description: ACH only.
        funding_type:
          type: string
          nullable: true
          description: credit / debit / prepaid / unknown (card only).
        verification_status:
          type: string
          nullable: true
          description: verified / pending / failed (ACH microdeposit state).
        is_default:
          type: boolean
        is_active:
          type: boolean
        created_at:
          type: string
          format: date-time
          readOnly: true
        updated_at:
          type: string
          format: date-time
          readOnly: true
    ErrorEnvelope:
      type: object
      description: |
        Canonical error response envelope. All API errors use this shape.
      required:
        - error
        - code
      properties:
        error:
          type: string
          description: Machine-readable error key
          example: not_found
        code:
          type: string
          description: Machine-readable error code (often same as error)
          example: not_found
        type:
          type: string
          enum:
            - validation_error
            - permission_error
            - not_found
            - conflict
            - rate_limit
            - internal
            - expand_error
            - not_implemented
          example: not_found
        hint:
          type: string
          description: Human-readable one-sentence explanation (English)
          example: >-
            The requested order does not exist or does not belong to this
            entity.
        param:
          type: string
          description: The parameter that caused the error, if applicable
          example: expand[0]
        required:
          type: string
          description: The scope required (only on insufficient_scope errors)
          example: accounts:read
        request_id:
          type: string
          description: >-
            Unique request ID for support tracing (maps to CloudWatch log
            stream)
          example: req_abc123
  responses:
    Error:
      description: Error response (400/401/403/404/409/422/429/500)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      description: |
        API key issued per entity via Settings > Developers > API Keys.
        Each key carries scopes (e.g. orders:read, products:write).
        Bearer token format: Authorization: Bearer ark_live_ent_<code>_<random>
        Test keys use ark_test_ent_<code>_<random>. Both are issued per entity
        via Settings > Developers > API Keys.

````