Resources/The Agent API Atlas/Finance/Ramp

Everything an AI agent can do with the Ramp API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints30

API versionv1

Last updated23 June 2026

Orientation

How the Ramp API works.

The Ramp API is how an app or AI agent works with a Ramp account: listing card transactions, issuing a virtual card, setting a spend limit, or reading reimbursements and bills. Access is granted through an OAuth 2.0 access token, and each method requires a scope named like transactions:read or cards:write that sets which resources a call can read or write. Ramp serves a single version of the API and can push events, like a transaction clearing or a bill being paid, to a subscribed endpoint.

30Endpoints

10Capability groups

17Read

13Write

21Permissions

Authentication

Ramp authenticates with OAuth 2.0 Bearer access tokens. The client-credentials flow exchanges a client id and secret for an application token, the route for server-to-server use and the MCP server. The authorization-code flow sends a user to consent and returns a user token plus a refresh token. Both obtain the token from the same token endpoint, and every call carries the token as a Bearer credential.

Permissions

Access is governed by OAuth scopes named resource:permission, like transactions:read, cards:write, or users:read. A token only carries the scopes granted to its client, and a call to a method whose scope is missing returns a 403. Sensitive card numbers sit behind a separate, narrower cards:read_vault scope, distinct from cards:read.

Versioning

Ramp serves a single version of its developer API, identified as v1 in the path. There is no dated version string to pin; changes ship to v1 in place and are published in a dated changelog. An integration tracks the changelog rather than choosing between versions.

Data model

Ramp is resource-oriented REST with predictable /developer/v1/ paths, JSON responses, and cursor-paginated lists. Spend revolves around transactions, cards, spend limits, and spend programs, with users, departments, and locations as the org structure that scopes them, and bills, reimbursements, and receipts covering payables. Some writes, like creating or terminating a card, are processed asynchronously and return a task id to poll.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Ramp determines what it can reach. There is a route for making calls, a route for receiving events, and a hosted server that exposes Ramp tools to agents, and each is governed by the access token behind it and the scopes that token carries.

Ways to connect

REST API

The REST API returns JSON and pages through lists with a cursor, at https://api.ramp.com/developer/v1. A call authenticates with an OAuth 2.0 Bearer access token, and each method requires a specific scope like transactions:read or cards:write. A request that runs longer than 60 seconds is cut off with a 504.

Best forConnecting an app or AI agent to Ramp.

Governed byThe access token and the scopes it carries.

Docs ↗

MCP server

Ramp publishes a first-party, open-source Model Context Protocol server, ramp_mcp, that exposes Ramp Developer API data and tasks to AI agents and LLM clients. It loads data into an in-memory SQLite database so an agent can query and analyze spend in natural language. It authenticates with an OAuth client-credentials token and is governed by the scopes granted to that token.

Best forConnecting an AI agent to Ramp through MCP.

Governed byThe OAuth token and the scopes it carries.

Docs ↗

Webhooks

Ramp POSTs event payloads to an HTTPS endpoint registered through the webhooks API. The receiver verifies the X-Ramp-Signature header, an HMAC-SHA256 of the raw request body signed with the subscription's secret, to confirm the request came from Ramp. Subscriptions are scoped to event types like transactions.cleared and bills.paid.

Best forReceiving Ramp events at an app or AI agent.

Governed byThe signing secret on the subscription.

Docs ↗

Authentication

OAuth 2.0 client credentials

The client-credentials flow exchanges a client id and secret for an access token at https://api.ramp.com/developer/v1/token, with no user present. The token represents the application itself and carries the scopes granted to the client. It is the route for server-to-server integrations and for the MCP server.

TokenBearer access token (application-level)

Best forServer-to-server integrations acting as the app.

Docs ↗

OAuth 2.0 authorization code

The authorization-code flow sends a user to https://api.ramp.com/v1/authorize to consent, then exchanges the returned code for an access token at the token endpoint. The token represents that user and the scopes they approved, and a refresh token lets the app obtain new access tokens without re-prompting.

TokenBearer access token (user-delegated) plus refresh token

Best forApps acting on behalf of a specific Ramp user.

1 endpoint

Methods for reading merchant reference data.

Read-only reference data.

View endpoints →

Endpoint reference

Every Ramp API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Transactions Methods for reading and annotating card transactions.3
GET	`/developer/v1/transactions`	List card transactions, filterable by date, amount, card, user, merchant, and state.	read	`transactions:read`	Current
Read-only. Acts ontransaction Permission (capability)`transactions:read` VersionAvailable since the API’s base version Webhook event`transactions.cleared` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/transactions/{transaction_id}`	Fetch a single transaction by id.	read	`transactions:read`	Current
Read-only. Acts ontransaction Permission (capability)`transactions:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/developer/v1/transactions/{transaction_id}`	Update a transaction, for example to set accounting fields or a memo.	write	`transactions:write`	Current
Changes accounting and memo data on a real transaction. Acts ontransaction Permission (capability)`transactions:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Cards Methods for listing, issuing, and controlling cards.6
GET	`/developer/v1/cards`	List cards in the business.	read	`cards:read`	Current
Read-only; returns card metadata, not full numbers. Acts oncard Permission (capability)`cards:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/cards/{card_id}`	Fetch a single card by id.	read	`cards:read`	Current
Read-only metadata; sensitive numbers need cards:read_vault. Acts oncard Permission (capability)`cards:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/cards/deferred/virtual`	Create a virtual card. The call returns a task id and the card is created asynchronously.	write	`cards:write`	Current
Issues a real spending card; resolve the task to get the card. Acts oncard Permission (capability)`cards:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/developer/v1/cards/{card_id}`	Update a card, for example its display name or spending controls.	write	`cards:write`	Current
Changes controls on a live card. Acts oncard Permission (capability)`cards:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/cards/{card_id}/deferred/termination`	Terminate a card permanently. Processed asynchronously and returns a task id.	write	`cards:write`	Current
Irreversible; the card can no longer be used. Acts oncard Permission (capability)`cards:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/vault/cards/{card_id}`	Fetch a card's sensitive details, like the full number, from the vault.	read	`cards:read_vault`	Current
Returns full card numbers; a separate, narrower scope than cards:read. Acts oncard Permission (capability)`cards:read_vault` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Users Methods for listing, inviting, and managing users.4
GET	`/developer/v1/users`	List users in the business.	read	`users:read`	Current
Read-only; returns names, emails, roles, and department. Acts onuser Permission (capability)`users:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/users/{user_id}`	Fetch a single user by id.	read	`users:read`	Current
Read-only. Acts onuser Permission (capability)`users:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/users/deferred`	Invite a new user. Processed asynchronously and returns a task id.	write	`users:write`	Current
Adds a person to the business with a role. Acts onuser Permission (capability)`users:write` VersionAvailable since the API’s base version Webhook event`users.invite_accepted` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/developer/v1/users/{user_id}/deactivate`	Deactivate a user so they can no longer access the business.	write	`users:write`	Current
Revokes a person's access. Acts onuser Permission (capability)`users:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Spend limits Methods for creating and adjusting spend limits.3
GET	`/developer/v1/limits`	List spend limits.	read	`limits:read`	Current
Read-only. Acts onspend_limit Permission (capability)`limits:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/limits/deferred`	Create a spend limit. Processed asynchronously and returns a task id.	write	`limits:write`	Current
Sets how much can be spent and by whom. Acts onspend_limit Permission (capability)`limits:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/developer/v1/limits/{spend_limit_id}`	Update a spend limit.	write	`limits:write`	Current
Changes a live spending allowance. Acts onspend_limit Permission (capability)`limits:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Spend programs Methods for working with spend programs.2
GET	`/developer/v1/spend-programs`	List spend programs, the reusable templates that govern spending.	read	`spend_programs:read`	Current
Read-only. Acts onspend_program Permission (capability)`spend_programs:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/spend-programs`	Create a spend program.	write	`spend_programs:write`	Current
Defines a reusable spending policy. Acts onspend_program Permission (capability)`spend_programs:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Reimbursements Methods for reading and creating reimbursements.3
GET	`/developer/v1/reimbursements`	List reimbursements.	read	`reimbursements:read`	Current
Read-only. Acts onreimbursement Permission (capability)`reimbursements:read` VersionAvailable since the API’s base version Webhook event`reimbursements.ready_for_review` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/reimbursements/{reimbursement_id}`	Fetch a single reimbursement by id.	read	`reimbursements:read`	Current
Read-only. Acts onreimbursement Permission (capability)`reimbursements:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/reimbursements/mileage`	Create a mileage reimbursement.	write	`reimbursements:write`	Current
Creates a real reimbursement claim. Acts onreimbursement Permission (capability)`reimbursements:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Bills Methods for creating, reading, and paying bills.3
GET	`/developer/v1/bills`	List bills.	read	`bills:read`	Current
Read-only. Acts onbill Permission (capability)`bills:read` VersionAvailable since the API’s base version Webhook event`bills.created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/bills`	Create a bill.	write	`bills:write`	Current
Creates a real bill payable to a vendor. Acts onbill Permission (capability)`bills:write` VersionAvailable since the API’s base version Webhook event`bills.created` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/bills/{bill_id}`	Fetch a single bill by id.	read	`bills:read`	Current
Read-only. Acts onbill Permission (capability)`bills:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Receipts Methods for reading and uploading receipts.2
GET	`/developer/v1/receipts`	List receipts.	read	`receipts:read`	Current
Read-only. Acts onreceipt Permission (capability)`receipts:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/receipts`	Upload a receipt.	write	`receipts:write`	Current
Adds a receipt to the account. Acts onreceipt Permission (capability)`receipts:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Departments & locations Methods for the org structure used to scope spend.3
GET	`/developer/v1/departments`	List departments.	read	`departments:read`	Current
Read-only. Acts ondepartment Permission (capability)`departments:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/developer/v1/departments`	Create a department.	write	`departments:write`	Current
Changes the org structure. Acts ondepartment Permission (capability)`departments:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/developer/v1/locations`	List locations.	read	`locations:read`	Current
Read-only. Acts onlocation Permission (capability)`locations:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Merchants Methods for reading merchant reference data.1
GET	`/developer/v1/merchants`	List merchants, the reference data behind transactions.	read	`merchants:read`	Current
Read-only reference data. Acts onmerchant Permission (capability)`merchants:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Ramp can notify an app when something happens in an account, like a transaction clearing or a bill being paid. It posts an event to a subscribed endpoint, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`transactions.cleared`	A card transaction cleared and settled.	`/developer/v1/transactions`
`transactions.authorized`	A card transaction was authorized, before it clears.	In-app only
`transactions.declined`	A card transaction was declined.	In-app only
`bills.created`	A bill was created.	`/developer/v1/bills` `/developer/v1/bills`
`bills.paid`	A bill was paid.	In-app only
`reimbursements.ready_for_review`	A reimbursement is ready for review.	`/developer/v1/reimbursements`
`users.invite_accepted`	An invited user accepted the invite and joined the business.	`/developer/v1/users/deferred`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Ramp limits how fast an app can call, by a request count measured over a short rolling window, and cuts off any single request that runs too long.

Request rate

Ramp meters requests by a count over a short rolling window rather than by a per-method cost. The documented limit is 200 requests per 10-second rolling window per source IP address, roughly 1,200 per minute. Going over returns HTTP 429. Separately, any single request that runs longer than 60 seconds is terminated with a 504, so large reads should be narrowed and paged.

Pagination

A list endpoint is cursor-based. The page_size parameter sets how many results come back, between 2 and 100 with a default of 20, and the start parameter takes the id of the last item from the previous page to fetch the next one. The response carries a next-page reference so an integration can walk through all results.

Request size

A list page returns at most 100 items, the maximum value of page_size. Reads are bounded by the 60-second request timeout rather than a fixed result cap, so very large pulls are paged.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`invalid_request`	The request was malformed or a parameter was missing or invalid.	Read the error body, fix the parameters, and resend. The request is not retryable as-is.
401	`unauthorized`	The access token is missing, expired, or invalid.	Obtain a fresh token through the OAuth flow, and confirm it is sent as a Bearer token.
403	`forbidden`	The token is valid but lacks the scope the request needs, like a transactions:read token calling a write method.	Grant the missing scope to the client and re-issue the token.
404	`not_found`	The requested object does not exist or is not visible to this token.	Verify the object id and that it belongs to the authenticated business.
422	`unprocessable_entity`	The request was well-formed but failed a validation rule on the data.	Correct the values flagged in the response and resend.
429	`too_many_requests`	The rate limit was exceeded for the calling source.	Back off and retry with exponential backoff, and smooth the request rate under the rolling-window limit.
504	`gateway_timeout`	The request took longer than 60 seconds and was terminated.	Narrow filters or page sizes so the request completes within the limit, then retry.

Versioning & freshness

Version history.

Ramp serves one version of its developer API, identified as v1, and ships dated changes to it through a public changelog rather than minting a new version string.

Version history

What changed, and when

Latest versionv1

v1Current version

Developer API v1 (current, continuously updated)

Ramp serves a single version of its developer API, identified as v1 in the path, with no dated version string to pin. Changes ship to v1 in place and are published in a public, dated changelog, so an integration tracks the changelog rather than migrating between versions.

What changed

OAuth 2.0 with client-credentials and authorization-code flows and resource:permission scopes.
Coverage across transactions, cards, users, spend limits, spend programs, reimbursements, bills, receipts, departments, locations, and merchants.
Webhook subscriptions with HMAC-SHA256 signature verification.

2026-06-09Feature update

Recent changelog activity (2026)

The v1 API received frequent dated updates through the first half of 2026, published in the changelog. Each ships additively to the single v1 surface rather than minting a new version.

What changed

Ongoing additive changes published on dated changelog entries through June 2026.
No version string change; updates apply to v1 in place.

2024-05

May 2024 update batch

A documented batch of additive changes across several resources, shipped to v1.

What changed

Transactions and reimbursements: new fund_id field replacing the deprecated limit_id.
Bills: a new bills.updated webhook event.
Funds API and Treasury endpoints introduced in beta.
Entity-level scoping added for GL accounts, vendors, and tax codes.

Track the changelog, since changes ship to the single v1 API in place.

Ramp API changelog ↗

Questions

Ramp API, answered.

What is the difference between the client-credentials and authorization-code flows?+

Client credentials exchanges a client id and secret for a token that represents the application itself, with no user present, which suits server-to-server integrations and the MCP server. Authorization code sends a user to consent at the authorize endpoint and returns a token that represents that user, plus a refresh token. Both end at the same token endpoint and produce a Bearer access token; the difference is whether the token acts as the app or as a specific person.

How do scopes work in the Ramp API?+

Each method requires an OAuth scope named resource:permission, such as transactions:read or cards:write. A token carries only the scopes granted to its client, and a request to a method whose scope is missing returns a 403. Scopes split read from write per resource, so a token can be limited to reading transactions without any power to issue cards or move money.

Why do some card and limit writes return a task id instead of the object?+

Creating or terminating a card, and creating a spend limit, are processed asynchronously. The call returns a task id, and a follow-up request to the deferred-status endpoint reports whether the task finished and returns the resulting object. This lets Ramp run the underlying issuance or termination work without blocking the original request.

How are webhooks verified as genuinely from Ramp?+

Each delivery carries an X-Ramp-Signature header, an HMAC-SHA256 of the raw request body signed with the secret returned when the subscription was created. The receiver computes the same HMAC over the unparsed body and compares it, rejecting any mismatch. The check runs on the raw body to avoid spoofed events.

What are the rate limits?+

Ramp allows 200 requests per 10-second rolling window per source IP address, about 1,200 per minute, and returns HTTP 429 when that is exceeded. Separately, any single request that runs longer than 60 seconds is terminated with a 504, so large reads should be narrowed with filters and walked page by page.

Does Ramp have an official MCP server?+

Yes. Ramp publishes a first-party, open-source Model Context Protocol server, ramp_mcp, that exposes Developer API data and tasks to AI agents. It loads data into an in-memory SQLite database so an agent can analyze spend in natural language, and it authenticates with an OAuth client-credentials token governed by the scopes granted to it.

How does pagination work?+

Lists are cursor-based. The page_size parameter sets the number of results, between 2 and 100 with a default of 20, and the start parameter takes the id of the last item from the previous page to fetch the next one. The response includes a next-page reference so an integration can walk through every result.

What is Bollard AI?

Control what every AI agent can do in Ramp.

Bollard AI sits between a team's AI agents and Ramp. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Ramp token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Ramp access in Bollard Browse all APIs →

Ramp

Spend Agent

View transactions ResourceOffReadFull use

Issue virtual cards ActionOffReadFull use

Set spend limits ActionOffReadFull use

Reimbursements ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Ramp

How the Ramp API works.

Connection & authentication methods.

REST API

MCP server

Webhooks

OAuth 2.0 client credentials

OAuth 2.0 authorization code

What an AI agent can do in Ramp.

Transactions

Cards

Users

Spend limits

Spend programs

Reimbursements

Bills

Receipts

Departments & locations

Merchants

Every Ramp API method.

Transactions

Cards

Users

Spend limits

Spend programs

Reimbursements

Bills

Receipts

Departments & locations

Merchants

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Ramp API, answered.

More finance API guides for agents

Stripe

FreshBooks

Chargebee

Razorpay

Recurly

Square

Control what every AI agent can do in Ramp.