Credit Cards Marketplace

This page covers prefilling Engine's cards marketplace by using our Prefill API.

It builds on the shared concepts in the Prefill API overview (how the flow works, token lifecycle, frontend options, best practices). Please start there if you haven't already!

API Request

Before you start: you'll need a bearer token from your Engine team scoped to your Cards subaccount, and your cards experience configured and enabled by Engine.

Authentication

Every request must be authenticated with the bearer token provided by your Engine team.

Authorization: Bearer <YOUR_ACCESS_TOKEN>

Your token is scoped to a specific subaccount by product category (Loans, Credit Cards, etc.). Use the token your Engine team directs you to use for each product — the markup you get back is determined by the marketplace tied to that token plus the productTypes you send.

Request Body

Send a POST to the prefill endpoint with a JSON body. The body carries the consumer's data plus a productTypes array that tells Engine which experience to return.

productTypes is required. Without it, Engine can't determine which embed snippet and partner page URL to return, and the request will fail.

Request Component

Value

Endpoint

POST https://api.engine.tech/originator/prefills

Auth

Authorization: Bearer <YOUR_ACCESS_TOKEN>

Content type

application/json

Accepted Fields

Credit cards use productTypes:"credit_card". The accepted fields and the embed markup differ from lending, so use this page when integrating cards.

Parameter

Required

Notes

productTypes

Yes

Array. Accepted values: credit_card. Tells Engine which hosted experience (embed snippet + partner page URL) to return.

Group your data into the objects below. Send only what you have - omitted fields are collected from the consumer in-flow:

Object

Fields

Notes

personalInformation

firstName

String

personalInformation

lastName

String

personalInformation

email

String

personalInformation

primaryPhone

String, 10-digit "0123456789"

personalInformation

address1

String

personalInformation

address2

Optional Address Field

personalInformation

city

String

personalInformation

state

String, standard two-lettercode "NY"

personalInformation

zipcode

String

personalInformation

dateOfBirth

String, "YYYY-MM-DD"

financialInformation

annualIncome

Integer

Sample Request Payload

{
  "productTypes": ["credit_card"],
  "personalInformation": {
    "firstName": "John",
    "lastName": "Doe",
    "email": "[email protected]",
    "city": "New York",
    "state": "NY",
    "primaryPhone": "2125556789",
    "address1": "45 West 21st Street",
    "address2": "5th Floor",
    "zipcode": "10010",
    "dateOfBirth": "1993-10-09"
  },
  "financialInformation": {
    "annualIncome": 120000
  }
}

API Response

A successful request returns 200 OK with the token and the markup you need to render the experience.

Field

Description

productTypes

Echoes the product types from your request.

prefillToken

The short-lived token that unlocks the prefilled data.

expiresInSeconds

Token time-to-live, in seconds (currently 180).

maxUses

How many times the token can be redeemed (currently 3).

partnerPageUrl

Hosted Engine landing page, with the prefillToken already appended.

embedSnippet

HTML/JS markup to embed the experience on your own site.

The exact shape of partnerPageUrl and embedSnippet depends on the product — see the product pages for examples.

Prefill Token Lifecycle

To keep consumer data secure, tokens have strict time and usage limits.

Time to live: tokens are valid for expiresInSeconds (currently ~3 minutes / 180s). Generate the token immediately before the consumer interacts with the flow.
Usage: tokens can be redeemed up to maxUses times (currently 3) to support retries. Do not cache or reuse a token across sessions.

If the token's TTL or use limit is exceeded, the consumer simply isn't prefilled — they'll fill out the required fields themselves to complete the product search. Nothing breaks.

Sample Response

A successful request returns the token plus the credit card markup:

{
  "productTypes": ["credit_card"],
  "prefillToken": "e9c6b1a2-4f8d-4d2c-b9e6-91f2a6d8b0a4",
  "expiresInSeconds": 180,
  "maxUses": 3,
  "partnerPageUrl": "https://www.moneylion.com/network/<your-marketplace>/credit-cards?prefillToken=e9c6b1a2-4f8d-4d2c-b9e6-91f2a6d8b0a4",
  "embedSnippet": "<script type=\"application/javascript\" async src=\"https://www.moneylion.com/network/<your-marketplace>/credit-cards/web-component/credit-cards/index.js\"></script><moneylion-credit-cards data-prefill-token=\"e9c6b1a2-4f8d-4d2c-b9e6-91f2a6d8b0a4\"></moneylion-credit-cards>"
}

Frontend Integration Options

Engine must configure and enable your experiences before they can render, regardless of which path you choose. The only dynamic value in the returned markup is the prefillToken — everything else is scoped to your marketplace and the productTypes you sent. You can extract and use any of:

the full partnerPageUrl,
the full embedSnippet, or
just the prefillToken value (to drop into markup you already maintain).

Partner Page (Linkout)

Best for partners who want to hand the consumer off to a hosted MoneyLion landing page, or who want a lighter-lift integration.

Extract partnerPageUrl from the response.
Redirect the consumer there with a standard HTTP 302 or a client-side location change.

Embedded Experience

Best for partners who want to keep the consumer on their own property.

Extract embedSnippet from the response.
Unescape the snippet.
Inject the snippet into your page where the component should appear.
The script initializes automatically using the prefillToken to load the consumer's data.

The embed markup is not the same for every product — lending uses an auto-mounting script tag, while credit cards use a script plus a custom element. Use the snippet returned for your product, and see the product pages for the exact shape.

Credit cards use a loader script plus a <moneylion-credit-cards> custom element. The custom element carries data-prefill-token and renders where you place it on the page.

<script
  type="application/javascript"
  async
  src="https://www.moneylion.com/network/<your-marketplace>/credit-cards/web-component/credit-cards/index.js"
></script>
<moneylion-credit-cards
  data-prefill-token="e9c6b1a2-4f8d-4d2c-b9e6-91f2a6d8b0a4"
></moneylion-credit-cards>

This differs from the lending embed, which is a single auto-mounting script tag with no custom element. Always use the embedSnippet returned in your response.

The Consumer Experience

After the experience redeems the prefillToken, it patches the lead with the PII you sent and collects only what's missing:

If everything is missing, the consumer fills out all required fields.
If some data is missing, the consumer is prompted only for the missing required fields.
If nothing is missing, the consumer skips straight to a review screen for consent.

Review Screen

For compliance and security, the consumer is always shown a review screen before submission. It is fully editable, so they can correct anything that was prefilled.

Masking: sensitive fields like SSN are masked (e.g. ***-**-6789).
Confirmation: the consumer must explicitly confirm the prefilled information.

Fallback Behavior

If a token is invalid, expired, or fails to redeem, the consumer is not shown an error. The flow gracefully falls back to the standard manual application — they enter their information as if no data prefill had occurred.

Reporting

Please note: actual prefillToken values are temporary and cannot be reported on. They are not stored permanently within Engine's platform.

You can include Client Tags exactly as you would for a standard embedded experience; see Engine's Client Tags & Reporting documentation:

Partner Page Linkout: Client Tags & Prefilling Customer Data
Embedded Marketplace: Client Tags & Prefilling Customer Data

Best Practices

These practices keep consumer PII secure and prevent the most common integration mistakes. They apply to every Prefill API call, regardless of product.

Request Timing

Generate a token immediately before the consumer enters the Engine experience. It's only bvalid for 3 minutes and up to 3 uses.

Never Place PII in the Browser

You must never pass PII in query parameters or embed codes on the client side.

Don't append query-string parameters such as &firstName=Jane to URLs.
Don't print user data into the HTML source.
Always use the server-side API to exchange data for a prefillToken.

Omit Missing Data from Requests

Any field you omit won't be prefilled. If you omit a field that shares a screen with other fields, none of the fields on that screen are prefilled — they're all collected from the consumer instead.

For example, if you omit zipcode, the consumer is prompted for the full address in-flow, rather than being asked only for a ZIP code. This is a deliberate product decision to avoid confusing, partially-filled screens.

FAQ & Troubleshooting

For credentials, enabling experiences, or integration support, contact your Engine account team.

What happens if the token expires before the consumer loads the page?

The consumer lands on the standard application and enters their information manually. The experience doesn't break — it reverts to a non-prefilled state.

Can I update the data after generating a token?

No. If the consumer's data changes, call the endpoint again to generate a new token.

Why did I get a 400 Bad Request?

Make sure your JSON payload is well-formed and that productTypes is present and set to a valid value (loan or credit_card). If it still fails, confirm with your Engine team that you're using the correct bearer token for the product.

PreviousLoans Marketplaces NextPersonal Loans

Last updated 3 hours ago

Was this helpful?