Skip to main content

Set up Spend Controls

Spend Controls let you define policy-based rules that Open Fabric evaluates during authorization.

You can:

  • set a default policy that applies broadly across all your customer accounts;
  • assign a policy to a specific account;
  • scope a policy to specific tokens (or token types) under an account.

When a transaction is authorized, Open Fabric evaluates all applicable rules before the final authorization decision.

What Spend Controls can enforce

Spend Controls support:

  • per-transaction amount limits;
  • velocity limits (count and amount, daily/weekly/monthly);
  • currency controls;
  • country controls;
  • merchant controls (MCC, MID);
  • time-window controls (allow/block during specific periods).

Policy scope model

Policies are stored as rulesets and attached by scope:

  • default ruleset: applies to all customer accounts.
  • account scope: applies to all tokens under one or more accounts;
  • token scope with provision_types: applies to all tokens of a specific type (for example, virtual cards) under one or more accounts;
  • token scope with provision_ids: applies only to specific tokens;

If an account has explicit ruleset assignments, those assignments are evaluated. The default ruleset will only be applied if no account assignment exists.

Setup flow

Use this flow to implement Spend Controls:

  1. Create a ruleset with one or more rules.
  2. (Optional) Set a ruleset as the default ruleset.
  3. Assign rulesets to specific accounts and scopes.
  4. Iterate on limits/rules using ruleset updates.

Example

You might choose to create a default policy where each customer account is limited to $5,000 per day, while allowing premium customers to spend up to $10,000 per day. To set this up:

  • Create a ruleset with account_billing_amount_limit set to $5,000 per day and set is_default: true.
  • Create a second ruleset with account_billing_amount_limit set to $10,000 per day and set is_default: false.
  • When a customer is upgraded to your premium service, assign the second ruleset to their account so only the premium limits apply.

Next steps