# Release Notes July 2026
source: https://developer.mastercard.com/mdes-customer-service/documentation/release-history/release-notes-july2026/index.md

## Release Change Summary {#release-change-summary}

MDES Customer Service will introduce four new endpoints to implement token-level spending rules.
In addition, a new token search functionality will be introduced to return token capabilities enabled for a device token.

##### New APIs {#new-apis}

* [Search Token Spend Control](https://developer.mastercard.com/mdes-customer-service/documentation/release-history/release-notes-july2026/index.md#search-token-spend-control)
* [Create Token Spend Control](https://developer.mastercard.com/mdes-customer-service/documentation/release-history/release-notes-july2026/index.md#create-token-spend-control)
* [Update Token Spend Control](https://developer.mastercard.com/mdes-customer-service/documentation/release-history/release-notes-july2026/index.md#update-token-spend-control)
* [Delete Token Spend Control](https://developer.mastercard.com/mdes-customer-service/documentation/release-history/release-notes-july2026/index.md#delete-token-spend-control)

##### Impacted APIs {#impacted-apis}

* Search

## Release Timeline {#release-timeline}

* MTF - 1 July 2026
* Production - 29 July 2026

### Impacted Market {#impacted-market}

* Functionality Available - Global

## Change 1 - Introduction of Token Spend Controls APIs {#change-1---introduction-of-token-spend-controls-apis}

This new capability allows issuers to define token-level spending rules. These rules may include spending limits and usage restrictions that determine when a token transaction is permitted.
Mastercard evaluates each tokenized transaction against these rules and declines the tokenized transactions if they are over the limit.

**Spend Limit Based Controls**: These controls configure token level spending rules.

* **Daily Spend Limit** -- Set the maximum amount that can be spent using a token within a single day.
* **Weekly Spend Limit** -- Restrict the total spending amount permitted during a calendar week.
* **Monthly Spend Limit** -- Define the maximum spending amount allowed within a calendar month.
* **Transaction Limit** -- Specify the maximum amount allowed for an individual transaction.
* **Single Use Control** -- Configure a token for one-time use with an expiration date. After the first successful non-zero transaction, the token can no longer be used for additional transactions.
* **Absolute Spend Limit** -- Set a cumulative spending cap that the token cannot exceed over its lifetime.

**List Based Controls**: These controls configure transaction restrictions by defining rules based on transaction characteristics to allow lists or block lists to control where and how a token can be used.

* **Acceptor Business Code (MCC)** -- Allow or restrict transactions based on Merchant Category Codes.
* **Merchant ID (MID)** -- Allow or block transactions for specific merchants.
* **Transaction Category Code (TCC)** -- Control transactions based on transaction category classifications.
* **Transaction Type** -- Restrict or permit specific transaction types.
* **Geography** -- Define geographic locations where the token can or cannot be used.

These new APIs provide granular usage control beyond card or account-level settings. List of new APIs and their usage is described below:

### API Details {#api-details}

#### Search Token Spend Control {#search-token-spend-control}

The API searches and retrieves token level spending rules for a token.

Diagram searchtokenspendcontrol


API Reference: `GET /{id}/token/spendcontrols/search`

<br />

#### Create Token Spend Control {#create-token-spend-control}

The API creates token level spending rules after cardholder authentication.

Diagram createtokenspendcontrol


API Reference: `GET /{id}/token/spendcontrols/create`

<br />

#### Update Token Spend Control {#update-token-spend-control}

The API updates token level spending rules based on the issuer's decision after cardholder authentication.

Diagram updatetokenspendcontrol


API Reference: `GET /{id}/token/spendcontrols/update`

<br />

#### Delete Token Spend Control {#delete-token-spend-control}

The API deletes token level spending rules based on the issuer's decision after cardholder authentication.

Diagram deletetokenspendcontrol


API Reference: `GET /{id}/token/spendcontrols/delete`

<br />

### Error Codes {#error-codes}

Three new error codes have been introduced to indicate that token-level spending rules could not be applied as described below:

#### Rule Not Found {#rule-not-found}

```json
{
  "Errors": {
    "Error": [
      {
        "Source": "INPUT",
        "ReasonCode":  "RULE_NOT_FOUND",
        "ErrorCode": "E0010325",
        "Description": "Daily amount limit, Weekly amount limit, Monthly amount limit, Transaction spend limit, Allow list geo, Allow list tcc, Allow list tran type, Block list mid, Allow list mcc not found for this token."
      }
    ]
  }
}
```

#### Token Not Found {#token-not-found}

```json
{
  "Errors": {
    "Error": [
      {
        "Source": "INPUT",
        "ReasonCode": "TOKEN_NOT_FOUND",
        "ErrorCode": "E0010309",
        "Description": "Token not found."
      }
    ]
  }
}
```

#### Rule Already Exists {#rule-already-exists}

```json
{
  "Errors": {
    "Error": [
      {
        "Source": "INPUT",
        "ReasonCode": "RULE_ALREADY_EXISTS",
        "ErrorCode": "E0010321",
        "Description": "Daily amount limit, Weekly Amount Limit, Allow lst tcc, Block lst geo already exist for this token."
      }
    ]
  }
}
```

## Change 2 - Receive additional token information {#change-2---receive-additional-token-information}

A new search parameter will be available to request token capabilities enabled for device tokens. If requested, the search response will provide related information in three new fields to help issuers manage tokens effectively.
This parameter will narrow down the search by a specific token capability, such as Near Field Communication (NFC), Digital Secure Remote Payment (DSRP), and Contactless will be introduced.

**Request parameter**

|                                                                                                                     Field and Description                                                                                                                     | Data Type | Min Length | Max Length | Required |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------|
| `IncludeTokenCapabilities` Indicates if token capabilities should be returned in the Search response. If omitted, then the default false should be assumed. Must be one of: * **true**: Return token capability. * **false**: Do not return token capability. | Boolean   | 4          | 5          | No       |

**Response parameter**

|                                                                                                                                         Field and Description                                                                                                                                          | Data Type | Min Length | Max Length |                                           Required                                           |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------------------------------------------------------------------------------------------|
| `CapabilityName` The capability name available for the token. Valid values: * `contactlessMagstripeEnabled`: Contactless microchip capability for wallet transactions. * `dsrpEnabled`: Dynamic Secure Remote Payment capability. * `nfcEnabled`: Magnetic stripe fallback capability.                 | String    | 9          | 27         | Conditional field. Only present when `IncludeTokenCapabilities` in the request is sent true. |
| `CapabilityDescription` The capability description available for the token.                                                                                                                                                                                                                            | String    | 1          | 99         | Conditional field. Only present when `IncludeTokenCapabilities` in the request is sent true. |
| `CapabilityValue` Indicates whether the capability for the token is supported or not. If omitted, then the default false should be assumed. Must be one of: * **true**: The corresponding capability for a token is supported. * **false**: The corresponding capability for a token is not supported. | Boolean   | 4          | 5          | Conditional field. Only present when `IncludeTokenCapabilities` in the request is sent.      |


API Reference: `GET /{id}/search`

## Impact {#impact}

### Change 1 {#change-1}

Issuers can optionally support the new APIs once they are available in Production. Mastercard recommends testing these APIs in MTF.

### Change 2 {#change-2}

The new search request parameter is optional. However, issuers can leverage this new parameter to manage existing and new tokens effectively. Follow the requirements described in the API specification to implement this functionality.