> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lite.sa/llms.txt
> Use this file to discover all available pages before exploring further.

# Lookup instruments

> Retrieves instruments for a merchant, optionally filtered by holder ID.
Returns a list of matching instruments with their current status.



## OpenAPI

````yaml /openapi/payment-instruments.json get /instruments
openapi: 3.1.0
info:
  title: lite - Payment Instruments
  version: 1.0.0
servers:
  - url: https://api.lite.sa/v1
    description: Production
  - url: https://sandbox.lite.sa/v1
    description: Sandbox
  - url: https://dev.lite.sa/v1
    description: Development
security:
  - ApiKeyAuth: []
  - BearerAuth: []
tags:
  - name: Payment Instruments
    description: Create, manage, and perform actions on payment instruments
paths:
  /instruments:
    get:
      tags:
        - Payment Instruments
      summary: Lookup instruments
      description: |-
        Retrieves instruments for a merchant, optionally filtered by holder ID.
        Returns a list of matching instruments with their current status.
      operationId: lite.instruments.lookupInstruments
      parameters:
        - $ref: '#/components/parameters/x-correlation-id'
        - name: holder_id
          in: query
          required: false
          schema:
            type: string
          description: Optional holder ID to filter by specific holder
      responses:
        '200':
          $ref: '#/components/responses/InstrumentList'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
components:
  parameters:
    x-correlation-id:
      name: x-correlation-id
      in: header
      required: false
      description: >-
        Unique identifier for request tracing. Generated by the client or server
        if not provided.
      schema:
        type: string
        format: uuid
        example: 550e8400-e29b-41d4-a716-446655440000
  responses:
    InstrumentList:
      description: Instruments retrieved successfully.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/InstrumentListResponse'
    BadRequest:
      description: >
        The request was invalid or malformed.


        Returned when:

        - Request validation fails (missing required fields, invalid field
        formats)

        - Payment details do not match the session (amount, currency, order
        reference mismatch)

        - The operation is not allowed given the current resource state
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: |
        Authentication failed — missing or invalid token.

        Returned when:
        - The JWT bearer token is missing, expired, or has an invalid signature
        - The API key is missing or invalid
        - The authenticated session token is invalid
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: >
        Request blocked by security policy.


        Returned when:

        - A security threat is detected (SQL injection, XSS, NoSQL injection,
        LDAP injection, path traversal)

        - Header injection or suspicious headers are detected

        - The request payload exceeds the maximum allowed size

        - Geo-region validation fails (user country does not match client
        region)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: >
        An unexpected error occurred on the server.


        Returned when an unhandled exception or infrastructure failure prevents
        the request from being processed. Retry the request with exponential
        backoff.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    InstrumentListResponse:
      type: object
      description: List of instruments with total count
      required:
        - instruments
        - total_count
      properties:
        instruments:
          type: array
          description: List of instruments matching the query
          items:
            $ref: '#/components/schemas/InstrumentResponse'
        total_count:
          type: integer
          description: Total count of instruments matching the query
          example: 5
    ErrorResponse:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
            - timestamp
          properties:
            code:
              type: string
              description: Error code identifying the type of error
              example: PAYMENT_DETAILS_MISMATCH
            message:
              type: string
              description: Human-readable error description
              example: The request was invalid or malformed
            details:
              type: object
              description: Additional error details
            correlationId:
              type: string
              format: uuid
              description: Correlation ID for tracking the request
              example: 550e8400-e29b-41d4-a716-446655440000
            timestamp:
              type: string
              format: date-time
              description: Timestamp when the error occurred
              example: '2024-12-16T10:30:00.000Z'
    InstrumentResponse:
      type: object
      description: Full instrument details
      required:
        - id
        - merchant_id
        - holder_id
        - payment_method
        - holder_type
        - status
        - created_at
        - updated_at
      properties:
        id:
          type: string
          format: uuid
          description: Unique instrument identifier
          example: 550e8400-e29b-41d4-a716-446655440000
        merchant_id:
          type: string
          description: Merchant that owns the instrument
          example: merch_123456789
        holder_id:
          type: string
          description: Holder ID associated with the instrument
          example: holder_123456789
        payment_method:
          type: string
          description: Payment method type
          example: card
          oneOf:
            - title: Card
              const: card
              description: Credit or debit card
            - title: Iban
              const: iban
              description: IBAN bank account
            - title: Apple Pay
              const: applePay
              description: Apple Pay digital wallet
            - title: Samsung Pay
              const: samsungPay
              description: Samsung Pay digital wallet
            - title: Google Pay
              const: googlePay
              description: Google Pay digital wallet
        holder_type:
          type: string
          description: Holder type
          example: CUSTOMER
          oneOf:
            - title: Customer
              const: CUSTOMER
              description: End customer
            - title: Beneficiary
              const: BENEFICIARY
              description: Payout beneficiary
        status:
          type: string
          description: Current status of the instrument
          example: ACTIVE
          oneOf:
            - title: Created
              const: CREATED
              description: Instrument has been created but not yet activated
            - title: Active
              const: ACTIVE
              description: Instrument is active and ready for use
            - title: Expired
              const: EXPIRED
              description: Instrument has expired
            - title: Blocked
              const: BLOCKED
              description: Instrument has been blocked
            - title: Deleted
              const: DELETED
              description: Instrument has been deleted
        created_at:
          type: string
          format: date-time
          description: Timestamp when the instrument was created
          example: '2024-01-01T00:00:00.000Z'
        updated_at:
          type: string
          format: date-time
          description: Timestamp of the last update to the instrument
          example: '2024-01-01T00:00:00.000Z'
        display:
          $ref: '#/components/schemas/InstrumentDisplay'
    InstrumentDisplay:
      type: object
      description: Masked display information for card instruments
      properties:
        expiry_year:
          type: string
          description: Card expiry year (YY)
          pattern: ^\d{2}$
          example: '30'
        expiry_month:
          type: string
          description: Card expiry month (MM)
          pattern: ^(0[1-9]|1[0-2])$
          example: '12'
        scheme:
          type: string
          description: Card scheme (e.g. Visa, Mastercard)
          example: Visa
        last_4:
          type: string
          description: Last four digits of the card number
          pattern: ^\d{4}$
          example: '0018'
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key
      description: API key for service-to-service or merchant authentication.
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        JWT Bearer token obtained from user authentication. Passed as
        Authorization: Bearer <token>.

````