> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lite.sa/llms.txt
> Use this file to discover all available pages before exploring further.

# Perform action on instrument(s)

> Performs actions like block, activate, delete, or expire on specific
instruments or on all instruments for a holder.



## OpenAPI

````yaml /openapi/payment-instruments.json put /instruments/action
openapi: 3.1.0
info:
  title: lite - Payment Instruments
  version: 1.0.0
servers:
  - url: https://api.lite.sa/v1
    description: Production
  - url: https://sandbox.lite.sa/v1
    description: Sandbox
  - url: https://dev.lite.sa/v1
    description: Development
security:
  - ApiKeyAuth: []
  - BearerAuth: []
tags:
  - name: Payment Instruments
    description: Create, manage, and perform actions on payment instruments
paths:
  /instruments/action:
    put:
      tags:
        - Payment Instruments
      summary: Perform action on instrument(s)
      description: |-
        Performs actions like block, activate, delete, or expire on specific
        instruments or on all instruments for a holder.
      operationId: lite.instruments.instrumentAction
      parameters:
        - $ref: '#/components/parameters/x-correlation-id'
        - $ref: '#/components/parameters/x-idempotency-key'
      requestBody:
        $ref: '#/components/requestBodies/InstrumentAction'
      responses:
        '200':
          $ref: '#/components/responses/InstrumentActionResult'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
components:
  parameters:
    x-correlation-id:
      name: x-correlation-id
      in: header
      required: false
      description: >-
        Unique identifier for request tracing. Generated by the client or server
        if not provided.
      schema:
        type: string
        format: uuid
        example: 550e8400-e29b-41d4-a716-446655440000
    x-idempotency-key:
      name: x-idempotency-key
      in: header
      required: false
      description: >-
        Unique key for idempotent request processing. Duplicate requests with
        the same key are safely ignored.
      schema:
        type: string
        format: uuid
        example: baf6a8e2-0c89-46ef-9ca5-faa65b99bcd5
  requestBodies:
    InstrumentAction:
      description: Instrument action data
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/InstrumentActionRequest'
  responses:
    InstrumentActionResult:
      description: Instrument action completed successfully.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/InstrumentActionResponse'
    BadRequest:
      description: >
        The request was invalid or malformed.


        Returned when:

        - Request validation fails (missing required fields, invalid field
        formats)

        - Payment details do not match the session (amount, currency, order
        reference mismatch)

        - The operation is not allowed given the current resource state
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: |
        Authentication failed — missing or invalid token.

        Returned when:
        - The JWT bearer token is missing, expired, or has an invalid signature
        - The API key is missing or invalid
        - The authenticated session token is invalid
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Forbidden:
      description: >
        Request blocked by security policy.


        Returned when:

        - A security threat is detected (SQL injection, XSS, NoSQL injection,
        LDAP injection, path traversal)

        - Header injection or suspicious headers are detected

        - The request payload exceeds the maximum allowed size

        - Geo-region validation fails (user country does not match client
        region)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: |
        The requested resource was not found.

        Returned when:
        - The specified resource ID does not exist
        - The path does not match any known endpoint
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError:
      description: >
        An unexpected error occurred on the server.


        Returned when an unhandled exception or infrastructure failure prevents
        the request from being processed. Retry the request with exponential
        backoff.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    InstrumentActionRequest:
      oneOf:
        - title: By Instrument ID
          type: object
          description: Perform action on a specific instrument
          required:
            - action_type
            - instrument_id
          properties:
            action_type:
              type: string
              description: Action type to perform
              example: BLOCK
              oneOf:
                - title: Block
                  const: BLOCK
                  description: Block the instrument from use
                - title: Activate
                  const: ACTIVATE
                  description: Activate a previously created instrument
                - title: Delete
                  const: DELETE
                  description: Permanently delete the instrument
                - title: Expire
                  const: EXPIRE
                  description: Mark the instrument as expired
            instrument_id:
              type: string
              format: uuid
              description: Specific instrument ID to perform the action on
              example: 550e8400-e29b-41d4-a716-446655440000
        - title: By Holder
          type: object
          description: Perform action on all instruments for a holder
          required:
            - action_type
            - holder_id
            - holder_type
          properties:
            action_type:
              type: string
              description: Action type to perform
              example: BLOCK
              oneOf:
                - title: Block
                  const: BLOCK
                  description: Block the instrument from use
                - title: Activate
                  const: ACTIVATE
                  description: Activate a previously created instrument
                - title: Delete
                  const: DELETE
                  description: Permanently delete the instrument
                - title: Expire
                  const: EXPIRE
                  description: Mark the instrument as expired
            holder_id:
              type: string
              description: Holder ID to perform the action on all their instruments
              example: holder_123456789
            holder_type:
              type: string
              description: Holder type when performing action by holder
              example: CUSTOMER
              oneOf:
                - title: Customer
                  const: CUSTOMER
                  description: End customer
                - title: Beneficiary
                  const: BENEFICIARY
                  description: Payout beneficiary
    InstrumentActionResponse:
      type: object
      description: Instrument action result
      required:
        - success
        - message
      properties:
        success:
          type: boolean
          description: Whether the action was executed successfully
          example: true
        message:
          type: string
          description: Human-readable result message
          example: Action executed successfully
    ErrorResponse:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
            - timestamp
          properties:
            code:
              type: string
              description: Error code identifying the type of error
              example: PAYMENT_DETAILS_MISMATCH
            message:
              type: string
              description: Human-readable error description
              example: The request was invalid or malformed
            details:
              type: object
              description: Additional error details
            correlationId:
              type: string
              format: uuid
              description: Correlation ID for tracking the request
              example: 550e8400-e29b-41d4-a716-446655440000
            timestamp:
              type: string
              format: date-time
              description: Timestamp when the error occurred
              example: '2024-12-16T10:30:00.000Z'
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key
      description: API key for service-to-service or merchant authentication.
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        JWT Bearer token obtained from user authentication. Passed as
        Authorization: Bearer <token>.

````