# Create a stored credential profile Creates a stored credential profile within a payment method. The stored credential profile represents a consent agreement that you have established with a customer. When you use the payment method in a transaction, Zuora may include information from the stored credential profile to inform the payment processor that the transaction is related to your pre-existing consent agreement with the customer. Endpoint: POST /v1/payment-methods/{payment-method-id}/profiles Version: 2026-02-20 Security: bearerAuth ## Header parameters: - `Idempotency-Key` (string) Specify a unique idempotency key if you want to perform an idempotent POST or PATCH request. Do not use this header in other request types. With this header specified, the Zuora server can identify subsequent retries of the same request using this value, which prevents the same operation from being performed multiple times by accident. - `Accept-Encoding` (string) Include the Accept-Encoding: gzip header to compress responses as a gzipped file. It can significantly reduce the bandwidth required for a response. If specified, Zuora automatically compresses responses that contain over 1000 bytes of data, and the response contains a Content-Encoding header with the compression algorithm so that your client can decompress it. - `Content-Encoding` (string) Include the Content-Encoding: gzip header to compress a request. With this header specified, you should upload a gzipped file for the request payload instead of sending the JSON payload. - `Zuora-Track-Id` (string) A custom identifier for tracing the API call. If you set a value for this header, Zuora returns the same value in the response headers. This header enables you to associate your system process identifiers with Zuora API calls, to assist with troubleshooting in the event of an issue. The value of this field must use the US-ASCII character set and must not include any of the following characters: colon (:), semicolon (;), double quote ("), and quote ('). - `Zuora-Entity-Ids` (string) An entity ID. If you have Zuora Multi-entity enabled and the OAuth token is valid for more than one entity, you must use this header to specify which entity to perform the operation in. If the OAuth token is only valid for a single entity, or you do not have Zuora Multi-entity enabled, you should not set this header. - `Zuora-Org-Ids` (string) Comma separated IDs. If you have Zuora Multi-Org enabled, you can use this header to specify which orgs to perform the operation in. If you do not have Zuora Multi-Org enabled, you should not set this header. The IDs must be a sub-set of the user's accessible orgs. If you specify an org that the user does not have access to, the operation fails. This header is important in Multi-Org (MO) setups because it defines the organization context under which the API should operate—mainly used for read access or data visibility filtering. If the header is not set, the operation is performed in scope of the user's accessible orgs. - `Zuora-Version` (string) The minor API version. For a list of available minor versions, see API upgrades. ## Path parameters: - `payment-method-id` (string, required) ID of a payment method. ## Request fields (application/json): - `action` (string) Specifies how Zuora activates the stored credential profile. Only applicable if you set the status field to Active. - Activate (default) - Use this value if you are creating the stored credential profile after receiving the customer's consent. Zuora will create the stored credential profile then send a cardholder-initiated transaction (CIT) to the payment gateway to validate the stored credential profile. If the CIT succeeds, the status of the stored credential profile will be Active. If the CIT does not succeed, Zuora will not create a stored credential profile. If the payment gateway does not support the stored credential transaction framework, the status of the stored credential profile will be Agreed. - Persist - Use this value if the stored credential profile represents a stored credential profile in an external system. The status of the payment method's stored credential profile will be Active. Enum: "Activate", "Persist" - `agreedOn` (string) The date on which the profile is agreed. The date format is yyyy-mm-dd. - `authGateway` (string) Specifies the ID of the payment gateway that Zuora will use when activating the stored credential profile. Example: "4028905f5702783601570291e14c0015" - `cardSecurityCode` (string) The security code of the credit card. - `consentAgreementRef` (string) Specifies your reference for the consent agreement that you have established with the customer. Example: "ACCT1338AgreementV1.pdf" - `consentAgreementSrc` (string, required) Specifies how the consent agreement has been established with the customer. The allowed value is External. Enum: "External" - `networkTransactionId` (string) The ID of a network transaction. Only applicable if you set the action field to Persist. - `status` (string, required) Specifies the status of the stored credential profile. - Active - Use this value if you are creating the stored credential profile after receiving the customer's consent, or if the stored credential profile represents a stored credential profile in an external system. You can use the action field to specify how Zuora activates the stored credential profile. - Agreed - Use this value if you are migrating the payment method to the stored credential transaction framework. In this case, Zuora will not send a cardholder-initiated transaction (CIT) to the payment gateway to validate the stored credential profile. Enum: "Agreed", "Active" - `type` (string, required) Indicates the type of the stored credential profile to process recurring or unsecheduled transactions. Enum: "Recurring", "Unscheduled" ## Response 200 fields (application/json): - `number` (integer) The number that identifies the stored credential profile within the payment method. - `paymentMethodId` (string) ID of the payment method. - `success` (boolean) ## Response 500 fields (application/json): - `reasons` (array) Example: [{"code":"ObjectNotFound","message":"Notification definition with id 6e569e1e05f040eda51a927b140c0ac1 does not exist"}] - `reasons.code` (string) The error code of response. - `reasons.message` (string) The detail information of the error response ## Response 4XX fields (application/json): - `processId` (string) The ID of the process that handles the operation. - `reasons` (array) The container of the error code and message. This field is available only if the success field is false. - `reasons.code` (string) The error code of response. - `reasons.message` (string) The detail information of the error response - `requestId` (string) Unique identifier of the request. - `success` (boolean) Indicates whether the call succeeded.