BIN Lookup.
Card-issuer metadata for any 6-to-8-digit BIN prefix. Scheme, card type, issuing bank, country, geo. $0.002 per call. No signup, no key.
- Endpoint: GET https://apitoll.io/v1/bin/:bin
- Price: 0.002 USDC per successful call
- Network: base-sepolia (mainnet cutover imminent)
- Asset: USDC (6 decimals)
- Records: 343,063
- Auth: None. x402 payment is the auth.
What you get
A JSON response keyed to the longest matching BIN prefix in our index.
{
  "status": "success",
  "bin": "431940",
  "matched_bin": "431940",
  "data": {
    "scheme": "VISA",
    "type": "debit",
    "category": null,
    "issuer": {
      "name": "Bank of Ireland",
      "country": "IE",
      "country_name": "Ireland",
      "url": "www.bankofireland.com",
      "phone": "+353 1 661 5933"
    },
    "location": { "latitude": 53.4129, "longitude": -8.24389 }
  },
  "meta": {
    "source": "iannuttall/binlist-data",
    "source_license": "CC-BY-4.0",
    "database_records": 343063,
    "last_updated": "2026-04-14T18:58:04Z"
  }
}
Use cases
What you do with this.
- Payment routing. Route US-issued cards to your US acquirer and EEA-issued to your EU PSP. Save 30 to 80bps per transaction on interchange.
- Fraud triage. Flag issuer-country versus shipping-country mismatch. Detect test BINs. Surface impossible issuer combinations during checkout.
- Surcharge and policy rules. Identify debit versus credit, corporate versus consumer, prepaid flags. Drive your pricing and acceptance rules without asking the customer.
- Analytics and reporting. Roll up revenue by issuer country or card type without touching the PAN. Completely out of PCI scope.
Boundary
PCI-safe by design.
We accept 6 to 8 digits only. Any input longer than 8 digits is rejected with HTTP 400 before it touches our handler, let alone our logs. Full card numbers are structurally impossible to send here. This keeps the API out of PCI DSS scope and keeps your systems out of scope for using it.
$ curl -i https://apitoll.io/v1/bin/4111111111111111
HTTP/1.1 400 Bad Request
{"status":"error","error":"BIN must be 6-8 numeric digits"}
Honest framing
What it is not.
This is not a compliance-grade BIN table like Mastercard MATCH or Visa VPA. Data is redistributed from the iannuttall/binlist-data public dataset under CC-BY-4.0.
Good for:
- Routing decisions where "usually right, occasionally wrong" is acceptable
- Fraud scoring signals as one input among many
- Analytics where rough categorization is the goal
Not good for:
- Regulatory compliance decisions that require bank-of-record accuracy
- Hard card acceptance rejections where a misclassification harms a real customer
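An added example (not apitoll.io's code) of the client side of the fraud-triage use case and the 6-to-8-digit boundary: it cuts card input down to a BIN before any request is built, then turns a lookup response into advisory signals rather than a hard decline. The function names, the signal labels and the reading of `bin` as the echoed request prefix are assumptions; the field names come from the sample response above.

```javascript
// Added example, not apitoll.io code. Function names and signal labels are
// assumptions; response fields follow the sample response on this page.

// Reduce card input to a BIN prefix so a full PAN never reaches a URL or log.
function toBin(cardInput, length = 8) {
  if (!Number.isInteger(length) || length < 6 || length > 8) {
    throw new RangeError("BIN length must be 6-8");
  }
  const digits = String(cardInput).replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits) || digits.length < length) {
    throw new TypeError("card input must be digits, at least BIN length");
  }
  return digits.slice(0, length);
}

// Turn a lookup response into advisory signals. Nothing here declines a card:
// the data is "usually right, occasionally wrong", so signals feed a score.
function triageSignals(resp, shippingCountry) {
  if (!resp || resp.status !== "success" || !resp.data) {
    return ["bin_unknown"]; // no usable record: a weak signal, not a decline
  }
  const signals = [];
  const issuerCountry = resp.data.issuer && resp.data.issuer.country;
  if (!issuerCountry) {
    signals.push("issuer_country_missing");
  } else if (issuerCountry !== String(shippingCountry).toUpperCase()) {
    signals.push("country_mismatch");
  }
  // Assumption: `bin` echoes the prefix sent. Longest-prefix matching can
  // answer from a shorter prefix, so the record may cover a broader range.
  if (resp.matched_bin && resp.bin && resp.matched_bin.length < resp.bin.length) {
    signals.push("partial_prefix_match");
  }
  return signals;
}

// Constructed sample (not real API output), shaped like the response above.
const sample = {
  status: "success", bin: "43194012", matched_bin: "431940",
  data: { scheme: "VISA", type: "debit", issuer: { country: "IE" } },
};
console.log(toBin("4111 1111 1111 1111"), triageSignals(sample, "US"));
```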
Try it
Right now.
One line to see the 402 challenge (no wallet needed):
curl -i https://apitoll.io/v1/bin/431940
A paid call in Node (see the agent primer for the full setup, about 8 lines total):
import { wrapAxiosWithPayment, x402Client, x402HTTPClient } from "@x402/axios";
// `api` is the payment-enabled axios client; its full setup is at /agents/
const r = await api.get("https://apitoll.io/v1/bin/431940");
Discovery
- Tool manifest: /.well-known/mcp.json
- Agent card: /.well-known/agent.json
- LLM-readable index: /llms.txt
Pricing rationale
We chose $0.002 per call because it is low enough that an agent will not hesitate at the budget (a thousand BIN lookups is $2) and high enough to pay for the infrastructure and the refresh work against upstream data. Comparable human-facing services either require monthly plans starting at $20 or throttle to a few calls per hour on a free tier. We do neither.