# Authorization controls
These controls can allow or restrict authorizations based on the allowed or restricted countries list or merchants list. You can limit spending at a single country or at a group of countries, and you can limit spending by a single user, users with a particular card product, or all users. And the same applies to merchants.
There are two types of authorization controls nCore platform offers.
* Allowed countries authorization controls
* Allowed MCCs authorization controls
### **Allowed countries authorization controls**
The allowed countries authorization controls functionality checks while processing authorizations whether the authorization is coming from a certain country which is allowed (whitelisted) or restricted (blacklisted). If the authorization is coming from a whitelisted country, then this control check is passed and move for the further processing else if the authorization is coming from a blacklisted country then the authorization is rejected and do not move forward for further processing.
It is a non-financial check specific to a country list to allow (whitelist) certain countries or restrict (blacklist) certain countries as per your business needs. The allowed countries' whitelisting or blacklisting should be configured and managed at card product level as well as at an individual card level.
#### **Allowed lists management**
You can create and manage allowed lists by using our APIs. Following are the APIs available at nCore platform for allowed lists management.
* Create a list of allowed countries
* Retrieve all allowed countries lists
* Get allowed countries list by ID
* Update a specific list of allowed countries
**Create a list of allowed countries**
You can create a list of allowed countries by sending a **POST** request to **/allowedcountries** endpoint. An example is given below.
POST /allowedcountries
**`{`**\
**`"id": "d089a80f-e641-4045-8a80-54841e4a7458",`**\
**`"name": "Country list 01",`**\
**`"allow": true,`**\
**`"active": true,`**\
**`"country_codes": [`**\
**`"string"`**\
**`]`**\
**`}`**
{% hint style="info" %}
The parameter “allow” is used to blacklist or whitelist the allowed countries list. If “allow” is ***false*** then the countries list will be considered as a blacklist.
{% endhint %}
\
**Retrieve all lists of allowed countries**
You can retrieve all existing lists of allowed countries by sending a **GET** request to **/allowedcountries** endpoint as given below.
> [**GET /allowedcountries**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/listAllowedCountries)
\
**Get a list of allowed countries by ID**
You can retrieve a specific list of allowed countries by its ID by sending a **GET** request to **/allowedcountries/{id}** endpoint as given below.
> [**GET /allowedcountries/{id}**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/getAllowedCountries)
\
**Update a specific list of allowed countries**
You can update a list of allowed countries by sending a **PUT** request to **/allowedcountries/{id}** endpoint as given below.
> [**PUT /allowedcountries/{id}**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/updateAllowedCountries)
### **Allowed MCCs authorization controls**
The allowed MCCs authorization controls functionality checks whether the authorization is initiated at a certain merchant which is allowed (whitelisted) or restricted (blacklisted). If the authorization is coming from a whitelisted merchant, then this control check is passed and move for the further processing else if the authorization is coming from a blacklisted merchant then the authorization is rejected and do not move forward for further processing.
It is a non-financial check specific to a MCCs list (MCCs - merchant category codes) to allow (whitelist) certain merchants or restrict (blacklist) certain merchants as per your business needs. The list can be either a whitelist or a blacklist and logically cannot be both at the same time. The MCC whitelisting or the blacklisting should be configured on both card product level as well as at an individual card level.
{% hint style="warning" %}
It is allowed up to 1000 MCC codes per list.
{% endhint %}
In the file below you can find the list of supported MCCs:
{% file src="" %}
#### **Allowed lists management**
You can manage allowed lists by using our APIs. Following are the APIs available at nCore platform for allowed lists management.
* Create list of allowed MCCs
* Retrieve all lists of allowed MCCs
* Get a specific list of allowed MCCs by ID
* Update a specific list of allowed MCCs
**Create list of allowed MCCs**
You can create a list of allowed MCCs by sending a **POST** request to **/allowedmccs** endpoint as given below.
> [**POST /allowedmccs**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/createAllowedMccs)
**Retrieve all lists of allowed MCCs**
You can retrieve all existing lists of allowed MCCs by sending a **GET** request to **/allowedmccs** endpoint as given below.
> [**GET /allowedmccs**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/listAllowedMccs)
**Get a specific list of allowed MCCs**
You can retrieve a list of allowed MCCs by its ID by sending a **GET** request to **/allowedmccs/{id}** endpoint as given below.
> [**GET /allowedmccs/{id}**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/getAllowedMccs)
\
**Update a specific list of allowed MCCs**
You can update a list of allowed MCCs by sending a **PUT** request to **/allowedmccs/{id}** endpoint as given below.
> [**PUT /allowedmccs/{id}**](https://nymcard.com/docs/api#tag/Allowed-Lists/operation/updateAllowedMccs)
{% hint style="warning" %}
We have implemented several enhancements for MCC list management. For details refer to this [document](https://docs.nymcard.com/get-started/product-management/authorization-controls/enhancements-for-mcc-list-management).
{% endhint %}
### Merchant lists
We have introduced a merchant list functionality, which gives the ability to allow transactions from specific merchants. This list can be linked to a card product or an individual card and include Merchant IDs with an allow flag set to true or false. If a merchant list is linked to both the card and the card product, the card configuration will take priority.
In scope of this functionality the following APIs are developed:
* [Create allowed merchants list](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Allowed-Lists/operation/createAllowedMerchants)
* [Get list of allowed merchants](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Allowed-Lists/operation/listAllowedMerchants)
* [Update allowed merchants list](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Allowed-Lists/operation/updateAllowedMerchants)
* [Get specific allowed merchants list](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Allowed-Lists/operation/getAllowedMerchants)
* [Get allowed merchants linked to card product](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Card-Products/operation/getCardProductAllowedMerchants)
* [Link allowed merchants to a card product](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Card-Products/operation/linkAllowedMerchantsToCardProduct)
* [Unlink allowed merchants from card product](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Card-Products/operation/unlinkAllowedMerchantsFromCardProduct)
* [Link allowed merchants to card](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Cards/operation/linkAllowedMerchantsToCard)
* [Unlink allowed merchants from card](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Cards/operation/unlinkAllowedMerchantsFromCard)
* [Get allowed merchants linked to card](https://portal.stg.platform.ae-1.nymcard.com/default/documentation/02_api_specs#tag/Cards/operation/getCardAllowedMerchants)