diff --git a/authserver/README.md b/authserver/README.md
index 96ba8e6..93e18d9 100644
--- a/authserver/README.md
+++ b/authserver/README.md
@@ -202,7 +202,7 @@ Here you can authorize users on tools or make them another lockout admin.
 
 #### PUT `/update-cards/`
 
-Send a dictionary of username=card_number pairs to update any profiles already in the system. Users not already registered will be ignored.
+Send a dictionary of username=card_number,card_number,card_number pairs to update any profiles already in the system. Users not already registered will be ignored.
 
 Responds with the number of profiles updated.
 
@@ -212,7 +212,7 @@ Example PUT data:
 
 ```
 {
-    "tanner.collin": "00000A4123",
+    "tanner.collin": "00000A4123,00000A4124,00000A4125",
     "matthew.mulrooney": "00000B8567",
     "not-a-member": "539830843A"
 }
@@ -227,5 +227,5 @@ Example response:
 Example request:
 
 ```
-curl -X PUT -H "Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b" -d tanner.collin=00000A4123 -d matthew.mulrooney=00000B8567 http://tools-auth.protospace.ca/update-cards/
+curl -X PUT -H "Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b" -d tanner.collin=00000A4123,00000A4124 -d matthew.mulrooney=00000B8567 http://tools-auth.protospace.ca/update-cards/
 ```
diff --git a/authserver/authserver/api/models.py b/authserver/authserver/api/models.py
index b6ca4ab..bb46088 100644
--- a/authserver/authserver/api/models.py
+++ b/authserver/authserver/api/models.py
@@ -32,7 +32,7 @@ class Profile(models.Model):
 
 class Card(models.Model):
     profile = models.OneToOneField(Profile, on_delete=models.CASCADE, editable=False)
-    number = models.CharField(max_length=10)
+    number = models.CharField(max_length=512) # TODO: normalize
 
     def __str__(self):
         return self.number
diff --git a/authserver/authserver/api/views.py b/authserver/authserver/api/views.py
index eefad76..6907a7c 100644
--- a/authserver/authserver/api/views.py
+++ b/authserver/authserver/api/views.py
@@ -90,15 +90,15 @@ def update_cards(request):
     updated_count = 0
 
     if not data:
-        return Response({'error': 'Please provide card data in the form username=cardnumber'},
+        return Response({'error': 'Please provide card data in the form username=cardnumber,cardnumber,cardnumber'},
                         status=status.HTTP_400_BAD_REQUEST)
 
-    for username, card_number in data.items():
+    for username, card_numbers in data.items():
         try:
             profile = models.Profile.objects.get(user__username=username)
             card, _ = models.Card.objects.update_or_create(
                     profile=profile,
-                    defaults={'number': card_number}
+                    defaults={'number': card_numbers}
                 )
             if card: updated_count += 1
         except: