API Keys
How Cresora API keys work, what the key prefixes mean, and how to rotate them safely.
Every API request to Cresora must be authenticated with a Bearer token. Your API key is that token.
Key prefixes
| Prefix | Mode | Description |
|---|---|---|
| csk_test_ | Sandbox | No real money movement. test_mode: true on all responses. |
| csk_live_ | Production | Real transactions. Issued after certification only. |
The prefix is the only difference between test and live mode. Both key types hit the same API host (api.cresoracommerce.com). There is no sandbox URL.
Where to find your keys
Partner Portal → API Settings → Keys
Test keys are displayed once on creation. If you lose yours, rotate it — you cannot retrieve the original.
Key rotation
Rotate a key in the Partner Portal at any time. The old key is invalidated immediately upon rotation. Plan rotations during low-traffic windows, or rotate with zero downtime by following these steps:
- Generate the new key (old key still active)
- Deploy the new key to your secrets manager
- Verify requests are flowing on the new key
- Revoke the old key
Scoping
Keys are scoped to your Partner account. A csk_test_ key can only access merchants under your partner account in the sandbox. A csk_live_ key can only access your live merchants.
Store API keys in a secrets manager (AWS Secrets Manager, HashiCorp Vault, Vercel Environment Variables, etc.). Never commit keys to source control or log them. Treat csk_test_ keys with the same care as production keys — they can create merchants and submit transactions in your sandbox.
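Because the prefix is the only thing separating sandbox from production, and keys must never reach logs, both rules can be enforced in code. The following is an added example, not Cresora's own code: the function and class names are hypothetical, the key-body character set (letters, digits, `_`, `-`) is an assumption since the page documents only the prefixes, and the sample key is constructed.

```python
import logging
import re

# Assumption: the key body after the prefix is letters, digits, "_" or "-".
# The page documents only the csk_test_ / csk_live_ prefixes, not the body format.
KEY_RE = re.compile(r"csk_(test|live)_[A-Za-z0-9_-]+")
MODES = {"test": "sandbox", "live": "production"}


def key_mode(key: str) -> str:
    """Return 'sandbox' or 'production' from the key prefix; reject anything else."""
    m = KEY_RE.fullmatch(key.strip())
    if m is None:
        raise ValueError("not a Cresora API key")
    return MODES[m.group(1)]


def require_mode(key: str, expected: str) -> str:
    """Fail closed at startup if the configured key is for the wrong mode.

    Both modes share one API host, so the prefix is the only signal available.
    The error message deliberately omits the key itself.
    """
    actual = key_mode(key)
    if actual != expected:
        raise RuntimeError(f"{actual} key configured where {expected} is expected")
    return key.strip()


def redact(text: str) -> str:
    """Replace any key found in text with its prefix plus a fixed mask."""
    return KEY_RE.sub(lambda m: f"csk_{m.group(1)}_[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Logging filter that masks keys in the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


if __name__ == "__main__":
    sample = "csk_test_EXAMPLEONLY123"  # constructed sample, not a real key
    print(key_mode(sample), redact(f"Authorization: Bearer {sample}"))
```

Attach `RedactKeys()` to each log handler with `handler.addFilter(...)`, and call `require_mode` once when the service loads its key from the secrets manager.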
Capabilities
Your key's enabled feature flags control which preview endpoints you can call. Check your capabilities:
GET https://api.cresoracommerce.com/v1/capabilities
Authorization: Bearer csk_test_xxxxxxxxxxxx

The response lists the feature flags enabled for your key. Preview endpoints that require a flag you don't have will return 403 feature_not_enabled.