Core Concepts
Authentication Model
How Cresora authenticates API requests using Bearer tokens and the three-tier hierarchy.
Cresora uses Bearer token authentication. Every API request must include your API key in the Authorization header.
Request format
```
Authorization: Bearer csk_test_xxxxxxxxxxxx
```
No other authentication schemes (OAuth, cookies, API key query params) are supported.
Three-tier hierarchy
Cresora's access model follows three tiers:
```
Platform (Cresora Commerce)
└── Partner (your ISV account)
    └── Merchant (sub-merchants you onboard)
```
Your API key is scoped to the Partner tier. When you create a payment, you specify which merchant the payment belongs to via `merchant_id`. You can only interact with merchants under your own partner account.
What a request looks like end-to-end
```
curl -X POST https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale \
  -H "Authorization: Bearer csk_test_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: idem_$(uuidgen)" \
  -d '{
    "amount": "50.00",
    "currency": "USD",
    "payment_method": "card",
    "merchant_id": "mrch_xxxxxxxxxx"
  }'
```
- The `Authorization` header identifies your Partner account
- The `merchant_id` scopes the payment to one of your merchants
- The key prefix (`csk_test_`) selects the environment
Error responses
| HTTP | Code | Meaning |
|---|---|---|
| 401 | invalid_api_key | Key missing, malformed, expired, or rotated |
| 403 | forbidden | Key is valid but doesn't have access to this merchant or feature |
| 403 | feature_not_enabled | Endpoint requires a feature flag not on your key |
Note
401 means the key itself was rejected. 403 means the key is valid but you don't have permission for the specific resource or feature. These are distinct — handle them differently in your error logic.
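One way to act on the 401/403 distinction in client code, as an added example that is not part of Cresora's documentation or SDK. The names `AuthGate`, `record`, `may_send`, `key_reloaded` and `redact` are hypothetical, and the example assumes your HTTP layer has already extracted the status and error code from the response, since the response body format is not shown on this page.

```python
# Added example; all names here are hypothetical, not Cresora's API.
from dataclasses import dataclass, field


@dataclass
class AuthGate:
    """Keeps 401 and 403 outcomes separate so each limits only what it should."""
    key_rejected: bool = False                             # 401 invalid_api_key
    blocked_pairs: set = field(default_factory=set)        # 403 forbidden
    disabled_endpoints: set = field(default_factory=set)   # 403 feature_not_enabled

    def record(self, status: int, code: str, merchant_id: str, endpoint: str) -> str:
        """Update state from one response and return the action taken."""
        if status == 401 and code == "invalid_api_key":
            # The key itself was rejected: no request using it can succeed,
            # so stop sending until a fresh key is loaded.
            self.key_rejected = True
            return "stop_all_and_reload_key"
        if status == 403 and code == "forbidden":
            # Key is valid; this merchant/endpoint combination is off limits.
            self.blocked_pairs.add((merchant_id, endpoint))
            return "block_pair"
        if status == 403 and code == "feature_not_enabled":
            # Key is valid; the endpoint needs a feature flag the key lacks.
            self.disabled_endpoints.add(endpoint)
            return "disable_endpoint"
        return "not_an_auth_error"

    def may_send(self, merchant_id: str, endpoint: str) -> bool:
        """Check before each request whether an earlier failure rules it out."""
        if self.key_rejected or endpoint in self.disabled_endpoints:
            return False
        return (merchant_id, endpoint) not in self.blocked_pairs

    def key_reloaded(self) -> None:
        """Call after loading a new key; 403 state is kept because it is not a key problem."""
        self.key_rejected = False


def redact(api_key: str) -> str:
    """Log-safe form of a key: keep the environment prefix, hide the secret part."""
    parts = api_key.split("_", 2)
    return f"{parts[0]}_{parts[1]}_****" if len(parts) == 3 else "****"
```
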