Quickstart
Make your first test payment in under 30 minutes using your csk_test_ API key.
This guide walks you from a fresh Partner account to a verified sandbox payment in under 30 minutes. No support call required.
Before you begin: you need a Partner account and a csk_test_ API key. Request access via the Partner Portal →
Step 1 — Retrieve your test credentials
Sign in to the Partner Portal and navigate to API Settings → Keys. Copy the test secret key — it will be displayed once. For automated rotation, see Retrieve credentials.
Your key prefix selects the mode. csk_test_ → sandbox (no real money); test keys must be used with the sandbox host. csk_live_ → production (issued after certification). Use sandbox (sandbox-api.cresoracommerce.com/api/v1) for testing and certification; production (api.cresoracommerce.com/api/v1) for live traffic.
Step 2 — Make your first API call
The Payments API is a single POST endpoint. Pass an amount as a decimal string (e.g., "100.00"), currency, payment method, and your merchant ID.
curl -X POST https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale \
-H "Authorization: Bearer csk_test_xxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: idem_$(uuidgen)" \
-d '{
"amount": "50.00",
"currency": "USD",
"payment_method": "card",
"merchant_id": "mrch_xxxxxxxxxx",
"capture_method": "automatic"
}'import requests, uuid
requests.post(
"https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale",
headers={
"Authorization": "Bearer csk_test_xxxxxxxxxxxx",
"Idempotency-Key": f"idem_{uuid.uuid4()}",
},
json={
"amount": "50.00",
"currency": "USD",
"payment_method": "card",
"merchant_id": "mrch_xxxxxxxxxx",
"capture_method": "automatic",
},
)const res = await fetch("https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale", {
method: "POST",
headers: {
"Authorization": "Bearer csk_test_xxxxxxxxxxxx",
"Content-Type": "application/json",
"Idempotency-Key": "idem_" + crypto.randomUUID(),
},
body: JSON.stringify({
amount: "50.00",
currency: "USD",
payment_method: "card",
merchant_id: "mrch_xxxxxxxxxx",
capture_method: "automatic",
}),
});Step 3 — Handle the response
A successful payment returns 200 OK with a status of captured (for automatic capture) or authorized (for manual capture):
{
"id": "pay_xxxxxxxxxxxxxxxxxx",
"status": "captured",
"amount": "50.00",
"currency": "USD",
"merchant_id": "mrch_xxxxxxxxxx",
"created_at": "2026-05-18T10:00:00Z",
"test_mode": true
}test_mode: true is always present on sandbox responses. It is never present in production.
This endpoint must only be called server-to-server. Never pass raw card data through your server — use the HPP integration or direct tokenization to reduce PCI scope to SAQ A.
Step 4 — Set up your webhook receiver
Build your webhook receiver before going live. Webhook events are the authoritative source for payment lifecycle state — don't poll the API for status.
Register your endpoint URL in the Partner Portal, then verify the HMAC-SHA256 signature on each delivery. See the Webhooks guide for the full setup.
Common errors
| Code | Meaning | Fix |
|---|---|---|
invalid_api_key | Invalid or expired API key | Check key prefix and rotation status in Partner Portal |
merchant_not_found | merchant_id not under your partner account | Verify MID in Partner Portal |
idempotency_key_conflict | Same idempotency key reused with different params | Generate a new unique key per request |
Next steps
- HPP Integration — hosted payment page with white-label branding
- Webhooks — event catalog and signature verification
- Certification overview — path from sandbox to production go-live
- Testing & Sandbox — test PANs, ACH returns, 3DS2 simulation