Security
Transport security, authentication, webhook identity, and rate limiting for Cresora integrations.
This section documents Cresora's security architecture and your obligations as an integrating partner.
Transport security
All Cresora API traffic is TLS 1.2+ only. TLS 1.0 and 1.1 are not supported. Certificate pinning is not required but is supported.
Authentication
All API requests require a Bearer token (csk_test_ or csk_live_ key) in the Authorization header. Keys are scoped to your Partner account.
See API Keys for rotation and scoping details.
Webhook identity
Verify the X-Cresora-Signature HMAC-SHA256 header on every webhook delivery before trusting the payload. See Signature verification →.
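An added example, not Cresora's own code: one way to make this check in Python. It assumes the header carries the hex-encoded HMAC-SHA256 of the exact raw request body, keyed with a shared webhook secret. The encoding, the signed content, the function names and the sample values are assumptions to confirm against Signature verification.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Cresora-Signature"  # header name taken from this page

# Constructed sample values, for illustration only.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"event":"order.created","id":"evt_123"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed signing scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only when the signature header matches the raw body.

    raw_body must be the bytes exactly as received. Verifying a parsed and
    re-serialised payload changes whitespace or key order and breaks the MAC.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # missing or empty signature: reject the delivery

    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so a mismatch does not leak how
    # many leading characters were correct. Comparing bytes also avoids the
    # TypeError that non-ASCII str input would raise.
    return hmac.compare_digest(
        expected.encode("ascii"),
        received.strip().lower().encode("utf-8"),
    )


if __name__ == "__main__":
    good = {SIGNATURE_HEADER: sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print("valid delivery:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, good))
    print("tampered body: ", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY + b" ", good))
    print("no header:     ", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}))
```

Run the check before any JSON parsing or business logic, and reject the delivery when it returns False.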
Rate limiting
The API rate limit is 1,000 requests per minute per Partner key. On limit breach, Cresora returns 429 Too Many Requests with a Retry-After header.
Vulnerability disclosure
Report security issues to: security@cresoracommerce.com
See Vulnerability disclosure → for the full responsible disclosure policy.