Rate Limiting & Abuse Protection
How Cresora protects the API from abuse and what happens when limits are exceeded.
Cresora enforces rate limits and abuse protection at multiple layers to ensure platform stability and protect all partners.
API rate limits
See Rate Limiting for per-key limits and how to handle 429 responses.
Abuse protection
Beyond rate limits, Cresora implements:
Velocity checks
Unusual transaction velocity triggers review:
- Many payments in a short window from a single IP
- Multiple failed authorizations for the same card
- Repeated payments with the same amount across multiple merchants
Velocity alerts are visible in the Partner Portal under Security → Alerts.
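The three velocity signals listed above, sketched as sliding-window checks that a partner could run over their own payment log. This is an added example, not Cresora's implementation: the 10-minute window, the thresholds, the event field names and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration; this page does not publish Cresora's thresholds.
WINDOW = timedelta(minutes=10)
LIMITS = {
    "ip_burst": 5,               # payments from one IP inside WINDOW
    "card_failed_auth": 3,       # failed authorizations for one card token
    "amount_multi_merchant": 3,  # distinct merchants charged the same amount
}

def velocity_alerts(events):
    """Return sorted (signal, key) pairs whose distinct count reaches its limit in WINDOW."""
    groups = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        groups[("ip_burst", e["ip"])].append((ts, e["id"]))
        if e["status"] == "auth_failed":
            groups[("card_failed_auth", e["card"])].append((ts, e["id"]))
        groups[("amount_multi_merchant", e["amount"])].append((ts, e["merchant"]))
    alerts = []
    for (signal, key), items in groups.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the start forward so the span never exceeds WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            if len({value for _, value in items[start:end + 1]}) >= LIMITS[signal]:
                alerts.append((signal, key))
                break
    return sorted(alerts)

def _ev(n, minute, ip, card, merchant, amount, status="approved"):
    """Build one constructed event; the field names are hypothetical."""
    return {"id": f"p{n}", "ts": f"2024-01-01T12:{minute:02d}:00", "ip": ip,
            "card": card, "merchant": merchant, "amount": amount, "status": status}

# Constructed sample data (documentation IP ranges, card tokens instead of PANs).
SAMPLE = (
    [_ev(i, i, "203.0.113.7", f"tok_{i}", "m1", 1000 + 100 * i) for i in range(5)]
    + [_ev(10 + i, 10 + i, f"198.51.100.{i + 1}", "tok_B", "m2", 2000 + 100 * i, "auth_failed") for i in range(3)]
    + [_ev(20 + i, 20 + i, f"192.0.2.{i + 1}", f"tok_C{i}", f"m{3 + i}", 4999) for i in range(3)]
    + [_ev(30 + i, 12 * i, "192.0.2.50", "tok_Z", "m9", 3000 + 100 * i) for i in range(5)]  # benign: spread out
)

if __name__ == "__main__":
    for signal, key in velocity_alerts(SAMPLE):
        print(signal, key)
```

The last group of sample events sends five payments from one IP spaced 12 minutes apart, so it stays under every limit and raises no alert.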
Fraud signals
Cresora evaluates each payment for fraud signals including:
- IP geolocation vs. billing address mismatch
- Device fingerprint anomalies
- BIN country mismatch
- High-risk merchant category code (MCC) combined with unusual velocity
Payments flagged as high-risk may be declined or held for review depending on your merchant's risk configuration.
Endpoint protection
The API endpoints are protected by:
- TLS-only (no HTTP)
- Rate limiting per key
- Automatic blocking of known malicious IP ranges
- Request signature validation on webhooks
IP allowlisting
For high-security deployments, you can restrict API calls to specific IP ranges. Contact your Cresora account manager to configure IP allowlisting for your partner account.
IP allowlisting is a defense-in-depth measure, not a replacement for API key security. Always protect your keys independently of IP restrictions.
Reporting suspicious activity
If you observe suspicious activity on your account (unauthorized transactions, unexpected API calls), contact Cresora immediately:
- Security email: security@cresoracommerce.com
- Partner Portal: Account → Support → Security Incident
Rotate your API keys immediately if you suspect key compromise.