API Permissions & Inheritance
Aurora uses a permission model that controls which API operations a token can perform. Permissions are managed at the partner level and automatically inherited by all merchant tokens under that partner.
API Key Scope
Every API key in Aurora is scoped to either a merchant or a partner:
- Merchant API keys can only access data and operations for that specific merchant.
- Partner API keys operate across all merchants that belong to the partner.
When you generate an API key in the Aurora Portal, the API key is automatically associated with your account's scope.
Permission Inheritance
If a merchant belongs to a partner, the merchant's API key inherits the partner's permission set. The partner's permissions act as an allowlist. They define the maximum set of API operations available to any merchant under that partner.
This means:
- If a permission is enabled at the partner level, merchant tokens under that partner can use the corresponding API endpoints.
- If a permission is disabled at the partner level, any request from a merchant token to a restricted endpoint will return
403 Forbidden. - Standalone merchants (not associated with a partner) have full access to all API operations without permission restrictions.
Permission changes at the partner level take effect immediately for all merchant tokens under that partner.
Permission Categories
Permissions are organized into the following categories. Each permission controls access to one or more related API endpoints.
POS / Terminal Operations
| Permission | Description |
|---|---|
| Start POS Transaction | Initiate a new transaction on a terminal device |
| Get POS Transactions | List POS transactions |
| Get POS Transaction Details | Retrieve details of a specific POS transaction |
| Cancel POS Transaction | Cancel a pending POS transaction |
| Print POS Receipt | Print a transaction receipt on the terminal |
| Get Terminal List | List available terminal devices |
| Get Terminal Information | Retrieve details of a specific terminal |
E-Commerce (Card Not Present)
| Permission | Description |
|---|---|
| Auth | Authorize a card transaction without capturing funds. |
| Sale | Authorize and capture a card transaction in one step. |
| Capture | Capture a previously authorized transaction. |
| Void | Void a transaction before settlement. |
| Refund | Refund a settled transaction. |
| Refund Without Reference | Issue a refund without referencing an original transaction. This is a considerably high-risk transaction type, as funds are debited directly from the merchant’s account even if the original sale was not processed through Aurora. |
ACH Transactions
| Permission | Description |
|---|---|
| ACH Debit | Initiate an ACH debit transaction |
| ACH Credit | Initiate an ACH credit transaction |
| ACH Void | Void an ACH transaction |
| ACH Hold | Place a hold on an ACH transaction |
| ACH Unhold | Release a hold on an ACH transaction |
Payment Management & Reporting
| Permission | Description |
|---|---|
| List Transactions | Retrieve a list of transactions with filtering options |
| Get Transaction Details | Retrieve full details of a specific transaction |
| Calculate Transaction Amount | Calculate totals including surcharges and fees |
| Submit Tip Adjustment | Adjust the tip amount on a transaction |
| Get Settlement Batches | List settlement batches |
| Submit Batch for Settlement | Submit an open batch for settlement |
| Send Receipt by SMS | Send a transaction receipt via text message |
Customer Management
| Permission | Description |
|---|---|
| List Customers | Retrieve a list of stored customers |
| Get Customer Details | Retrieve details of a specific customer |
| Manage Customers | Create, update, and delete customer records |
Hosted Solutions
| Permission | Description |
|---|---|
| Invoices | Create and manage hosted invoices |
| Quick Payments | Create and manage hosted quick payment links |
| Subscriptions | Create and manage recurring subscription plans |
| Web Components | Use the Aurora JS library for embedded payment forms |
| WooCommerce | Access WooCommerce integration features |
Features
| Permission | Description |
|---|---|
| Tap to Pay on Mobile | Enable Tap to Pay functionality on mobile devices |
General
The following permissions are always enabled and cannot be disabled:
| Permission | Description |
|---|---|
| Ping | Health check endpoint |
| Status | Service status endpoint |
| Configurations | Retrieve account configuration settings |
How It Works in Practice
When a merchant belongs to a partner, every API request from that merchant's token is checked against the partner's permission set:
- The request is authenticated using the merchant's API key.
- The system identifies the partner that the merchant belongs to.
- The required permission for the requested endpoint is checked against the partner's permission configuration.
- If the permission is enabled, the request proceeds normally.
- If the permission is disabled, the API returns
403 Forbidden.
For standalone merchants (those not associated with any partner), permission checks are not applied — all API operations are available.
If you receive an unexpected 403 Forbidden response, check with your partner administrator to confirm the required permission is enabled for your account.