Partner API Integration
Partners (affiliates) can use the Aurora API to programmatically create and manage API credentials for their merchants. This allows you to onboard merchants and provision their API access without the need for manual setup.
Prerequisites
Before using the Partner API endpoints, ensure:
- You have a partner-level API Key (generated from your partner account in the Aurora Portal).
- You have authenticated and obtained an access token via the OAuth client credentials flow.
- The specific API Permissions are enabled for your partner account.
Permission Inheritance
All the API Keys created for the merchant under your partner account inherit your partner account's permission set. This means the merchant can only access API endpoints that your partner account has enabled.
For more details on how permissions work, see API Permissions & Inheritance.
Creating the API Key as a Partner Account
To create the API Key as a Partner account:
- Log in to the Aurora Portal (Sandbox). This is the partner account that was set up for you earlier.
- Click on your user name in the bottom-left corner.
- Select Settings.
- In the navigation menu on the right, select API Keys. This activates the New API Key button.
- Select New API Key. The New API Key dialog displays.
- Enter an API Key name. This is a friendly, free-formed name. Use a meaningful name that easily identifies the API Key.
- Select Generate Key. The Client ID and Client Secret values display. Those are the two OAuth 2.0 client credential components and will be used to generate API Tokens.
The Client ID is part of the API Key that is safe to expose in frontend code. It only identifies the account. It does not grant privileged or authentication access to the account. The Client ID will be visible in your API Keys list of your Partner dashboard. It will also be associated with a friendly name to make it easier to identify.
The Client Secret is part of the API Key that is secret. It must be protected in the same way as a password.
The Client Secret will not be displayed again after it is created.
If the Client Secret is lost, forgotten, or compromised, a new API Key must be generated. Therefore, we recommend immediately saving and storing the Client Secret in a secure location. Consider using secure note applications, password managers, or encrypted storage option.
After saving the Client Secret in a secure location, close this dialog. The new API Key displays in the dashboard section.
Partner API endpoints
The following API endpoints are available for creating and managing merchant API Keys as a partner.
All merchant token management endpoints use the following base URL:
Sandbox Environment:
https://api.uat.arise.risewithaurora.com/pay-api/v1/merchants/tokens
Production Environment:
https://api.arise.risewithaurora.com/pay-api/v1/merchants/tokens
Create a Merchant API Key
Generate a new API Key (client credentials) for a merchant under your partner account.
Request:
POST /pay-api/v1/merchants/tokens
| Field | Type | Required | Description |
|---|---|---|---|
| merchantId | string (UUID) | Yes | The unique identifier of the merchant to create the token for. |
| tokenName | string | Yes | A display name to help identify this token (e.g. "Ecommerce API Key"). |
Example:
curl -X POST 'https://api.uat.arise.risewithaurora.com/pay-api/v1/merchants/tokens' \
-H 'Authorization: Bearer ACCESS_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"merchantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"tokenName": "Ecommerce Sandbox API Key"
}'
Response:
{
"clientId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
"clientSecret": "generated-secret-value"
}
| Field | Description |
|---|---|
| clientId | The client identifier for the new merchant token. Used as the username when authenticating. |
| clientSecret | The client secret for the new merchant token. Used as the password when authenticating. |
The clientSecret is only returned once at creation time. Store it securely — you will not be able to retrieve it again. If lost, delete the token and create a new one.
The merchant can then use this clientId and clientSecret pair to authenticate via the OAuth client credentials flow and make API calls scoped to their merchant account.
List Merchant API Keys
Retrieve a list of API Keys that have been created for merchants under your partner account.
Request:
GET /pay-api/v1/merchants/tokens
You can optionally filter by a specific merchant:
GET /pay-api/v1/merchants/tokens?merchantId=a1b2c3d4-e5f6-7890-abcd-ef1234567890
| Parameter | Type | Required | Description |
|---|---|---|---|
| merchantId | string (UUID) | No | Filter tokens for a specific merchant. If omitted, returns tokens for all merchants under your partner account. |
Response:
{
"tokens": [
{
"merchantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"tokenName": "Ecommerce API Key",
"clientId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
"creationDate": "2026-01-15T10:30:00Z"
},
{
"merchantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"tokenName": "Ecommerce Sandbox API Key",
"clientId": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
"creationDate": "2026-02-01T14:00:00Z"
}
]
}
| Field | Description |
|---|---|
| tokens | Array of merchant API Keys. |
| tokens[].merchantId | The merchant that owns this token. |
| tokens[].tokenName | The display name assigned when the token was created. |
| tokens[].clientId | The client identifier for this token. |
| tokens[].creationDate | When the token was created (ISO 8601 format). |
The clientSecret is never returned in list responses. It is only available at the time of creation.
Delete a Merchant API Key
Revoke and permanently delete a merchant API Key. The merchant will no longer be able to authenticate using the deleted credentials.
Request:
DELETE /pay-api/v1/merchants/tokens/{clientId}?merchantId={merchantId}
| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string (UUID) | Yes | Path parameter. The client ID of the token to delete. |
| merchantId | string (UUID) | Yes | Query parameter. The merchant that owns the token. |
Example:
curl -X DELETE 'https://api.uat.arise.risewithaurora.com/pay-api/v1/merchants/tokens/f47ac10b-58cc-4372-a567-0e02b2c3d479?merchantId=a1b2c3d4-e5f6-7890-abcd-ef1234567890' \
-H 'Authorization: Bearer ACCESS_TOKEN'
Response:
Returns 200 OK with no response body on success.
Deleting a token is permanent and takes effect immediately. Any integration using the deleted credentials will stop working immediately.
Error Responses
All endpoints return standard HTTP error codes:
| Status Code | Description |
|---|---|
| 400 Bad Request | Invalid request — check that required fields are present and correctly formatted. |
| 401 Unauthorized | Missing or invalid access token. |
| 403 Forbidden | Your partner account does not have the required permission. |
| 404 Not Found | The specified token or merchant was not found. |
| 500 Internal Server Error | An unexpected error occurred. Contact support if the issue persists. |