Partner / Merchant Relationships
The Aurora platform uses a two-level account hierarchy: partners and merchants. Understanding this relationship is important because it determines how API Tokens are scoped, how permissions are enforced, and how data access works across the platform.
Account Types
| Account Type | Description |
|---|---|
| Partner | An organization that manages one or more merchant accounts. Partners can create and manage API credentials for their merchants, and control which API operations those merchants can perform. |
| Merchant | A business that processes payments. A merchant can either be standalone (independent) or belong to a partner. |
How the Relationship Works
A partner can have many merchants, but each merchant belongs to at most one partner.
Partner Account
├── Merchant A
├── Merchant B
└── Merchant C
When a merchant belongs to a partner:
- The partner can create and manage API credentials on behalf of the merchant.
- The merchant's API access is governed by the partner's permission set.
- The partner can view and operate across all of their merchants using a single partner-level token.
Standalone merchants — those not associated with any partner — have full access to all API operations and manage their own credentials independently.
API Token Scoping
Every API Token in Aurora is scoped to either a partner or a merchant. The token type determines what data can be accessed.
| Token Type | Scope | Typical Use |
|---|---|---|
| Partner token | Operates across all merchants that belong to the partner. | Managing merchant credentials, viewing transactions across merchants, platform-level operations. |
| Merchant token | Operates on data for that specific merchant only. | Processing payments, managing customers, day-to-day API operations for a single merchant. |
A merchant token created by a partner still only has access to that specific merchant's data — it cannot access other merchants under the same partner.
Permission Inheritance
When a merchant belongs to a partner, the merchant's API Token inherits the partner's permission set. The partner's permissions act as an allowlist — they define the maximum set of API operations available to any merchant under that partner.
This means:
- If a permission is enabled at the partner level, merchant tokens under that partner can use the corresponding API endpoints.
- If a permission is disabled at the partner level, any request from a merchant token to a restricted endpoint will return
403 Forbidden, regardless of the merchant's own configuration.
Standalone merchants (not associated with a partner) are not subject to permission restrictions — all API operations are available.
For a full list of permissions and how they work, see API Permissions & Inheritance.
Managing Merchant Credentials
Partners can programmatically create, list, and delete API credentials for their merchants using the Partner API. This is useful for onboarding new merchants or rotating credentials without requiring each merchant to log into the Aurora Portal.
For endpoint details, see Partner API Integration.
Key Concepts Summary
| Concept | Detail |
|---|---|
| One-to-many | A partner can have many merchants. A merchant belongs to at most one partner. |
| Permission inheritance | A merchant's API access is limited by the partner's permission set. |
| Token isolation | Merchant tokens are scoped to a single merchant, even when created by a partner. |
| Standalone merchants | Merchants without a partner have unrestricted API access and manage their own credentials. |
| Partner tokens | Partner tokens can operate across all merchants under the partner. |