
Partner / Merchant Relationships

The Aurora platform uses a two-level account hierarchy: Partners and merchants. Understanding this relationship is important because it determines how API keys are scoped, how permissions are enforced, and how data access works across the platform.

Account Types

Account Type | Description
Partner | An organization that manages one or more merchant accounts. Partners can create and manage API credentials for their merchants, and control which API operations those merchants can perform.
Merchant | A business that processes payments. A merchant can either be standalone (independent) or belong to a partner.

How the Relationship Works

A partner (Partner Account A in the example below) must have at least one merchant (Merchant A) but could also have more merchants (Merchant B and Merchant C).

When a merchant belongs to a partner:

  • The partner can create and manage API keys and API tokens on behalf of the merchant.
  • The partner can view and operate across all of their merchants using a single partner-level key.
  • The merchant's API access is governed by the partner's permission set.

Each merchant belongs to at most one partner. For example, Merchant A could not belong to both Partner Account A and Partner Account B.

Partner Account A       Partner Account B       Merchant F
├── Merchant A          ├── Merchant D
├── Merchant B          └── Merchant E
└── Merchant C

Merchants aren't required to have partners (Merchant F in the example above). These are called standalone merchants. They are not associated with any partner. A standalone merchant has full access to all API operations. They manage their own API keys and API tokens independently.

API Key Scoping

Every API key in Aurora is scoped to either a partner or a merchant. The API key type determines what data can be accessed.

Key Type | Scope | Typical Use
Partner key | Operates across all merchants that belong to the partner. | Managing merchant credentials, viewing transactions across merchants, platform-level operations. Partner-level keys are intended for administrative, reporting, and management functions only. They must not be used for processing live transactions.
Merchant key | Operates on data for that specific merchant only. | Processing payments, managing customers, day-to-day API operations for a single merchant. A merchant-level key created by a partner still only has access to that specific merchant's data. It cannot access other merchants, even under the same partner.

Permission Inheritance

When a merchant belongs to a partner, the merchant's API key inherits the partner's permission set. The partner's permission set acts as an allowlist: it defines the complete set of API operations available to any merchant under that partner.

This means:

  • If a permission is enabled at the partner level, merchant keys under that partner can use the corresponding API endpoints.
  • If a permission is disabled at the partner level, any request from a merchant key to a restricted endpoint will return 403 Forbidden, regardless of the merchant's own configuration.

Standalone merchants (those not associated with a partner) are not subject to permission restrictions. This is called key isolation. All API operations are available.

For a full list of permissions and how they work, see API Permissions & Inheritance.
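
The key-scoping and permission-inheritance rules above can be read as one authorization decision. The following model is an added example, not Aurora code: the class names, the authorize function and the operation names are hypothetical, and it assumes partner keys are checked for scope only, since the page states no permission rule for them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Partner:
    name: str
    allowlist: frozenset                # operations enabled at the partner level

@dataclass(frozen=True)
class Merchant:
    name: str
    partner: Optional[Partner] = None   # at most one partner; None = standalone

@dataclass(frozen=True)
class ApiKey:
    scope: object                       # the Partner or Merchant the key is scoped to

def authorize(key: ApiKey, target: Merchant, operation: str) -> tuple:
    """Decide whether `key` may run `operation` against `target`'s data."""
    owner = key.scope
    if isinstance(owner, Partner):
        # Partner key: reaches every merchant under that partner (assumed: scope check only).
        if target.partner != owner:
            return (False, "scope: merchant is not under this partner")
        return (True, "partner key")
    # Merchant key: only that merchant's data, even under a shared partner.
    if target != owner:
        return (False, "scope: key belongs to a different merchant")
    if owner.partner is None:
        return (True, "standalone merchant: all operations available")
    # Permission inheritance: the partner's permission set is the allowlist.
    if operation not in owner.partner.allowlist:
        return (False, "403 Forbidden: disabled at the partner level")
    return (True, "enabled at the partner level")

# Constructed sample hierarchy mirroring the diagram; operation names are made up.
PARTNER_A = Partner("Partner Account A", frozenset({"payments.create", "customers.read"}))
MERCHANT_A = Merchant("Merchant A", PARTNER_A)
MERCHANT_B = Merchant("Merchant B", PARTNER_A)
MERCHANT_D = Merchant("Merchant D", Partner("Partner Account B", frozenset()))
MERCHANT_F = Merchant("Merchant F")     # standalone

if __name__ == "__main__":
    for key, target, op in [
        (ApiKey(MERCHANT_A), MERCHANT_A, "refunds.create"),   # disabled at partner
        (ApiKey(MERCHANT_A), MERCHANT_B, "customers.read"),   # sibling merchant
        (ApiKey(MERCHANT_F), MERCHANT_F, "refunds.create"),   # standalone
    ]:
        print(key.scope.name, "->", target.name, op, authorize(key, target, op))
```

A model like this is useful as a test oracle: each row of the constructed hierarchy becomes a negative test that an integration should see rejected.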

Managing Merchant Keys

Partners can programmatically create, list, and delete API keys for their merchants using the partner API's allowlist. This is useful for onboarding new merchants or rotating credentials without requiring each merchant to log into the Aurora Portal.

For endpoint details, see Partner API Integration.

Concepts Summary

Concept | Detail
One-to-many | A partner can have many merchants. A merchant belongs to at most one partner.
Standalone merchant | A merchant without a partner has unrestricted API access and manages its own credentials.
Permission inheritance | A merchant's API access is limited by the partner's permission set.
Key isolation | Merchant keys are scoped to a single merchant, even when created by a partner.
Partner API key | A partner API key can operate across all merchants under the partner.