Core concepts
A glossary and object model reference for Tokeflow — the entities you orchestrate (organizations, merchants, customers, catalog, checkout, transactions, orders, subscriptions, and payment instruments) and how they relate.
Tokeflow is the infrastructure behind your platform. You model your business once — its accounts, catalog, customers, and payments — and Tokeflow standardizes those objects across every connected payment provider. This page is the canonical glossary and object model: each entity, what it represents, its ID prefix, and how the pieces fit together.
Tokeflow orchestrates payments — routing, fallback, normalization, and traceability — but it is not a payment processor and never moves or settles funds. Authorization, capture, and settlement happen at the connected payment providers. The objects below are Tokeflow's normalized view of your operation.
The object model at a glance
Everything in Tokeflow hangs off a two-level tenancy model: an Organization (your platform) that contains one or more Merchants (the brands or business units that actually sell). Almost every other resource is scoped to a single merchant.
A Merchant API key is automatically scoped to its merchant — you never pass merchant_id. An Organization key spans every merchant in the org, so merchant-scoped calls must identify the target merchant via the merchant_id query parameter (on list/get) or body field (on create). See Authentication.
Tenancy
Organization
Your platform — the top-level tenant and billing/governance boundary. An organization owns one or more merchants and carries org-wide compliance identity (legal name, registration, country). Organization-scoped API keys (sk_live_org_… / pk_live_org_…) can act across every merchant in the org.
ID prefix: org_
Merchant
A single brand or business unit that sells under your platform. A merchant is the scope for nearly every operational resource — customers, catalog, checkout, transactions, orders, and subscriptions all belong to exactly one merchant. Merchant-scoped keys (sk_live_mer_… / pk_live_mer_…) infer the merchant automatically.
ID prefix: mrc_
Merchants, API keys, and webhook endpoints are provisioned in the Tokeflow Dashboard during onboarding — not via the API. Once onboarded, you use the issued keys to drive everything below programmatically.
Customers and payment data
Customer
A buyer under a specific merchant. Holds identity (name, email, phone), an optional tax document, and a billing address. Customers are de-duplicated by email within a merchant, and the same person may exist independently under different merchants.
ID prefix: cust_
| Field | Type | Required | Description |
|---|---|---|---|
email | string | No | Used for de-duplication within the merchant. |
name | string | No | Display name. |
phone | string | No | Contact phone. |
document_type | enum | No | One of cpf, cnpj, passport, tax_id. |
document_number | string | No | The document value for the given type. |
Payment Instrument
A reusable, tokenized payment method owned by a customer — typically a card stored for future charges (returning checkout, subscriptions, one-click). Tokeflow stores only safe metadata such as brand, last four digits, and expiry; raw card data is never persisted on Tokeflow's systems.
ID prefix: pi_
| Field | Type | Description |
|---|---|---|
id | string | pi_… instrument identifier. |
customer_id | string | Owning customer (cust_…). |
card_brand | string | Card network brand. |
last4 | string | Last four digits of the card. |
exp_month | integer | Expiry month. |
exp_year | integer | Expiry year. |
is_default | boolean | Whether this is the customer's default instrument. |
status | string | Lifecycle status of the instrument. |
Payment instruments can stay current automatically: Tokeflow supports network tokens and an account updater so stored cards keep working across reissues and expiries — without you re-collecting card details.
Card Token
A short-lived, single-use reference to card data collected in the browser by Tokeflow's secure fields. Secure fields run inside isolated, cross-origin iframes; card data is encrypted in the browser and never touches your servers. Your client receives a card token and hands it to your backend, which exchanges it (server-side, with a secret key) into a durable Payment Instrument.
ID prefix: tok_
Card tokens are an SDK / browser-side concept and are short-lived by design. Treat them as one-time hand-offs: exchange them server-side promptly, then reference the resulting pi_… instrument for any future charge. See the SDK docs.
Catalog
Your sellable catalog is a four-level hierarchy: a Product Family groups related Products; each product is sold as one or more Offers; each offer is priced via Offer Prices (one per currency). Offer Transitions define how a subscriber may move between offers (upgrade/downgrade) within a family.
Product Family
A grouping of related products that a subscriber can move between (for example, tiers of a plan). The family defines the default behavior — change_charge_behavior — for transitions between its offers. A product belongs to a family when it participates in upgrade/downgrade flows.
ID prefix: pfa_
Product
Something you sell. A product is either one_time or recurring (type), and is active or archived (status). When part of a family, it carries a tier position so plans can be ordered for upgrade/downgrade logic.
ID prefix: prd_
| Field | Type | Description |
|---|---|---|
name | string | Product name. |
type | enum | one_time or recurring. |
status | enum | active or archived. |
product_family_id | string | Owning family (pfa_…); set when the product participates in upgrade/downgrade. |
Offer
A purchasable configuration of a product — the thing a customer actually buys. An offer fixes the billing cycle, trial and setup behavior, and how many cycles to charge. A product can expose several offers (for example, a monthly and a yearly offer).
ID prefix: ofr_
| Field | Type | Description |
|---|---|---|
name | string | Offer name (e.g. "Monthly", "Holiday Promo"). |
billing_cycle | enum | daily, biweekly, monthly, quarterly, half_yearly, yearly, custom, or none (on-demand, no scheduler). |
cycle_limit | integer | Number of charges; null = charge until cancelled. |
status | enum | active or archived. |
is_default | boolean | Default offer for the product. |
billing_cycle: none means an on-demand offer with no automatic billing scheduler. Use it for offers that are charged ad hoc rather than on a fixed cadence.
Offer Price
The amount for an offer in a single currency. An offer has one price per currency, with one marked as the default. Amounts are integer minor units and always paired with an ISO 4217 currency.
ID prefix: opr_
| Field | Type | Description |
|---|---|---|
currency | string | ISO 4217 currency (e.g. BRL, USD). |
amount | integer | Price in minor units (e.g. 9900 = US$99.00). |
is_default | boolean | Default currency for the offer. |
Offer Transition
A directional rule connecting two offers in the same family — the path a subscriber takes when upgrading or downgrading. A transition can override the family's default change_charge_behavior (next_renew, prorated, or override) for that specific pair, and can be activated or deactivated.
ID prefix: oft_
Checkout
A hosted, stateful purchase flow. A Checkout Session tracks a buyer from arrival to completion, holds the chosen offers as Checkout Items, and records a timeline of Checkout Events (including UTM attribution) for funnel analysis. A completed session produces an Order.
Checkout Session
The container for one checkout attempt. Tracks the primary offer, the (eventually identified) customer, the selected currency, and a lifecycle status: initiated, customer_identified, payment_pending, completed, expired, abandoned.
ID prefix: cks_
Checkout Item
A line within a session: an offer, its currency and snapshotted amount, quantity, and selected installments. Amounts are snapshotted from the offer price at session time so later catalog edits don't change an in-flight checkout.
ID prefix: cki_
Checkout Event
An append-only event in a session's timeline. Event types: initiated, customer_identified, currency_changed, payment_started, payment_failed, payment_succeeded, completed, expired, abandoned. Carries optional attribution (utm_source, utm_medium, utm_campaign) and request context.
ID prefix: cke_
Payments
Transaction
A single payment attempt against a provider — the normalized record of one authorization/capture, regardless of which connected provider handled it. Carries the payment method, amounts (authorized and captured, in minor units), currency, country, and a rich status. Transactions are idempotent on create and may be linked to an Order.
ID prefix: tx_
| Field | Type | Description |
|---|---|---|
payment_method | enum | credit_card, debit_card, pix, boleto, wallet. |
charge_type | enum | payment or setup_verification. |
amount_authorized | integer | Authorized amount in minor units. |
amount_captured | integer | Captured amount in minor units. |
currency | string | ISO 4217 currency. |
country | string | ISO 3166-1 alpha-2 country. |
status | enum | See transaction statuses below. |
status: pending, pre_authorized, authorized, failed, canceled, voided, charged_back, refund_pending, capture_pending, refunded, partially_refunded, expired.
When you create a transaction, send an Idempotency-Key header (or idempotency_key in the body). Replaying the same key returns the original result instead of charging twice. See Idempotency.
Order
The merchant-facing, normalized record of a single sale. An order links to at most one Transaction that settles it, references the customer, and may be tied to a Subscription when it's a renewal or trial setup. Use the order as your stable business reference; the transaction is the payment mechanics behind it.
ID prefix: ord_
| Field | Type | Description |
|---|---|---|
customer_id | string | Buyer (cust_…). |
order_type | enum | api, checkout, renewal, trial_setup, card_setup. |
total_amount | integer | Order total in minor units. |
currency | string | ISO 4217 currency. |
status | enum | See order statuses below. |
subscription_id | string | Set for renewal / trial_setup orders; null for one-off orders. |
checkout_session_id | string | Set when the order originated from a checkout session. |
status: pending, pre_authorized, authorized, failed, canceled, refunded, partially_refunded, charged_back, refund_pending.
Refund
A full or partial reversal of a captured transaction. A transaction may have multiple refunds (e.g. successive partial refunds). Each refund records an amount in minor units, a currency, a status, and a reason.
ID prefix: ref_
| Field | Type | Description |
|---|---|---|
payment_transaction_id | string | The transaction being refunded (tx_…). |
amount | integer | Refunded amount in minor units. |
currency | string | ISO 4217 currency. |
status | enum | pending, succeeded, failed, cancelled. |
reason | enum | duplicate, fraudulent, requested_by_customer. |
Subscription
A recurring billing agreement: a customer billed on an Offer using a stored Payment Instrument. Tokeflow tracks the current offer and amount, the billing period, trial windows, dunning state for failed renewals, and a lifecycle status. Each renewal charge produces an Order (and its transaction).
ID prefix: sub_
| Field | Type | Description |
|---|---|---|
customer_id | string | Subscriber (cust_…). |
current_offer_id | string | The offer currently billed (ofr_…). |
billing_cycle | enum | Copied from the offer at creation. |
current_amount | integer | Current recurring amount in minor units. |
currency | string | ISO 4217 currency. |
payment_instrument_id | string | Instrument charged on renewal (pi_…). |
cancel_at_period_end | boolean | If true, cancels at period end instead of immediately. |
status | enum | trialing, active, dunning, paused, cancelled, expired. |
Money and formatting conventions
Consistency across providers and currencies is enforced by a few rules. Apply them everywhere.
| Concept | Convention | Example |
|---|---|---|
| Amounts | Integer minor units (cents) — never decimals | 15000 = R$150.00; 9900 = US$99.00 |
| Currency | ISO 4217, always paired with an amount | BRL, USD, EUR |
| Country | ISO 3166-1 alpha-2 | BR, US |
| Timestamps | ISO 8601, UTC | 2026-01-15T12:30:00.000Z |
Every amount in Tokeflow is an integer in minor units. Sending 150.00 where 15000 is expected will be rejected or misinterpreted. Always send and store amounts as cents, and always include the currency.
Standard response envelope
Every API response wraps the resource in a consistent envelope. A single resource omits meta; a list includes meta.pagination.
{
"success": true,
"data": {
"id": "tx_8f3c2a1b",
"status": "authorized",
"payment_method": "credit_card",
"amount_authorized": 15000,
"amount_captured": 15000,
"currency": "BRL",
"country": "BR"
},
"request_id": "req_8f3c2a1b9d",
"timestamp": "2026-01-15T12:30:00.000Z"
}A list response sets data to an array and includes pagination:
{
"success": true,
"data": [
{ "id": "ord_a1b2c3", "status": "authorized", "total_amount": 9900, "currency": "USD" }
],
"meta": {
"pagination": {
"page": 1,
"limit": 20,
"total": 42,
"total_pages": 3,
"has_next": true,
"has_prev": false
}
},
"request_id": "req_8f3c2a1b9d",
"timestamp": "2026-01-15T12:30:00.000Z"
}ID format reference
Every Tokeflow object carries a prefixed, opaque identifier. Prefixes are stable — match on them rather than parsing the random suffix.
| Object | Prefix | Example |
|---|---|---|
| Organization | org_ | org_a1b2c3d4 |
| Merchant | mrc_ | mrc_a1b2c3d4 |
| Customer | cust_ | cust_a1b2c3d4 |
| Product Family | pfa_ | pfa_a1b2c3d4 |
| Product | prd_ | prd_a1b2c3d4 |
| Offer | ofr_ | ofr_a1b2c3d4 |
| Offer Price | opr_ | opr_a1b2c3d4 |
| Offer Transition | oft_ | oft_a1b2c3d4 |
| Checkout Session | cks_ | cks_a1b2c3d4 |
| Checkout Item | cki_ | cki_a1b2c3d4 |
| Checkout Event | cke_ | cke_a1b2c3d4 |
| Transaction | tx_ | tx_a1b2c3d4 |
| Order | ord_ | ord_a1b2c3d4 |
| Refund | ref_ | ref_a1b2c3d4 |
| Subscription | sub_ | sub_a1b2c3d4 |
| Payment Instrument | pi_ | pi_a1b2c3d4 |
| Card Token (SDK) | tok_ | tok_a1b2c3d4 |
Next steps
- Authentication — key types, scopes, and the
merchant_idrule for org keys. - Idempotency — safe retries on create and charge calls.
- SDK — collect cards with secure fields and exchange card tokens into payment instruments.
- Webhooks — normalized event delivery and signature verification.