Organizations & Merchants
Understand Tokeflow's multi-tenant model and choose between Organization-level and Merchant-level API integration.
Tokeflow is multi-tenant by design. Every account is modeled as an Organization that owns one or more Merchants. This two-level hierarchy is the foundation for how you authenticate, scope data, and govern access across your platform.
You integrate at one of two levels:
- Organization level — one set of credentials that operates across every merchant in the org. Ideal for platforms and back-office systems.
- Merchant level — credentials scoped to a single merchant, where the merchant is inferred automatically. Ideal for a single store.
This page explains the hierarchy and helps you pick the right integration level. For header formats and key handling, see Authentication.
Tokeflow is a payment orchestration platform — the infrastructure behind your platform. It standardizes payment operations across connected providers; the connected providers handle processing and settlement.
The hierarchy
An Organization is the top-level tenant. It owns Merchants. Each Merchant is fully isolated: it has its own API credentials, product catalog, customers, transactions, and webhook endpoints. Data never leaks across merchant boundaries.
| Concept | Owns | Examples of scoped resources |
|---|---|---|
Organization (org_…) | One or many Merchants | Merchants, org-wide reporting, org API keys |
Merchant (mrc_…) | Its own isolated data | Products, customers, transactions, orders, subscriptions, webhook endpoints |
Merchants and API keys are created in the Tokeflow Dashboard during onboarding, not through the public API. Once provisioned, you receive the keys you use to authenticate every request.
Organization-level integration
An Organization key spans every merchant in the org. Use it from a central platform or back-office system that needs to operate on behalf of many merchants with one credential.
Because an org key is not bound to a single merchant, you must tell Tokeflow which merchant a merchant-scoped operation targets:
- List and read endpoints: pass the merchant as the
merchant_idquery parameter. - Create endpoints: pass
merchant_idin the request body.
Omitting merchant_id on a merchant-scoped operation returns 400 validation_error.
# Organization key — list a specific merchant's transactions
curl https://api.tokeflow.com/api/v1/transactions?merchant_id=mrc_123&page=1&limit=20 \
-H "Authorization: Bearer sk_live_org_xxxxxxxxxxxxxxxxxxxx"// Organization key — create a customer for a specific merchant
const res = await fetch("https://api.tokeflow.com/api/v1/customers", {
method: "POST",
headers: {
Authorization: `Bearer ${process.env.TOKEFLOW_ORG_SECRET_KEY}`,
"Content-Type": "application/json",
"Idempotency-Key": crypto.randomUUID(),
},
body: JSON.stringify({
merchant_id: "mrc_123", // required for org keys on merchant-scoped resources
email: "ada@example.com",
name: "Ada Lovelace",
}),
});If merchant_id is missing, the API responds:
{
"error": {
"type": "validation_error",
"code": "MERCHANT_ID_REQUIRED",
"message": "merchant_id is required when using organization API keys",
"details": {},
"request_id": "req_8f3c2a1b9d",
"timestamp": "2026-01-15T12:30:00.000Z"
}
}Merchant-level integration
A Merchant key is permanently scoped to one merchant. The merchant is inferred from the key — you never pass merchant_id. Use it for a single store or any integration that only ever touches one merchant.
# Merchant key — list this merchant's transactions (no merchant_id needed)
curl https://api.tokeflow.com/api/v1/transactions?page=1&limit=20 \
-H "Authorization: Bearer sk_live_mer_xxxxxxxxxxxxxxxxxxxx"// Merchant key — create a customer (merchant is inferred)
const res = await fetch("https://api.tokeflow.com/api/v1/customers", {
method: "POST",
headers: {
Authorization: `Bearer ${process.env.TOKEFLOW_MERCHANT_SECRET_KEY}`,
"Content-Type": "application/json",
"Idempotency-Key": crypto.randomUUID(),
},
body: JSON.stringify({
email: "ada@example.com",
name: "Ada Lovelace",
}),
});A successful response is wrapped in the standard success envelope:
{
"success": true,
"data": {
"id": "cust_4f9a1c2e7b",
"merchant_id": "mrc_123",
"email": "ada@example.com",
"name": "Ada Lovelace",
"created_at": "2026-01-15T12:30:00.000Z",
"updated_at": "2026-01-15T12:30:00.000Z"
},
"request_id": "req_8f3c2a1b9d",
"timestamp": "2026-01-15T12:30:00.000Z"
}A merchant key can never reach another merchant's data — isolation is enforced server-side. Requesting a resource that belongs to a different merchant returns 404 not_found_error, not the resource.
Organization key vs Merchant key
Both key levels exist as secret keys (sk_…, server-side only) and public keys (pk_…, client-safe). The level controls which entity the key acts on; the type controls where it can be used. See Authentication for key anatomy and handling.
| Capability | Organization key | Merchant key |
|---|---|---|
| Secret prefix | sk_live_org_… | sk_live_mer_… |
| Public prefix | pk_live_org_… | pk_live_mer_… |
| Scope of access | Every merchant in the org | A single merchant |
merchant_id required | Yes, on merchant-scoped list/get (query) and create (body) | No — merchant is inferred |
| Manage merchants | Yes (e.g. merchants:read, merchants:write) | No |
| Org-wide reporting | Yes | No (single-merchant only) |
| Per-merchant resources (transactions, customers, orders, products, offers, subscriptions, webhooks) | Yes, for any merchant | Yes, for its own merchant |
| Typical use | Platform / back-office over many stores | A single store |
Scopes are independent of level. A key only grants the resource:action scopes assigned to it during onboarding (e.g. transactions:read, products:write). A request that lacks the required scope returns 403 authorization_error, even if the key can otherwise reach the target merchant.
When to use which
Choose the integration level that matches how your system maps to merchants.
Use an Organization key when:
- You run a platform or marketplace that manages many merchants.
- A back-office, billing, or analytics service needs org-wide visibility.
- You provision or reconcile data across stores from one place.
Use a Merchant key when:
- You are integrating a single store or brand.
- You want the simplest possible requests — no
merchant_idto manage. - You want to limit a credential's blast radius to one merchant.
Many platforms use both: an Organization key in the central control plane, and a dedicated Merchant key handed to each store's integration. This keeps store-level credentials narrowly scoped while preserving org-wide control.
Next steps
- Authentication — key anatomy, headers, secret vs public keys, and security rules.