Access & Permissions
Not every API endpoint is available to every account level. This page documents who can call what.
Who Can Make Purchases
Only users at the Merchant or Sub-Merchant level can call POST /purchase.
Partner and Vendor users do not transact directly. They are administrative levels in the hierarchy. If you authenticate with a Partner or Vendor token and call /purchase, the API will reject the request with HTTP 403 Forbidden.
If you operate at the Partner or Vendor level and need to transact on behalf of a merchant, the merchant must integrate using their own credentials.
Endpoint Access Summary
| Endpoint | Partner | Vendor | Merchant | Sub-Merchant |
|---|---|---|---|---|
| POST /auth/token (login) | ✅ | ✅ | ✅ | ✅ |
| POST /auth/token/refresh | ✅ | ✅ | ✅ | ✅ |
| POST /purchase | ❌ | ❌ | ✅ | ✅ |
| POST /transactions (history) | ✅ | ✅ | ✅ | ✅ |
| POST /lookup/* (account-lookup, etc.) | ✅ | ✅ | ✅ | ✅ |
| GET /products/* (catalog, categories) | ✅ | ✅ | ✅ | ✅ |
| GET /lookups/* (brands, types, etc.) | ✅ | ✅ | ✅ | ✅ |
Listing endpoints (/transactions, /products/*) are scoped to the caller's hierarchy. You will only see data that belongs to your account or its descendants.
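As an added illustration, not code from the original page or from the API vendor, here is the access matrix and the hierarchy scoping rule above expressed as a server-side authorization check in Python. The Account model, the sample account tree, the "200" success envelope and the deny-by-default treatment of paths that match no row are assumptions made for this example; the 401 and 403 envelopes are the ones documented on this page.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ROLES = ("Partner", "Vendor", "Merchant", "Sub-Merchant")

# Endpoint access matrix transcribed from the table above.
# Keys ending in "/*" match any sub-path under that prefix.
ACCESS_MATRIX = {
    "POST /auth/token": set(ROLES),
    "POST /auth/token/refresh": set(ROLES),
    "POST /purchase": {"Merchant", "Sub-Merchant"},
    "POST /transactions": set(ROLES),
    "POST /lookup/*": set(ROLES),
    "GET /products/*": set(ROLES),
    "GET /lookups/*": set(ROLES),
}

# Listing endpoints whose results are scoped to the caller's hierarchy.
SCOPED_ENDPOINTS = {"POST /transactions", "GET /products/*"}

# Response envelopes: 401/403 as documented on this page; 200 is assumed.
UNAUTHORIZED = {"responseCode": "401", "responseMessage": "Unauthorized"}
ACCESS_DENIED = {"responseCode": "403", "responseMessage": "Access denied"}
OK = {"responseCode": "200", "responseMessage": "OK"}


@dataclass(frozen=True)
class Account:
    account_id: str
    role: str
    parent_id: Optional[str] = None  # None for a top-level Partner


# Constructed sample hierarchy: Partner -> Vendor -> two Merchants, one Sub-Merchant.
SAMPLE_ACCOUNTS: Dict[str, Account] = {a.account_id: a for a in [
    Account("partner-1", "Partner"),
    Account("vendor-1", "Vendor", "partner-1"),
    Account("merchant-1", "Merchant", "vendor-1"),
    Account("sub-1", "Sub-Merchant", "merchant-1"),
    Account("merchant-2", "Merchant", "vendor-1"),
]}


def match_endpoint(method: str, path: str) -> Optional[str]:
    """Map a concrete request to an ACCESS_MATRIX row: exact match first, then prefix."""
    key = f"{method.upper()} {path}"
    if key in ACCESS_MATRIX:
        return key
    for pattern in ACCESS_MATRIX:
        if pattern.endswith("/*") and key.startswith(pattern[:-1]):
            return pattern
    return None


def in_hierarchy(accounts: Dict[str, Account], caller_id: str, owner_id: str) -> bool:
    """True if owner_id is the caller itself or one of the caller's descendants.

    Walks the owner's parent chain upward; the `seen` set guards against a
    malformed tree with a cycle, so the loop always terminates.
    """
    seen = set()
    current: Optional[str] = owner_id
    while current is not None and current not in seen:
        if current == caller_id:
            return True
        seen.add(current)
        current = accounts[current].parent_id if current in accounts else None
    return False


def authorize(accounts: Dict[str, Account], caller: Optional[Account],
              method: str, path: str, owner_id: Optional[str] = None) -> dict:
    """Server-side decision for one request, returned as the page's response envelope.

    `caller` is None when no valid token was presented. `owner_id` is the account
    that owns the data being listed; it is only consulted for scoped endpoints.
    """
    if caller is None:
        return UNAUTHORIZED                 # missing, expired or revoked token
    endpoint = match_endpoint(method, path)
    if endpoint is None or caller.role not in ACCESS_MATRIX[endpoint]:
        return ACCESS_DENIED                # e.g. a Partner calling POST /purchase (deny by default)
    if endpoint in SCOPED_ENDPOINTS and owner_id is not None:
        if not in_hierarchy(accounts, caller.account_id, owner_id):
            return ACCESS_DENIED            # data belongs to another branch of the tree
    return OK


if __name__ == "__main__":
    partner = SAMPLE_ACCOUNTS["partner-1"]
    merchant = SAMPLE_ACCOUNTS["merchant-1"]
    print(authorize(SAMPLE_ACCOUNTS, partner, "POST", "/purchase"))
    print(authorize(SAMPLE_ACCOUNTS, merchant, "POST", "/transactions", owner_id="merchant-2"))
```

The role check and the hierarchy check are separate steps on purpose: a Merchant is allowed to call POST /transactions, but is still denied when the requested records belong to a sibling Merchant, which matches the second "common cause" of a 403 described below.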
What a 403 Response Looks Like
{
"responseCode": "403",
"responseMessage": "Access denied"
}
Common causes:
- A Partner or Vendor user attempting to call /purchase.
- A Merchant attempting to query data that belongs to another Merchant.
- A user attempting to vend a product that is not active under their account (see Product Availability).
What a 401 Response Looks Like
{
"responseCode": "401",
"responseMessage": "Unauthorized"
}
Common causes:
- Missing Authorization header.
- Expired access token (see Authentication for refresh flow).
- Invalid or revoked token.
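As an added example, not code from the original page or from the API vendor, here is a client that handles the two responses differently: a 401 triggers one token refresh and one retry, while a 403 is surfaced immediately because no token change can fix an account-level or hierarchy denial. The in-memory transport, the token tables, the refresh helper and the "200" success envelope are constructed stand-ins for the real API and its refresh flow; only the 401 and 403 envelopes are taken from this page.

```python
from typing import Callable, Dict, Optional

# Constructed token table standing in for the authorization server:
# valid access token -> account level it was issued for.
FAKE_TOKENS: Dict[str, str] = {
    "tok-merchant": "Merchant",
    "tok-partner": "Partner",
}
# Constructed refresh tokens -> the access token a refresh would mint.
FAKE_REFRESH: Dict[str, str] = {"rt-merchant": "tok-merchant"}

TRANSACTING_ROLES = {"Merchant", "Sub-Merchant"}


def fake_transport(method: str, path: str, token: Optional[str]) -> dict:
    """Offline stand-in for the API that reproduces the 401/403 envelopes from this page."""
    if token is None or token not in FAKE_TOKENS:          # missing, expired or revoked
        return {"responseCode": "401", "responseMessage": "Unauthorized"}
    if method == "POST" and path == "/purchase" and FAKE_TOKENS[token] not in TRANSACTING_ROLES:
        return {"responseCode": "403", "responseMessage": "Access denied"}
    return {"responseCode": "200", "responseMessage": "OK"}  # assumed success shape


def fake_refresh(refresh_token: str) -> Optional[str]:
    """Offline stand-in for POST /auth/token/refresh; None when the refresh token is rejected."""
    return FAKE_REFRESH.get(refresh_token)


class PermissionDenied(Exception):
    """403: the account level or hierarchy forbids this call. Never retried."""


class AuthenticationFailed(Exception):
    """401 that survived one refresh attempt: credentials must be re-established."""


class ApiClient:
    def __init__(self, transport: Callable, refresh: Callable,
                 access_token: Optional[str], refresh_token: str):
        self.transport = transport
        self.refresh = refresh
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.refreshes = 0  # counter exposed for tests and metrics

    def call(self, method: str, path: str) -> dict:
        resp = self.transport(method, path, self.access_token)
        if resp["responseCode"] == "401":
            # Token problem: refresh once and retry once. A 401 with the fresh
            # token means the refresh token is bad too; surface it, never loop.
            self.refreshes += 1
            self.access_token = self.refresh(self.refresh_token)
            resp = self.transport(method, path, self.access_token)
            if resp["responseCode"] == "401":
                raise AuthenticationFailed(resp["responseMessage"])
        if resp["responseCode"] == "403":
            # Authorization problem: no token change fixes this, so do not retry.
            raise PermissionDenied(f"{method} {path}: {resp['responseMessage']}")
        return resp


if __name__ == "__main__":
    client = ApiClient(fake_transport, fake_refresh, "tok-expired", "rt-merchant")
    print(client.call("POST", "/purchase"), "after", client.refreshes, "refresh")
```

Keeping the refresh-and-retry bounded to a single attempt matters operationally: an unbounded retry loop on 401 turns a revoked token into a stream of failed logins, and retrying on 403 hides a real configuration problem (wrong account level, or data outside your hierarchy) behind repeated identical requests.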
Last updated: April 2026