Customer Invites and Authentication
FAR provides two mechanisms for granting access to customer accounts: invites for onboarding human users, and authentication credentials for programmatic access. A third entity, merchant credentials, handles the reverse direction — storing credentials that let the platform connect to external merchant systems on behalf of a customer.
Customer invites
A Customer Invite manages email-based invitations for users to join a customer's team. Each invite records:
- Email address — the recipient of the invitation
- Invite state — tracks the invitation lifecycle (pending, accepted, expired, etc.)
- User permissions — the permission level granted to the invited user (defaults to
VIEWS)
Expiry
Invites expire by default after one day. This short window limits the risk of stale invitations being used after the intended context has changed.
Processing
When an invite is created, the system triggers an asynchronous job that handles:
- Sending the invitation email
- Creating the user account (if the recipient is new)
- Establishing the appropriate permissions on the customer record
This asynchronous approach ensures that the invite creation is fast while the heavier account-setup work happens in the background.
Customer API keys
Customer Authentication Credentials provide API keys for programmatic access to Raytio's APIs on behalf of a customer. Key characteristics:
- Auto-generated — API keys are generated automatically with a
sk-cust-prefix - Immutable — once created, the API key value cannot be updated; a new credential must be created instead
- Named — each credential has a
customer_api_key_namefor identification
The sk-cust- prefix makes it easy to identify customer-scoped API keys in logs and configuration, distinguishing them from other credential types.
Merchant credentials
Customer Merchant Authentication Credentials store the credentials needed for the platform to connect to external merchant systems (e.g. payment gateways) on behalf of a customer. Each credential references a merchant from the XRM (External Relationship Management) module and can hold:
- Client ID and secret — for OAuth-based authentication
- API key — for API-key-based authentication
- Username and password — for basic authentication
This flexibility supports multiple authentication schemes across different merchant integrations.
Authorisation
All three credential types inherit authorisation from the parent customer, ensuring that only users with access to the customer record can see its invites and credentials.
Further reading
- Customers — the customer records that invites and credentials belong to
- Data Model Overview — how invites and credentials fit into the broader FAR model