internal_error (500) when creating credit card payment with Payments API - Authorization header conflict

[Everton Fernandes (vertocode)]

---

SDK Version:
"mercadopago": "^2.0.9"

Environment:

• Node.js with TypeScript
• Using seller access tokens (manual integration, not OAuth)

---

Problem

When creating credit card payments using the Payments API with a
seller access token, we encounter different errors depending on
Authorization header handling:

1. With manual Authorization header in requestOptions:
   PA_UNAUTHORIZED_RESULT_FROM_POLICIES (403)
2. Without Authorization header in requestOptions: internal_error
   (500)

---

Code Sample

  const sellerAccessToken = 'TEST-1234567890-seller-token'

  // Initialize SDK with seller token
  const sellerClient = new MercadoPagoConfig({
    accessToken: sellerAccessToken,
    options: { timeout: 5000 },
  })

  const payment = new Payment(sellerClient)

  // Payment body
  const paymentBody = {
    transaction_amount: 10.00,
    description: "Order for 1 item(s)",
    payment_method_id: "master", // Card brand (master, visa, elo, 
  etc.)
    token: "924d86f9de5ec02a756f481646c5d66a29072e", // Card token from 
  frontend SDK
    installments: 1,
    payer: {
      email: "[email protected]",
      first_name: "John",
      last_name: "Doe",
      identification: {
        type: "CPF",
        number: "12345678900"
      }
    },
    external_reference: `order_${Date.now()}`,
    statement_descriptor: 'MYSTORE',
  }

  // Attempt 1: With manual Authorization header
  const requestOptions = {
    headers: {
      Authorization: `Bearer ${sellerAccessToken}`,
      'X-meli-session-id': deviceId,
    },
  }

  const response = await payment.create({
    body: paymentBody,
    requestOptions
  })

---

Response / Error

Attempt 1 (without Authorization header in requestOptions, letting
SDK handle it):

  {
    "blocked_by": "PolicyAgent",
    "code": "PA_UNAUTHORIZED_RESULT_FROM_POLICIES",
    "status": 403,
    "message": "At least one policy returned UNAUTHORIZED."
  }

Attempt 2 (with manual Authorization header):

  {
    "message": "internal_error",
    "error": null,
    "status": 500,
    "cause": []
  }

---

Expected Behavior

The payment should be created successfully when:

• SDK is initialized with MercadoPagoConfig({ accessToken:
  sellerToken })
• Payment body contains all required fields (token, installments,
  payment_method_id, payer info)
• SDK should automatically handle Authorization header

---

Additional Context

1. PIX payments work correctly with the same setup using Payments
   API
2. OAuth flow works when using seller's OAuth access token
3. Card token is valid (generated via frontend MercadoPago SDK)
4. Test credentials being used (TEST- prefix tokens)
5. According to MercadoPago docs,
   PA_UNAUTHORIZED_RESULT_FROM_POLICIES occurs when "Authorization
   header is removed during request or Access Token not sent"

---

Questions

1. Should the Authorization header be manually set in requestOptions
   when the SDK is already initialized with an access token via
   MercadoPagoConfig?
2. Does the SDK properly handle Authorization for Payments API when
   using seller tokens (non-OAuth)?
3. Are there additional requirements for credit card payments with
   manual integration that aren't documented?
4. Is statement_descriptor allowed for non-certified accounts?

---

Workaround Attempted

• ✅ Using Payments API instead of Orders API (Orders API doesn't
  support card tokens properly)
• ✅ Removing statement_descriptor for non-certified accounts
• ❌ Still getting errors regardless of Authorization header
  handling

Any guidance would be greatly appreciated!

---

Environment Details:

• OS: macOS (Darwin 24.6.0)
• Node.js: Latest LTS
• TypeScript: Latest
• Using Express.js backend with MercadoPago SDK