Partner API Onboarding

Onboard a B2B partner from zero to a working API call in under 30 minutes. This recipe creates a client identity for the partner, binds a profile with token-based authentication and a rate limit policy, and grants them portal access so they can discover and test your APIs.

Typical scenario: A new logistics partner needs access to your shipment tracking and order APIs. They should see only those collections, have a 200 req/min rate limit, and be able to try calls from the developer portal.

Prerequisites

You are signed in to the Management UI as an admin or editor
At least one published collection exists (e.g. shipments or orders)
A rate limit policy is already defined, or you will create one in step 4

Step 1 — Create the partner client

A client is the identity record for a caller. It holds credentials the partner will send on every request.

Open Clients & Profiles → Clients in the left sidebar.
Click New client.
Fill in the form:
- Name: partner-acme-corp
- Description: Acme Corp logistics integration
- Status: Enabled
Click Save. The client is created with a generated Client ID.

tip

Copy the Client ID shown after creation — the partner will send this in the X-Client-ID request header.

Step 2 — Create a profile for the partner

A profile sets the authentication method, allowed HTTP methods, IP restrictions, and rate limiting for a client.

In Clients & Profiles → Profiles, click New profile.
Set:
- Name: acme-corp-standard
- Client: select partner-acme-corp (created in step 1)
- Auth method: Token
Under Token settings, generate or paste a token for the partner. Store it — the partner will send this as the Authorization: Bearer <token> header.
Under Allowed methods, enable only GET and POST.
Leave IP allowlist empty for now (add it later if needed).
Click Save.

Step 3 — Assign the client to a collection

Connecting the client to a collection means the partner can access that collection's endpoints.

Open Collections and select the collection the partner needs (e.g. shipments).
Go to the Access tab within the collection.
Click Add client, select partner-acme-corp.
Confirm the assignment and click Save.
Repeat for any additional collections this partner needs.

Step 4 — Attach a rate limit policy

Policies enforce throughput limits so one partner cannot overload your upstream.

Open Clients & Profiles → Policies.
If a suitable policy does not exist, click New policy:
- Name: standard-partner-200rpm
- Rate limit: 200 requests per minute
- Quota: 50,000 requests per day
Open Clients & Profiles → Clients, select partner-acme-corp.
Under Policies, attach standard-partner-200rpm.
Click Save.

Step 5 — Enable portal access

Give the partner access to the developer portal so they can browse documentation and test calls from the browser.

Open the partner-acme-corp client record.
Click the Portal access tab.
Under Authorized emails, add the partner's email address (e.g. [email protected]).
Click Save.

The partner will now receive a magic-link invite when they visit the developer portal and request access.

Step 6 — Verify the integration

Test that the partner credentials work from the command line before handing over the keys.

curl -i https://gateway.example.com/shipments/track/12345 \
  -H "X-Client-ID: <client-id>" \
  -H "Authorization: Bearer <partner-token>" \
  -H "X-Profile-ID: acme-corp-standard"

Expected results:

Check	Expected
Valid token + correct headers	`200` with response body
Missing `X-Client-ID` header	`401 Unauthorized`
Wrong or expired token	`401 Unauthorized`
Request rate above 200/min	`429 Too Many Requests`
Method not in allowed list	`405 Method Not Allowed`

Send the partner:

Client ID: from the client record
Bearer token: from the profile token settings
Profile ID: acme-corp-standard
Base URL: your gateway endpoint
Collections available: link to their portal view

Direct them to the developer portal URL to explore and test endpoints in their browser.

Verify in observability

Open Logs → Request Logs and filter by Client ID = partner-acme-corp. After the partner sends their first request, you should see the call logged with status, latency, and headers.

Open Logs → Audit Logs to confirm the client and profile creation events are recorded.

Next steps

Add mTLS authentication for high-assurance partners
Configure IP allowlisting to restrict to the partner's known IPs
Set up credential rotation for long-lived integrations
Developer Portal overview — share with the partner team

Prerequisites​

Step 1 — Create the partner client​

Step 2 — Create a profile for the partner​

Step 3 — Assign the client to a collection​

Step 4 — Attach a rate limit policy​

Step 5 — Enable portal access​

Step 6 — Verify the integration​

Step 7 — Share credentials with the partner​

Verify in observability​

Next steps​