API Reference

Partner Organization

Self-service endpoints for your organization record and credentials. These use organization credentials only (no user session).

GET/partner/me

๐Ÿ”‘ Org key + secret

Returns your partner record with secrets stripped (api_secret_hash and webhook_secret are never returned).

200 ยท Response
{
  "partner": {
    "id": "uuid",
    "name": "acme",
    "display_name": "Acme Financial",
    "slug": "acme",
    "api_key": "pk_test_acme_...",
    "allowed_origins": [],
    "webhook_url": null,
    "scopes": ["users","cards","transactions"],
    "rate_limit": 1000,
    "status": "active",
    "contact_email": "dev@acme.com",
    "config": {}
  }
}

PATCH/partner/me

๐Ÿ”‘ Org key + secret

API key/secret are not editable here (use rotate). At least one field is required.

Body โ€” all optional

display_name, contact_email, contact_name, allowed_origins (string[] of URLs), webhook_url (URL or null), config (object).

Response (200) โ€” same shape as GET /partner/me:

200 ยท Response
{
  "partner": { ... }
}

POST/partner/me/rotate-api-key

๐Ÿ”‘ Org key + secret

Generates a new api_key + api_secret pair. The previous credentials are invalidated immediately, and the new secret is shown only once.

200 ยท Response
{
  "api_key": "pk_test_acme_<new>",
  "api_secret": "sk_test_acme_<new>",
  "message": "Update your stored credentials immediately. The previous key/secret are now invalid; the new secret will not be shown again."
}

GET/partner/usage

๐Ÿ”‘ Org key + secret

Rate-limit config plus a 24-hour activity snapshot.

200 ยท Response
{
  "rate_limit": 1000,
  "status": "active",
  "scopes": ["users","cards","transactions"],
  "last_24h": {
    "webhook_deliveries_succeeded": 142,
    "webhook_deliveries_permanently_failed": 0
  },
  "totals": { "users": 87 }
}