Partner Admin API Documentation

Intentional server-to-server contract for partner user provisioning, partner-held connector entitlements, MCP access, and usage reporting.

10 endpoints · 3 sections · Backend auth: Bearer · Key custody: JIT

Credential Custody

Premium connector keys should stay in the partner or customer credential system when the partner is configured for partner_jit.

  • Use credentialRef for premium connector entitlements. PatchOps stores the reference, not the secret.
  • Raw credentials are rejected for partner_jit partners.
  • MCP runtime credential resolution is configured during partner onboarding before partner_jit entitlements are used.
  • PatchOps encrypted credential storage remains available only for partners explicitly configured for patchops_kek.

Identity Model

The partner owns customer and user identity; PatchOps mirrors only the records needed to issue MCP access.

  • partner_tenant_id is the partner's customer or tenant key.
  • partner_user_id is stable within that tenant and makes provisioning idempotent.
  • PatchOps IDs are returned for follow-up calls, but partner IDs remain the system of record.

Auth And Scopes

Partner backends use bearer tokens issued by PatchOps. Tokens are scoped and can be revoked without changing code.

  • provision allows user, token-rotation, and connector-entitlement writes.
  • usage allows billing-period and self-report reads/writes.
  • Token plaintext is shown once at issuance and stored by PatchOps only as a hash.

Error Contract

Partner-scoped resources intentionally return the same not-found shape for missing and cross-partner IDs.

  • 400 means the request shape is invalid for the partner's configured mode.
  • 401/403 are authentication and scope failures.
  • 404 does not reveal whether a resource exists under another partner.
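
The uniform not-found rule above, sketched as an added example (not PatchOps code). The in-memory USERS table, the function names and the 404 body are assumptions made for illustration; the second function is the leaky variant the contract avoids.

```python
# Added illustration; not PatchOps code. Record layout and names are hypothetical.
from typing import NamedTuple


class Response(NamedTuple):
    status: int
    body: dict


# Constructed sample data: each user row records the partner that owns it.
USERS = {
    "usr_a1": {"partner": "collide", "partner_user_id": "operator-123"},
    "usr_b7": {"partner": "other-partner", "partner_user_id": "analyst-9"},
}

NOT_FOUND = Response(404, {"error": "not_found"})  # assumed body shape


def get_user(caller_partner: str, user_id: str) -> Response:
    """Look up a user inside the caller's partner scope only."""
    row = USERS.get(user_id)
    # A missing row and a row owned by another partner take the same branch,
    # so neither status nor body can be used to probe other partners' IDs.
    if row is None or row["partner"] != caller_partner:
        return NOT_FOUND
    return Response(200, {"patchops_user_id": user_id,
                          "partner_user_id": row["partner_user_id"]})


def leaky_get_user(caller_partner: str, user_id: str) -> Response:
    """Counter-example: a distinct 403 confirms the ID exists elsewhere."""
    row = USERS.get(user_id)
    if row is None:
        return NOT_FOUND
    if row["partner"] != caller_partner:
        return Response(403, {"error": "forbidden"})
    return Response(200, {"patchops_user_id": user_id})
```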

Overview

Mirrors a partner tenant and user into PatchOps. The operation is idempotent on partner_tenant_id and partner_user_id, and reactivates a previously revoked user in the same partner scope.

Auth

Partner-admin bearer token with provision scope

Surface

Users & Tenants

Base URL

https://patchops.ai

Parameters

Name | In | Type | Required | Description
Authorization | header | Bearer token | yes | Partner-admin API token issued to the partner backend. Example: Bearer po_part_...

Request Body

application/json: Partner tenant/user identity and display account details.

Request example

application/json

{
  "partner_tenant_id": "acme-west",
  "partner_user_id": "operator-123",
  "email": "operator@acme.example",
  "name": "Taylor Operator",
  "role": "member"
}

Notes

  • The bearer_token is returned once. The partner backend must store it for the user.
  • Tokens with provision scope cannot grant owner/admin roles unless they also have manage_admins.

Responses

Status | Meaning
200 | User and tenant were created, found, or reactivated.
400 | Payload validation failed.
409 | Email or idempotency mismatch conflict.
413 | Request body exceeded the 4 KB limit.
401 | Missing, malformed, expired, revoked, or invalid bearer token.
403 | Partner is inactive or the bearer token lacks the required scope.
500 | Provisioning failed.

cURL

POST /api/partner-admin/users

Terminal

curl "$BASE_URL/api/partner-admin/users" \
  -X POST \
  -H "Authorization: Bearer $PARTNER_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "partner_tenant_id": "acme-west",
  "partner_user_id": "operator-123",
  "email": "operator@acme.example",
  "name": "Taylor Operator",
  "role": "member"
}'

Sample Response

Response example

JSON

{
  "patchops_org_id": "org_...",
  "patchops_user_id": "usr_...",
  "mcp_url": "https://patchops.ai/api/mcp/...",
  "bearer_token": "po_user_...",
  "bearer_token_prefix": "po_user_",
  "has_bearer_token": true,
  "created_org": false,
  "created_user": true
}

Overview

Mints a new per-user MCP bearer token, stores only its hash on PatchOps MCP instances, and clears access caches so the old token stops working.

Auth

Partner-admin bearer token with provision scope

Surface

Users & Tenants

Base URL

https://patchops.ai

Parameters

Name | In | Type | Required | Description
Authorization | header | Bearer token | yes | Partner-admin API token issued to the partner backend. Example: Bearer po_part_...
userId | path | string | yes | PatchOps user ID returned by the provisioning endpoint.

Responses

Status | Meaning
200 | Token rotated. The new plaintext token is included once.
400 | userId is missing.
404 | User not found, cross-partner, or revoked.
401 | Missing, malformed, expired, revoked, or invalid bearer token.
403 | Partner is inactive or the bearer token lacks the required scope.

cURL

POST /api/partner-admin/users/{userId}/rotate-token

Terminal

curl "$BASE_URL/api/partner-admin/users/$USER_ID/rotate-token" \
  -X POST \
  -H "Authorization: Bearer $PARTNER_ADMIN_TOKEN"

Sample Response

Response example

JSON

{
  "patchops_user_id": "usr_...",
  "bearer_token": "po_user_...",
  "bearer_token_prefix": "po_user_",
  "instances_rotated": 1
}
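
Hash-only token storage and rotation, as described for this endpoint and under Auth And Scopes, shown as an added example (not PatchOps code). TokenStore, the SHA-256 choice and the dictionary cache are assumptions; the point is that an uncleared access cache keeps the old token working after rotation.

```python
# Added illustration; not PatchOps code. Class, hash choice and cache are assumptions.
import hashlib
import hmac
import secrets

PREFIX = "po_user_"  # prefix shown in the page's sample responses


def digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # assumed hash function


class TokenStore:
    def __init__(self):
        self.hashes = {}  # user_id -> hex digest; plaintext is never kept
        self.cache = {}   # digest -> user_id, a stand-in for an access cache

    def issue(self, user_id: str) -> str:
        token = PREFIX + secrets.token_urlsafe(32)
        self.hashes[user_id] = digest(token)
        return token      # returned once; only the digest is stored

    def rotate(self, user_id: str, clear_cache: bool = True) -> str:
        if user_id not in self.hashes:
            raise KeyError("unknown user")
        if clear_cache:
            # Drop cached decisions that were made under the old digest.
            self.cache = {d: u for d, u in self.cache.items() if u != user_id}
        return self.issue(user_id)

    def verify(self, token: str):
        d = digest(token)
        if d in self.cache:
            return self.cache[d]
        for user_id, stored in self.hashes.items():
            if hmac.compare_digest(stored, d):  # constant-time comparison
                self.cache[d] = user_id
                return user_id
        return None


def old_token_survives(clear_cache: bool) -> bool:
    """True if the pre-rotation token still verifies after rotate()."""
    store = TokenStore()
    old = store.issue("usr_demo")
    store.verify(old)  # warms the cache with the old digest
    store.rotate("usr_demo", clear_cache)
    return store.verify(old) is not None
```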

Overview

Lists partner-owned connector entitlement metadata. Credential values and credential references are never returned.

Auth

Partner-admin bearer token

Surface

Connector Entitlements

Base URL

https://patchops.ai

Parameters

Name | In | Type | Required | Description
Authorization | header | Bearer token | yes | Partner-admin API token issued to the partner backend. Example: Bearer po_part_...

Notes

  • credentialMode reports the storage/custody mode for the entitlement.
  • credentialRef values are intentionally omitted from list responses.

Responses

Status | Meaning
200 | Partner connector entitlements.
401 | Missing, malformed, expired, revoked, or invalid bearer token.
403 | Partner is inactive or the bearer token lacks the required scope.

cURL

GET /api/partner-admin/connections

Terminal

curl "$BASE_URL/api/partner-admin/connections" \
  -H "Authorization: Bearer $PARTNER_ADMIN_TOKEN"

Sample Response

Response example

JSON

{
  "partner": "collide",
  "connections": [
    {
      "id": "conn_...",
      "name": "Acme Production Corva",
      "status": "connected",
      "orgId": "org_...",
      "providerId": "provider_...",
      "providerDisplayName": "Corva",
      "credentialMode": "partner_jit"
    }
  ]
}

Overview

Creates a partner-scoped connector entitlement for one customer org. For partner_jit partners, send credentialRef and keep premium connector keys in the partner credential system.

Auth

Partner-admin bearer token with provision scope

Surface

Connector Entitlements

Base URL

https://patchops.ai

Parameters

Name | In | Type | Required | Description
Authorization | header | Bearer token | yes | Partner-admin API token issued to the partner backend. Example: Bearer po_part_...

Request Body

application/json: Customer org, provider, display name, and partner-held credential reference.

Request example

application/json

{
  "orgId": "org_...",
  "providerId": "provider_...",
  "name": "Acme Production Corva",
  "credentialRef": "vault://collide/acme-west/corva/prod"
}

Notes

  • partner_jit partners must send credentialRef and must not send credentials.
  • patchops_kek partners may send credentials instead. That legacy shape is shown below for explicitly configured encrypted-storage partners.

{
  "orgId": "org_...",
  "providerId": "provider_...",
  "name": "Acme Production Corva",
  "credentials": {
    "apiKey": "secret-value",
    "tenantId": "acme"
  }
}

Responses

Status | Meaning
200 | Connector entitlement created.
400 | Body validation failed or the body conflicts with the partner credential-storage mode.
404 | Org or provider was not found in this partner scope.
413 | Request body exceeded the 64 KB limit.
401 | Missing, malformed, expired, revoked, or invalid bearer token.
403 | Partner is inactive or the bearer token lacks the required scope.
500 | Credential encryption failed for patchops_kek partners.

cURL

POST /api/partner-admin/connections

Terminal

curl "$BASE_URL/api/partner-admin/connections" \
  -X POST \
  -H "Authorization: Bearer $PARTNER_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "orgId": "org_...",
  "providerId": "provider_...",
  "name": "Acme Production Corva",
  "credentialRef": "vault://collide/acme-west/corva/prod"
}'

Sample Response

Response example

JSON

{
  "success": true,
  "id": "conn_..."
}
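
A pre-flight check a partner backend could run before calling this endpoint, so that a raw secret never leaves the partner network when the partner is configured for partner_jit. This is an added example, not PatchOps code; preflight_connection, its messages, the required-field list and the patchops_kek either/or rule are assumptions.

```python
# Added illustration; not PatchOps code. Function name and messages are hypothetical.
import json
from typing import Tuple

MAX_BODY_BYTES = 64 * 1024  # documented 413 limit for POST /api/partner-admin/connections


def preflight_connection(mode: str, body: dict) -> Tuple[int, str]:
    """Return (expected_status, reason) for a create-connection body."""
    raw = json.dumps(body).encode("utf-8")
    if len(raw) > MAX_BODY_BYTES:
        return 413, "body exceeds 64 KB"
    # Assumption: orgId, providerId and name are required, as in the page's examples.
    missing = [k for k in ("orgId", "providerId", "name") if not body.get(k)]
    if missing:
        return 400, "missing " + ", ".join(missing)
    has_ref = bool(body.get("credentialRef"))
    has_raw = "credentials" in body
    if mode == "partner_jit":
        # Fail closed on any raw secret, even if a credentialRef is also present.
        if has_raw:
            return 400, "raw credentials are rejected for partner_jit"
        if not has_ref:
            return 400, "partner_jit requires credentialRef"
    elif mode == "patchops_kek":
        # Assumption: exactly one of the two fields must be present.
        if has_ref == has_raw:
            return 400, "send either credentials or credentialRef"
    else:
        return 400, "unknown credential mode"
    return 200, "ok"


# Constructed sample bodies, modelled on the page's request examples.
JIT_BODY = {"orgId": "org_...", "providerId": "provider_...",
            "name": "Acme Production Corva",
            "credentialRef": "vault://collide/acme-west/corva/prod"}
KEK_BODY = {"orgId": "org_...", "providerId": "provider_...",
            "name": "Acme Production Corva",
            "credentials": {"apiKey": "secret-value", "tenantId": "acme"}}
```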