Partner accounts are provisioned by the OneCLI team; there is no self-serve signup yet. Once your partner account exists, you receive a Partner API key and can manage everything below programmatically.
Authentication
The Partner API accepts two credentials:
- Partner API key: a key prefixed oc_partner_, sent as a Bearer token. Use this for programmatic access.
- Partner portal session: the dashboard session of a logged-in partner member. Use this from the portal UI.
Authorization header:
How it works
You provision an organization, the customer starts using it immediately with the tokens you pass them, and ownership transfers to the customer when they open the claim link.
Create an organization
Call POST /partner/orgs with a name. The response returns everything needed to run and to claim the organization.
Hand off the credentials and claim link
Give the org token, project token, and agent token to your customer (or wire them into your own tooling), and send them the claimUrl.
Customer claims ownership
The customer opens the claim link, signs in to OneCLI, and becomes the owner of the organization. Each organization has one claim link at a time.
What you receive when you create an organization
POST /partner/orgs returns one ready-to-use organization with four credentials and a claim link:
| Field | Description |
|---|---|
| organizationId | ID of the new organization. |
| projectId | ID of its default project. |
| orgApiKey | Organization-scoped API key (oc_org_…) for managing the org across projects. |
| projectApiKey | Project-scoped API key (oc_…) for the default project. |
| agentToken | Access token for the default agent; route traffic through the gateway with this. |
| claimUrl | The link your customer opens to claim ownership of the organization. |
Before an organization is claimed
A newly created organization is unclaimed until a customer opens its claim link. While it’s unclaimed:
- LLM calls work: your customer (or your tooling) can start using agents against Anthropic, OpenAI, and other LLM hosts right away.
- Other external calls are paused: any non-LLM request through the gateway returns a claim_required response containing the claim link, so the customer is prompted to finish setup.
Partner-managed secrets
Secrets you create with POST /partner/secrets are inherited by every organization you manage. They’re the lowest-priority credential tier: when a host matches at more than one level, project secrets override organization secrets, which override partner secrets.
This lets you set a shared credential (say a fallback LLM key) once, and have it apply across all your customers’ organizations without provisioning it per org. Customers see inherited secrets as read-only.
A customer can stop inheriting your secrets at any time by detaching their organization (POST /org/partner/detach). Detaching keeps the organization, and its attribution to you, but stops applying partner secrets.
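The precedence and detach rules above can be checked with a small model. This is an added example, not OneCLI code or its implementation; the function names, the exact-hostname matching, and the sample hosts and secret labels are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class Resolved(NamedTuple):
    host: str
    tier: str        # "project", "organization" or "partner"
    secret: str      # label of the winning secret (constructed sample names)
    read_only: bool  # inherited partner secrets are read-only for the customer

def resolve(host, project, organization, partner, detached=False) -> Optional[Resolved]:
    """Pick the credential for `host` using the documented precedence:
    project overrides organization, which overrides partner."""
    tiers = [("project", project), ("organization", organization)]
    # After POST /org/partner/detach the partner tier no longer applies.
    if not detached:
        tiers.append(("partner", partner))
    for tier, secrets in tiers:
        if host in secrets:  # assumption: exact hostname match
            return Resolved(host, tier, secrets[host], read_only=(tier == "partner"))
    return None

def effective_secrets(project, organization, partner, detached=False):
    """Map every host that has a secret at some tier to the one that wins."""
    hosts = set(project) | set(organization) | (set() if detached else set(partner))
    return {h: resolve(h, project, organization, partner, detached) for h in sorted(hosts)}

# Constructed sample data; hosts and secret labels are illustrative only.
PARTNER = {"api.anthropic.com": "partner-fallback-llm", "api.openai.com": "partner-openai"}
ORG = {"api.openai.com": "org-openai"}
PROJECT = {"api.openai.com": "project-openai", "api.example.test": "project-internal"}

if __name__ == "__main__":
    for detached in (False, True):
        print("detached =", detached)
        for r in effective_secrets(PROJECT, ORG, PARTNER, detached).values():
            print(f"  {r.host:20} {r.tier:13} {r.secret:22} read_only={r.read_only}")
```

Running it shows the partner fallback key applying only where no project or organization secret covers the host, and disappearing from the effective set once the organization is detached.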
Managing organizations
| Action | Endpoint |
|---|---|
| List your organizations | GET /partner/orgs |
| Inspect one organization | GET /partner/orgs/{orgId} |
| Reissue a claim link | POST /partner/orgs/{orgId}/claim-link |
| Rotate org + project tokens | POST /partner/orgs/{orgId}/rotate-tokens |
| Delete an unclaimed organization | DELETE /partner/orgs/{orgId} |
| Add or remove projects | GET/POST/DELETE /partner/orgs/{orgId}/projects |
Reissuing claim links, rotating tokens, deleting an organization, and managing projects are only allowed while an organization is unclaimed. After a customer claims it, the organization is theirs to manage.
Endpoint reference
Browse the full request and response details under these groups in the API Reference:
- Partner Organizations: create, list, inspect, delete, reissue claim links, rotate tokens.
- Partner Projects: add and remove projects on an unclaimed organization.
- Partner Secrets: manage credentials inherited across every organization.
- Organization Partner: check partner status and detach (called by the customer’s organization, not by the partner).