PartnerOS uses session-based authentication. When you sign in through the web application, the server issues a session cookie that is tied to your user account and active organization. Every subsequent request to the API must carry that cookie so the server can verify your identity and scope your data to the correct organization.

How authentication works

There is no separate API key system. Authentication flows through the same mechanism the PartnerOS web app uses:
  1. You sign in at https://app.partneros.com with your email and password (or SSO).
  2. The server sets a session cookie in your browser.
  3. You include that cookie in the Cookie request header when calling API endpoints directly.
The session is org-scoped. If your account belongs to multiple organizations, the active organization context is stored in the session. All API responses are filtered to data that belongs to the active org.

Obtaining a session

Sign in via the auth endpoint to establish a session programmatically:
curl --request POST \
  --url "https://app.partneros.com/api/auth/sign-in/email" \
  --header "Content-Type: application/json" \
  --data '{
    "email": "you@yourcompany.com",
    "password": "your-password"
  }'
The response sets a Set-Cookie header. Capture the cookie value from that header and include it in subsequent requests.
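When using curl, pass --cookie-jar session.txt --cookie session.txt to automatically save and replay the session cookie across requests. The cookie jar file holds the session token in plain text, so restrict its permissions and keep it out of version control.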

Making an authenticated request

Pass the session cookie in the Cookie header on every API call:
curl --request GET \
  --url "https://app.partneros.com/api/integrations/conn_01hx.../status" \
  --header "Content-Type: application/json" \
  --header "Cookie: session_token=<your-session-token>"
The session cookie name is session_token. Copy the value from the Set-Cookie header returned at sign-in and pass it in every subsequent request.

Session expiry

Sessions expire after a period of inactivity or when you sign out. When a session expires, the API returns 401 Unauthorized. Sign in again to obtain a fresh session.

Common authentication errors

401 Unauthorized

Your request is missing a session cookie, or the session has expired.
{
  "error": "Unauthorized"
}
What to do: Sign in again to get a valid session, then retry the request.

403 Forbidden

You are authenticated but your account role does not permit the requested action. For example, users with the partner role cannot access internal management endpoints.
{
  "error": "Forbidden"
}
What to do: Check that your account has the correct role for the operation. Contact your organization’s PartnerOS admin if you believe this is a mistake.

400 No active organization

Your session is valid but no active organization is set.
{
  "error": "No active organization."
}
What to do: Ensure your account is a member of at least one organization and that an active organization context is established. This usually means completing sign-in through the web app once first.

Security recommendations

Never embed your session cookie in frontend code, public repositories, or log files. Session tokens grant full access to your PartnerOS organization.
  • Rotate your session by signing out and signing back in if you suspect a token has been compromised.
  • Use environment variables or a secrets manager to store session tokens in scripts or CI pipelines.
  • Prefer short-lived sessions for automated workflows and re-authenticate on a schedule rather than reusing a single long-lived token.
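
The sign-in, cookie replay, 401 handling and storage recommendations above, combined in one script. This is an added example, not PartnerOS code; the variable names PARTNEROS_EMAIL, PARTNEROS_PASSWORD and PARTNEROS_JAR and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not PartnerOS code. PARTNEROS_EMAIL, PARTNEROS_PASSWORD and
# PARTNEROS_JAR are assumed names chosen for this script.
BASE_URL="https://app.partneros.com"
JAR="${PARTNEROS_JAR:-$HOME/.partneros-session.txt}"

# Escape backslashes and double quotes so a value is safe inside a JSON string
# (control characters are not handled).
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Sign in and save the session cookie. The JSON body goes to curl on stdin, so
# the password is not in curl's argument list; umask 077 makes a newly created
# cookie jar readable by its owner only.
pos_login() {
  if [ -z "$PARTNEROS_EMAIL" ] || [ -z "$PARTNEROS_PASSWORD" ]; then
    echo "set PARTNEROS_EMAIL and PARTNEROS_PASSWORD" >&2; return 2
  fi
  ( umask 077
    printf '{"email":"%s","password":"%s"}' \
      "$(json_escape "$PARTNEROS_EMAIL")" "$(json_escape "$PARTNEROS_PASSWORD")" |
    curl --silent --fail --output /dev/null --request POST \
      --url "$BASE_URL/api/auth/sign-in/email" \
      --header "Content-Type: application/json" \
      --data @- --cookie-jar "$JAR" )
}

# GET an API path and write the response body to a file. A 401 triggers one
# fresh sign-in and one retry; 403 and 400 are reported and never retried.
pos_get() {
  path=$1; out=$2; attempt=1
  while [ "$attempt" -le 2 ]; do
    status=$(curl --silent --output "$out" --write-out '%{http_code}' \
      --cookie "$JAR" --cookie-jar "$JAR" --url "$BASE_URL$path") || return 3
    case $status in
      2??) return 0 ;;
      401) pos_login || return 1 ;;   # session missing or expired
      403) echo "403 Forbidden: role does not permit $path" >&2; return 1 ;;
      *)   echo "HTTP $status: $(cat "$out")" >&2; return 1 ;;
    esac
    attempt=$((attempt + 1))
  done
  echo "still 401 after signing in again" >&2; return 1
}
# Usage: pos_get "/api/integrations/<connection-id>/status" status.json
```

If the cookie jar already exists with looser permissions, umask does not tighten them; run chmod 600 on it once.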