Managing API Access for External Partners
Scenario: Your company has multiple external partners consuming different APIs. You need to control access, monitor usage, and provide documentation without exposing internal systems.
Features Used:
- Groups
- API Access
- Customer Role
- API Catalog
Overview
Managing external partner integrations at scale requires:
- Organized access control - Different partners need access to different APIs
- Automatic data filtering - Partners should only see their own request data
- Self-service documentation - Partners need API docs without internal system access
- Usage monitoring - Track which partners are using which APIs
This workflow demonstrates how to use Treblle’s access control features together to create a secure, scalable partner ecosystem.
Step 1: Create Partner Groups
Groups allow you to organize external partners by their access needs, making it easy to grant API access to multiple partners at once.
Navigate to Groups Management
- Click Settings in the left navigation bar
- Select User Management from the settings menu
- Click on the Groups tab
The Groups management page displays all your existing groups with:
- Name: Group identifier
- Members: Number of people in each group
- Created At: When the group was established
Create Logical Group Structure
Click + New Group and create groups that reflect your partner ecosystem:
The group creation dialog allows you to:
- Name: Enter a descriptive group name like “Payment Gateway Partners”
- People: Add initial members during creation (optional)
- Click Create Group to establish the group
Example Group Structure:
Payment Gateway Partners
Partners who process payments through your APIs - Stripe, PayPal, Square. They need access to Payment API, Transaction API, and Refund API.
Analytics Platform Partners
Partners who consume analytics data - Segment, Amplitude, Mixpanel. They need access to Analytics API and Events API.
Integration Partners
Partners building integrations with your platform - Zapier, Make, Workato. They need broad access to User API, Webhook API, and Core API.
Beta Program Partners
Early access partners testing new features - limited group with access to experimental APIs before general availability.
Group Naming Best Practices
Tip
Naming Convention Tip: Use descriptive, consistent names that reflect the business relationship:
- Good: “Payment Gateway Partners”, “Enterprise Integration Partners”, “Regional Resellers - EMEA”
- Avoid: “Group 1”, “External Users”, “Partners”
This makes it easier to assign access as your partner ecosystem grows.
Once created, the group details panel shows:
- Created At: When the group was established (11/12/2025)
- API Access: Number of APIs this group can access (0 initially, configured in Step 2)
- Group Members: All current members with their roles and email addresses
- Actions: Edit Group or Delete options
For Each Group, Define:
- Group Name: Clear, descriptive identifier
- Description: Purpose and typical use cases
- Access Level: Which APIs this group should access
Note
Groups are not just for organization - they’re the foundation of your access control strategy. Well-designed groups scale as you add more partners and APIs.
Step 2: Configure API Access by Group
Once groups are created, connect them to specific APIs. This creates automatic access control - anyone added to a group inherits its API permissions.
Navigate to API Access Settings
- Go to User Management in Settings
- Click on the API Access tab
- You’ll see a list of all your APIs
Assign Groups to APIs
For each API you want to share with partners:
- Select the API from the list (e.g., “Payment API”)
- Click View API Access to open the access management panel
- Navigate to the Groups section within the access panel
- Click + Add to assign groups
- Select the relevant partner group (e.g., “Payment Gateway Partners”)
- Save your changes
What Happens Automatically
When you assign a group to an API:
Tip
Access Control Tip: Start restrictive and expand access based on partner needs. It’s easier to grant additional API access than to revoke it after partners have built dependencies.
Step 3: Invite Partners with Customer Role
Now that groups and API access are configured, invite your external partners to the platform.
Navigate to People Management
- Go to Settings → User Management
- Click on the People tab
- Click Email Invite or + Add User
Complete the Invitation Form
Fill in the partner’s details:
Required Fields:
- Email Address: Partner contact’s work email
- Role: Select Customer (critical - this role has limited permissions)
- Group: Select the appropriate partner group
- First Name / Last Name: Partner contact details
Understanding the Customer Role
The Customer role is specifically designed for external partners:
Limited Dashboard Access
Customers cannot see your internal workspace, team members, or system configuration. They access only what you explicitly share.
Filtered Request Data
When viewing API requests, customers see only requests tagged with their customer ID - complete data isolation between partners.
API Documentation Only
Customers can view API specs, endpoints, request/response formats, and test endpoints - but cannot modify APIs or access analytics.
No Administrative Access
Customers cannot invite other users, change settings, view billing, or access governance/compliance features.
Bulk Invitations
For onboarding multiple partners at once:
- Click Bulk Invite in the People management section
- Upload a CSV file with columns: email, role, group
- The interface shows instructions:
- Upload .csv file with three columns (email, role, group)
- Each person receives an invitation email
- Click Send Invites after uploading
CSV Format Example:
email,role,group
partner1@stripe.com,member,Payment Gateway Partners
partner2@paypal.com,member,Payment Gateway Partners
analyst@segment.com,member,Analytics Platform PartnersManaging Existing Partners
To change a partner’s access:
- Find them in the People list
- Click on their name to view their profile, which shows:
- Role: Current workspace role (Owner in this example)
- Group: Which partner group they belong to (Payment Gateway Partners)
- API Access: Number of APIs they can access (20)
- Date Added: When they were invited (26/03/2025)
- Click Edit Role & Group to modify their access
- Changes take effect immediately
The People management table provides:
- Complete list of all workspace members
- Group column showing each member’s group assignment
- Actions menu (⋮) for each user with options to:
- View User: See detailed profile
- Delete: Remove user access
Caution
Security Reminder: Regularly audit your partner list. Remove access for partners who are no longer actively integrating. Use the “Last Active” column to identify inactive accounts.
Step 4: Ensure Customer ID Tracking
For Treblle to automatically filter data per partner, your API must pass customer identifiers in requests.
Implement Customer ID in Metadata
Add the customer identifier to the treblle-metadata header in your API:
// Node.js / Express Example
app.use((req, res, next) => {
// Extract customer ID from JWT token, API key, or session
const customerId = extractCustomerFromAuth(req);
// Set Treblle metadata
req.headers['treblle-metadata'] = JSON.stringify({
'user-id': customerId, // Maps to customer in Treblle
'Plan': determineCustomerPlan(customerId),
'Region': determineCustomerRegion(customerId)
});
next();
});# Python / Flask Example
from flask import request
@app.before_request
def add_treblle_metadata():
# Extract customer ID from auth
customer_id = extract_customer_from_auth(request)
# Set Treblle metadata
request.headers['treblle-metadata'] = json.dumps({
'user-id': customer_id,
'Plan': determine_customer_plan(customer_id),
'Region': determine_customer_region(customer_id)
})// PHP / Laravel Example
namespace App\Http\Middleware;
class TreblleMetadata
{
public function handle($request, $next)
{
// Extract customer ID from auth
$customerId = $this->extractCustomerFromAuth($request);
// Set Treblle metadata
$request->headers->set('treblle-metadata', json_encode([
'user-id' => $customerId,
'Plan' => $this->determineCustomerPlan($customerId),
'Region' => $this->determineCustomerRegion($customerId)
]));
return $next($request);
}
}Metadata Best Practices
Consistent Identifiers
Use the same customer ID format across all APIs - company name, unique ID, or domain. Example: “stripe-inc” or “cust_abc123”
Include Business Context
Add Plan tier (Free, Pro, Enterprise) and Region for better segmentation and analysis of partner usage patterns
Extract from Authentication
Pull customer ID from JWT claims, API key metadata, or OAuth tokens - never from request body to prevent spoofing
Validate Before Setting
Verify the customer ID exists in your system before adding to metadata. Log warnings for invalid IDs to catch integration issues
Verification
Test that customer IDs are being tracked correctly:
- Make a test API request as a partner
- Go to Requests in Treblle
- Open the request details
- Check the Headers tab first
- Find the
treblle-metadataheader (line 11 in the example above) - Verify it contains the customer ID in JSON format:
{
"user-id": "Microsoft",
"Plan": "Platinum Plan"
}Then switch to the Metadata tab:
The Metadata tab displays the parsed values from the header:
- Customer: Microsoft
- Trace ID: wryrYpzmu1
- Region: APAC
- Plan: Platinum Plan
Note
Tracing Note: The trace-id field in metadata is used for API Traceability and will group related requests in Treblle’s Trace section. This is the recommended approach. Alternatively, you can pass trace IDs using the treblle-tag-id header directly, but the metadata approach (trace-id inside treblle-metadata) is preferred and will override any root-level treblle-tag-id header if both are present.
Tip
Testing Tip: Create a test partner account with Customer role and make requests with different customer IDs. Verify in the Observability portal that you only see requests matching your test customer ID.
Why This Matters
Customer ID tracking enables:
- Data isolation: Partners see only their requests
- Usage analytics: Track which partners use which endpoints
- Billing accuracy: Measure API consumption per partner
- Support efficiency: Quickly filter to a specific partner’s requests
- Security monitoring: Detect suspicious patterns per partner
Note
The customer ID in treblle-metadata directly connects to the Customer accounts you created in Step 3. Make sure these identifiers match exactly - “stripe-inc” in metadata should correspond to a customer account with that ID.
Step 5: Publish APIs to API Catalog
The API Catalog is your external-facing API documentation portal. Publishing APIs here makes them discoverable and accessible to your partners.
Navigate to API Settings
- Select an API from your APIs list
- Click API Settings (gear icon)
- Scroll to the API Options section
Configure Publication Details
Before publishing, configure:
API Category (required)
- Logical grouping for navigation
- Examples: “Payment APIs”, “Analytics APIs”, “User Management APIs”, “Integration APIs”
Tags (recommended)
- Searchable keywords
- Examples: “OAuth”, “REST”, “WebSocket”, “v2”, “Beta”, “Deprecated”
Description (required)
- Clear summary of API purpose
- Include primary use cases and target audience
Version (recommended)
- Semantic versioning (v1.0, v2.1)
- Helps partners understand API maturity
Click Publish
- Review all fields for accuracy
- Click the Publish button
- The API is now visible in your API Catalog
Tip
Documentation Tip: Before publishing, ensure your API has:
- Comprehensive endpoint descriptions
- Request/response examples for all endpoints
- Error code documentation
- Authentication requirements
- Rate limiting information
Use Treblle’s built-in documentation editor to enhance API docs before making them public to partners.
What Partners See in API Catalog
After publication, partners with appropriate group access can:
Browse Published APIs:
- Filter by category (Payment, Analytics, etc.)
- Search by tags (OAuth, REST, v2)
- View API versions and status (Stable, Beta, Deprecated)
Access Full Documentation:
- Complete endpoint list with descriptions
- Request/response schemas
- Code examples in multiple languages
- Authentication guides
- Error handling documentation
When partners click into a specific endpoint (like auth/login shown above), they see:
- HTTP Method and Path: POST auth/login clearly displayed
- Request Body: Field names and types (email: string, password: string)
- Response Structure: Expected response format with status code (200)
- Example Response: Full JSON response showing the data structure
- Sidebar Navigation: Browse all endpoints organized by resource (auth, articles, users)
Test Endpoints (Optional):
- Interactive API testing directly in catalog
- Pre-filled authentication from their customer account
- Real requests to your APIs (if testing is enabled)
Monitor Their Usage:
- Link to Observability portal
- See their own API requests
- Track their integration health
Organizing Multiple APIs
As your catalog grows, maintain organization:
Managing Publication Status
You can unpublish or update APIs at any time:
To Unpublish:
- Go to API Settings
- Click Unpublish in API Options
- Partners immediately lose catalog access (but existing integrations continue working)
To Update:
- Edit category, tags, or description
- Changes appear immediately in catalog
- No need to republish
Caution
Deprecation Warning: When deprecating an API, don’t immediately unpublish. Instead:
- Add a “Deprecated” tag
- Update description with sunset date and migration guide
- Announce to affected partners via email
- Wait at least 90 days before unpublishing
The Metadata tab in Treblle displays the extracted business context:
- Customer: Microsoft (automatically filtered for this partner)
- Trace ID: wryrYpzmu1 (for distributed tracing)
- Region: APAC (geographic context)
- Plan: Platinum Plan (subscription tier)
This information comes directly from the treblle-metadata header you set in your API code.
Complete Partner Access Workflow
Here’s how all the pieces work together:
Partner Onboarding Flow
1. Partner Signs Agreement
Business team closes deal with new partner. They determine which APIs the partner needs access to.
2. Platform Team Adds to Group
You create or select appropriate group (e.g., “Payment Gateway Partners”), ensuring it has access to the right APIs.
3. Send Invitation
Invite partner contact with Customer role and group assignment. They receive email with access credentials.
4. Partner Explores Catalog
Partner logs in, browses API Catalog, views documentation for APIs their group can access, and starts integration.
During Integration
- Partner implements your API using documentation from catalog
- Your API tracks customer ID in
treblle-metadataheader - Requests flow through Treblle with proper customer tagging
- Partner views their data in Observability portal - sees only their requests
- You monitor all partners from your internal Treblle workspace
Troubleshooting Common Issues
Partners Can’t See Their Requests
Problem: Partner logs into Observability portal but sees no data
Diagnosis:
- Check if your API is setting
treblle-metadatawithuser-id - Verify the customer ID in metadata matches their account ID
- Confirm they’ve made requests since being added
Solution:
// Verify customer ID is being set
console.log('Treblle Metadata:', req.headers['treblle-metadata']);
// Should show: {"user-id":"partner-company-name",...}
// Check customer account ID in Treblle matches
// If partner company is "Stripe Inc" but metadata says "stripe",
// requests won't be associated correctlyPartners See Wrong APIs in Catalog
Problem: Partner has access to APIs they shouldn’t see, or can’t see APIs they need
Diagnosis:
- Check which group they’re assigned to (Settings → People)
- Review that group’s API access (Settings → API Access)
- Verify the APIs are published (not just internal)
Solution:
- Remove partner from incorrect group
- Add them to correct group
- Verify group has access to required APIs
- Changes take effect immediately - have partner refresh catalog
Invitations Not Received
Problem: Partner says they didn’t receive invitation email
Diagnosis:
- Check spam/junk folders
- Verify email address is correct in People list
- Check if invitation expired (invites are valid for 7 days)
Solution:
- Resend invitation from People list
- If repeatedly fails, check email deliverability settings
- As alternative, manually create account and share login link
Customer ID Not Tracking
Problem: All requests show up under “Unknown” customer
Diagnosis:
- Check if
treblle-metadataheader is being set - Verify
user-idfield exists in metadata - Confirm customer ID format matches customer accounts
Solution:
// Debug middleware
app.use((req, res, next) => {
const metadata = req.headers['treblle-metadata'];
if (!metadata) {
console.error('Missing treblle-metadata header');
} else {
const parsed = JSON.parse(metadata);
if (!parsed['user-id']) {
console.error('Missing user-id in metadata');
} else {
console.log('Customer ID:', parsed['user-id']);
}
}
next();
});Next Steps
Now that you’ve set up partner access management:
- Create partner onboarding docs: Build a comprehensive guide partners receive upon invitation
- Set up automated alerts: Configure notifications for partner error spikes or unusual activity
- Build internal runbooks: Document how to provision, modify, and revoke partner access
- Establish SLAs: Define response times for partner support issues
- Plan for scale: Design your group structure to accommodate 10x growth
