
# Partner API Overview

> Production flow for partner REST API applications, signing, permissions, and rotation

Nuvera exposes the REST API layer only to partner organizations. A partner API application is a server-to-server credential set owned by one partner workspace and scoped by explicit permissions.

The production integration flow is:

1. Create an API application in the partner settings area.
2. Generate or upload an RSA public signing key.
3. Select only the REST permissions the service needs.
4. Store the one-time API key in the partner secret manager.
5. Sign every REST request with the matching private key.
6. Use the generated API reference pages for endpoint schemas.
7. Rotate API keys and signing keys through the application management screens.

## Access model

Partner users manage their own API applications under **Settings → Platform → API Applications**. Nuvera admins can inspect and manage the same applications from the admin organization hub only for support, emergency disablement, permission fixes, and partner-assisted rotation.

Customer-platform users cannot create or use REST API applications.

## Credential model

Each application has two credential layers:

* `x-api-key`: a one-time secret API key. Nuvera stores only the hash, prefix, last four characters, status, and usage metadata.
* RS256 request signature: a JWT signed by the partner-held RSA private key. Nuvera stores the public key and verifies each request.

Nuvera does not store partner private keys. Private keys are generated or stored by the partner. If the browser generates a key pair, the private key is downloaded locally and the public key is saved to Nuvera.

## Permissions

Every REST handler has an explicit permission. Write permissions require the matching read permission where the resource has both read and write operations.

| Area                  | Read permission      | Write permission      |
| --------------------- | -------------------- | --------------------- |
| Customers             | `CUSTOMERS_READ`     | `CUSTOMERS_WRITE`     |
| Beneficiaries         | `BENEFICIARIES_READ` | `BENEFICIARIES_WRITE` |
| Documents             | `DOCUMENTS_READ`     | `DOCUMENTS_WRITE`     |
| Crypto reference data | `CRYPTO_READ`        | Not applicable        |
| Payments              | `PAYMENTS_READ`      | `PAYMENTS_WRITE`      |
| Screening             | `SCREENING_READ`     | Not applicable        |
| Support               | `SUPPORT_READ`       | `SUPPORT_WRITE`       |

## Request requirements

Every REST call must include:

```http
x-api-key: <your-api-key>
Authorization: Bearer <signed-request-jwt>
```

The JWT must use RS256, issuer `nuvera-api`, audience `nuvera-rest-api`, a lifetime of 60 seconds or less, a unique `jti`, and claims for the exact request method, URI, and body hash.
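The requirements above, worked through for both the signing side and the verifying side. This is an added example, not Nuvera's code or the official signing recipe. The claim names `method`, `uri` and `body_hash`, the SHA-256 hex body hash, the 30-second lifetime, the `/example/customers` path and the in-memory `jti` set are assumptions; the request-signing page defines the real claim names.

```javascript
// Added example, not Nuvera code. Assumed: claim names method/uri/body_hash,
// SHA-256 hex body hash, 30 s lifetime, in-memory jti store.
const { createHash, sign, verify, randomUUID, generateKeyPairSync } = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
const fromB64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8")) ?? {};
const sha256Hex = (b) => createHash("sha256").update(b).digest("hex");
const unixNow = () => Math.floor(Date.now() / 1000);

// Partner side: a fresh, single-use RS256 JWT bound to exactly one request.
function signRequest(privateKey, method, uri, body, now = unixNow()) {
  const claims = {
    iss: "nuvera-api", aud: "nuvera-rest-api",
    iat: now, exp: now + 30,          // inside the 60-second limit
    jti: randomUUID(),                // never reused
    method, uri, body_hash: sha256Hex(body),
  };
  const input = `${b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${sign("sha256", Buffer.from(input), privateKey).toString("base64url")}`;
}

// Verifier side: returns "ok" or the first requirement the request fails.
function verifyRequest(publicKey, token, method, uri, body, seenJti, now = unixNow()) {
  const [h, c, s] = String(token).split(".");
  let header, claims;
  try { header = fromB64u(h); claims = fromB64u(c); } catch { return "malformed"; }
  if (header.alg !== "RS256") return "bad alg"; // pin the algorithm; never take it from the token
  const sigOk = verify("sha256", Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s || "", "base64url"));
  if (!sigOk) return "bad signature";
  if (claims.iss !== "nuvera-api" || claims.aud !== "nuvera-rest-api") return "bad iss/aud";
  const { iat, exp, jti } = claims;
  if (!Number.isInteger(iat) || !Number.isInteger(exp) || iat > now || exp <= now || exp - iat > 60) return "bad lifetime";
  if (claims.method !== method || claims.uri !== uri || claims.body_hash !== sha256Hex(body)) return "request mismatch";
  if (typeof jti !== "string" || seenJti.has(jti)) return "replay";
  seenJti.add(jti);
  return "ok";
}

// Constructed demo: throwaway key pair and a made-up endpoint.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const seen = new Set(), body = '{"name":"Example Ltd"}';
  const token = signRequest(privateKey, "POST", "/example/customers", body);
  return [
    verifyRequest(publicKey, token, "POST", "/example/customers", body, seen),           // ok
    verifyRequest(publicKey, token, "POST", "/example/customers", body, seen),           // replay
    verifyRequest(publicKey, token, "POST", "/example/customers", '{"name":"x"}', seen), // request mismatch
  ];
}
```

Because the token is bound to the method, URI and body hash and carries a single-use `jti`, a captured `Authorization` header cannot be reused for a second call or attached to a different request.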

<CardGroup cols={3}>
  <Card title="Create an application" icon="plus" href="/get-started/partner-api/create-api-application">
    Set up keys, permissions, and the one-time API key.
  </Card>

  <Card title="Sign requests" icon="signature" href="/get-started/partner-api/request-signing">
    Generate the JWT for JSON and multipart requests.
  </Card>

  <Card title="Rotate keys" icon="rotate" href="/get-started/partner-api/key-rotation">
    Replace API keys and signing keys safely.
  </Card>
</CardGroup>
