Act as a client via API
Use this guide when your integration calls HR, Payroll, Pay, or Books on behalf of a merchant you manage as a SERVICE_PARTNER. Acting-client headers tell the gateway which client company to scope — without creating a separate org per merchant.Prerequisites
- Machine JWT from token exchange
workspaceIdandcompanyIdfor the target merchantpartner:client:act-aspermission (included in partner workspace lead roles)
Overview
| Layer | What it identifies |
|---|---|
| Bearer JWT | Who is calling (your partner org, tenantId) |
X-Workspace-Id | Which workspace owns the client |
X-Acting-Company-Id | Which merchant you are operating on |
Steps
Exchange credentials for a machine token
tenantId is your partner organization — not the client’s.Call a product API with acting headers
Tips
- Store
workspaceId+companyIdper merchant at onboarding time — Onboard a client company. - Permissions are intersected at the gateway: you only get module permissions your partner role allows and that are valid for acting-client mode.
- Auth routes (workspaces, companies, token exchange) do not use acting headers.
Troubleshooting
| Problem | Resolution |
|---|---|
| Data from wrong merchant | Verify both headers match the intended company and that company.workspaceId matches X-Workspace-Id. |
403 despite valid token | Missing partner:client:act-as or private workspace visibility. Check org role and workspace membership. |
| Empty results but no error | Headers omitted — request scoped to partner org without a client context. |
Related
Multi-tenancy
Full tenancy model and setup flow.
Authorization
Token exchange and header reference.