Creating Partner User Sessions
You can mint a temporary session token for a partner user (sub-account) by sending a POST request to the partner user session creation endpoint. This provides a time-limited alternative to long-lived API tokens when you need to delegate limited access to a customer account.
The session token is created in the context of the child user selected by
the {userId} path parameter. The parent partner account remains the caller,
but the resulting token authenticates requests as the partner user. A fresh
transient session ID is generated for each call so every minted token is
isolated from the caller's own authenticated browser session.
```http
POST /api/v1/partner/user/{userId}/session/create
Content-Type: application/json
Authorization: Bearer YOUR_PARTNER_TOKEN

{
  "durationInSeconds": 1200,
  "config": {
    "allowedRoutes": [
      "/api/v1/bot/**",
      "!/api/v1/conversation/**"
    ]
  }
}
```
The durationInSeconds field controls how long the minted session token
remains valid. The optional config object is forwarded into the temporary
session token generator and is intended for behavioral restrictions such as
allowedRoutes, plus additional internal session-scoping values like
contactId.
Security Note: Prefer session tokens over persistent API tokens when the
access you need is short-lived or should be restricted to a narrow set of
API paths. Using allowedRoutes greatly reduces blast radius if a token is
leaked.
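
The request above can be wrapped in a client-side builder that refuses to mint over-broad sessions before anything is sent. This is an added example, not code from the API's own documentation or SDK. The function name, the one-hour cap, the list of over-broad patterns, and the reading of a leading "!" as an exclusion are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Assumed local policy, not limits documented by the API.
MAX_DURATION_SECONDS = 3600
OVERBROAD_ALLOW_RULES = {"/**", "/api/**", "/api/v1/**"}


def build_session_request(base_url, partner_token, user_id,
                          duration_seconds, allowed_routes):
    """Build, but do not send, a session-create request that passes local guardrails."""
    # The partner bearer token must never travel over plaintext HTTP.
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("base_url must use https")
    if type(duration_seconds) is not int or not 0 < duration_seconds <= MAX_DURATION_SECONDS:
        raise ValueError("durationInSeconds outside local policy")
    if not allowed_routes:
        raise ValueError("refusing to mint a session without allowedRoutes")
    for route in allowed_routes:
        # Assumption: a leading "!" marks an exclusion, as in the page's sample.
        is_exclusion = route.startswith("!")
        path = route[1:] if is_exclusion else route
        if not path.startswith("/"):
            raise ValueError(f"route must be an absolute path: {route!r}")
        if not is_exclusion and path in OVERBROAD_ALLOW_RULES:
            raise ValueError(f"allow rule too broad: {route!r}")
    if not str(user_id):
        raise ValueError("user_id is required")
    # Percent-encode the id so a "/" inside it stays part of one path segment.
    quoted_id = urllib.parse.quote(str(user_id), safe="")
    url = f"{base_url.rstrip('/')}/api/v1/partner/user/{quoted_id}/session/create"
    body = json.dumps({
        "durationInSeconds": duration_seconds,
        "config": {"allowedRoutes": list(allowed_routes)},
    }).encode("utf-8")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {partner_token}",
    })
```

Pass the returned object to `urllib.request.urlopen` with a timeout to send it. The response format is not shown on this page, so response parsing is left out.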