Nest Engineering Docs
Partner Credentials

Overview

Python 3.13 credential broker for partner integrations

Partner Credentials is an internal Python 3.13 FastAPI service that issues partner authentication credentials for other services. It reads organization metadata from Spanner, fetches secrets from Secret Manager, and caches tokens in memory for reuse.

Service profile

Field            Value
Code             services/partnercreds/
Package          partnercreds
Runtime          Python 3.13 (FastAPI)
Status           Active
Primary owner    Joe Pardi
Secondary owner  None
Ingress          Internal only (Cloud Run IAM)
Data sources     Cloud Spanner (Organizations), Secret Manager
External APIs    Token endpoints used by Handler (ezyVet, Bitwerx, HAP)

Responsibilities

  • Issue OAuth or API key credentials for partner integrations.
  • Centralize Secret Manager access for partner credentials.
  • Cache and refresh tokens to reduce partner API load.

Non-goals

  • Persist partner data or tokens outside in-memory cache.
  • Public API access or end-user authentication.

Tech stack

  • Python 3.13 + FastAPI (ASGI).
  • Granian server with ORJSONResponse for JSON.
  • httpx for partner token requests with TLS 1.2 enforcement.
  • Spanner client from packages/python/common.
  • Secret Manager for credential storage.
  • Sentry for error reporting.

Code entrypoints

  • services/partnercreds/main.py: FastAPI app, Sentry, Spanner lifecycle.
  • services/partnercreds/api/v1/endpoints/pims.py: token issuance endpoint.
  • services/partnercreds/util/data_access_manager.py: Spanner access for org metadata.
  • services/partnercreds/util/token_cache_manager.py: token caching + refresh.
  • services/partnercreds/core/token_processor.py: provider-specific flows.
  • services/partnercreds/core/security.py: Secret Manager lookups.

Dependencies

  • Upstream: Handler and other internal services requesting tokens.
  • Downstream: None (token broker only).
  • External: Cloud Spanner; Secret Manager; Sentry; partner token endpoints (data APIs are used by Handler).
