Manage Partner Lifecycle

Manage the full partner lifecycle — deactivate partners temporarily, reactivate them, and list partners with filters.

When to use: When you need to disable a partner that is misbehaving, no longer needed, or needs temporary restriction.

Prerequisites

Completed Register Partner
Have a partner ID to manage

5-Line Core

# Deactivate (reversible)
await provider.deactivate_partner(partner_id)

# Reactivate
await provider.reactivate_partner(partner_id)

Partner States

State

Can Sign?

Can Reactivate?

Signatures Valid?

Active

Yes

N/A

Yes

Inactive

Yes

Step-by-Step

Deactivate a Partner

Deactivation is reversible — use it when a partner needs temporary restriction:

result = await provider.deactivate_partner(partner_id)
if result.is_ok:
    print("Partner deactivated successfully")
else:
    print(f"Error: {result.error.code} - {result.error.message}")

Verify Signature Rejection

Signatures from deactivated partners are rejected immediately:

result = await provider.validate_partner_signature(
    consumer_key=consumer_key,
    signature=signature,
    payload=payload,
    timestamp=timestamp,
)

if not result.is_ok:
    print(f"Error: {result.error.code}")  # PARTNER_INACTIVE

Error: partner_inactive

Reactivate a Partner

result = await provider.reactivate_partner(partner_id)
if result.is_ok:
    print("Partner reactivated — can sign requests again")

List Partners

List partners with optional filtering:

# All active partners
result = await provider.list_partners(is_active=True)
if result.is_ok:
    partners = result.unwrap()
    print(f"Active partners: {len(partners)}")
    for p in partners:
        print(f"  {p.id}: {p.partner_name} (active: {p.is_active})")

# Filter by organization
result = await provider.list_partners(
    organization_id="default",
    is_active=None,  # All statuses
)
if result.is_ok:
    partners = result.unwrap()
    print(f"\nAll partners in 'default': {len(partners)}")

# All partners (no filters)
result = await provider.list_partners()

Expected Output

Partner deactivated successfully
Error: partner_inactive
Partner reactivated — can sign requests again
Active partners: 3
  partner-001: Acme Corp (active: True)
  partner-002: Beta Inc (active: True)
  partner-003: Gamma Ltd (active: True)

All partners in 'default': 4

You've learned how to manage the full partner lifecycle — deactivate, reactivate, and list partners!

Error Codes Reference

Error Code

Description

partner_not_found

Consumer key or partner ID not recognized

partner_inactive

Partner has been deactivated

invalid_partner_signature

HMAC-SHA256 signature mismatch

partner_already_exists

Partner with same name already registered

no_partner_registry

Provider does not support partner registry

signature_expired

Timestamp outside tolerance window

email_domain_not_allowed

Email domain not in partner's allowed list

max_users_exceeded

Partner has reached maximum user cap

Complete Example

Create manage_partner_lifecycle.py:

"""GL IAM Manage Partner Lifecycle Example."""

import asyncio
import hashlib
import hmac
from datetime import datetime, timezone

from gl_iam.core.crypto_config import CryptoConfig, EncryptionAlgorithm
from gl_iam.core.types.sso import SSOPartnerCreate
from gl_iam.providers.postgresql import (
    PostgreSQLPartnerRegistryProvider,
    PostgreSQLConfig,
)

DATABASE_URL = "postgresql+asyncpg://postgres:postgres@localhost:5432/gliam"
SECRET_KEY = "your-secret-key-min-32-characters-long"  # For JWT signing
# Generate with: python -c "import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).decode())"
ENCRYPTION_KEY = "<YOUR_ENCRYPTION_KEY>"


async def main():
    # Setup
    config = PostgreSQLConfig(
        database_url=DATABASE_URL,
        secret_key=SECRET_KEY,
        crypto_config=CryptoConfig(
            encryption_keys={1: ENCRYPTION_KEY},
            encryption_algorithm=EncryptionAlgorithm.AES_256_GCM,
        ),
    )
    provider = PostgreSQLPartnerRegistryProvider(config)

    # Register a partner
    reg_result = await provider.register_partner(
        SSOPartnerCreate(partner_name="Lifecycle Demo", org_id="default")
    )
    registration = reg_result.unwrap()
    partner_id = registration.partner.id
    consumer_key = registration.consumer_key
    consumer_secret = registration.consumer_secret
    print(f"1. Registered: {registration.partner.partner_name}")

    # Helper to compute and validate signature
    async def try_signature() -> bool:
        payload = '{"test": true}'
        timestamp = datetime.now(timezone.utc).isoformat()
        signing_string = f"{timestamp}|{consumer_key}|{payload}"
        signature = hmac.new(
            consumer_secret.encode(), signing_string.encode(), hashlib.sha256,
        ).hexdigest()
        result = await provider.validate_partner_signature(
            consumer_key=consumer_key, signature=signature,
            payload=payload, timestamp=timestamp,
        )
        return result.is_ok

    # Verify active partner can sign
    print(f"2. Signature valid (active): {await try_signature()}")

    # Deactivate
    deactivate_result = await provider.deactivate_partner(partner_id)
    print(f"3. Deactivated: {deactivate_result.is_ok}")

    # Verify deactivated partner is rejected
    print(f"4. Signature valid (inactive): {await try_signature()}")

    # Reactivate
    reactivate_result = await provider.reactivate_partner(partner_id)
    print(f"5. Reactivated: {reactivate_result.is_ok}")

    # Verify reactivated partner can sign again
    print(f"6. Signature valid (reactivated): {await try_signature()}")

    # List all partners
    list_result = await provider.list_partners(organization_id="default")
    if list_result.is_ok:
        partners = list_result.unwrap()
        print(f"\n7. Partners in 'default': {len(partners)}")
        for p in partners:
            print(f"   {p.id}: {p.partner_name} (active: {p.is_active})")

    # List only active partners
    active_result = await provider.list_partners(is_active=True)
    if active_result.is_ok:
        print(f"\n8. Active partners: {len(active_result.unwrap())}")

    await provider.close()


if __name__ == "__main__":
    asyncio.run(main())

Run it:

uv run manage_partner_lifecycle.py

Expected output:

1. Registered: Lifecycle Demo
2. Signature valid (active): True
3. Deactivated: True
4. Signature valid (inactive): False
5. Reactivated: True
6. Signature valid (reactivated): True

7. Partners in 'default': 1
   550e8400-...: Lifecycle Demo (active: True)

8. Active partners: 1

Common Pitfalls

Pitfall

Solution

Deactivating without notifying

Coordinate with partner before deactivation

Not checking error codes

Always check result.error.code for specific failure reasons

Missing organization filter

Pass organization_id to scope list_partners results

Confusing deactivate vs revoke

Unlike agents, deactivation is always reversible

Next Steps

Register Partner — Register new partners
Validate Partner Signature — Validate incoming SSO requests
Rotate Consumer Secret — Rotate secrets for security
Result Pattern — Handle errors from lifecycle operations

Found an issue on this page? Report it on our feedback form.

PreviousRotate Consumer Secret NextResult Pattern

Last updated 9 days ago

Was this helpful?

hashtag5-Line Core

hashtagPartner States

hashtagStep-by-Step

hashtagError Codes Reference

hashtagComplete Example

hashtagCommon Pitfalls

hashtagNext Steps

5-Line Core

Partner States

Step-by-Step

Error Codes Reference

Complete Example

Common Pitfalls

Next Steps