Provisioning API - Security Overview

Getting started with our Provisioning API

Getting Started

As a partner, after connecting with the Deputy partner team, the next step is to set up the Security Authentication Layer that is required to access our privileged provisioning API.

The first step is to create an account with Deputy. This will create what Deputy calls a “Once Profile” - a global-level user that can be reused across multiple businesses. With a Once Profile, partners are able to create an OAuth client, which will allow them to access the create/convert and downgrade APIs.

The Once user that is created should be for the company as a whole, not for an individual or a customer. This Once user will control the provisioning, upgrading and downgrading of all the partner's embedded accounts.

Steps

  1. After creating a Deputy account, navigate to https://once.deputy.com/my/oauth_clients and follow the prompts to set up a new OAuth client. Follow the guide "Using OAuth 2.0".
  2. Share the client_id generated in the previous step with the Deputy team.
  3. Deputy will provide a private key. The private key and client_id constitute the key fields needed to gain access to the endpoints.
  4. Retrieve the kid (Key ID) from the well-known endpoint below, replacing <client_id> with the OAuth client_id from before.
     curl "https://api.usw2.deputy.com/connect/v1/clients/<client_id>/.well-known/jwks.json"

  5. Generate the JWT token:

    1. Header
      1. Set the kid (Key ID) to the value retrieved from the well-known endpoint in the previous step
      2. Use RS256 for the algorithm
    2. Payload
      1. Set the client_id to the client ID generated above
      2. Set the aud (audience) to api.deputy.com/connect/v1
      3. Set the sub (subject) to deputy.com
      4. Set the iss (issuer) value to the issuer assigned to the partner
  6. Sign the token with the private key shared earlier.

  7. All done! Use the signed JWT token when sending requests to the partner APIs.
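
The token-building steps above as an added example (not Deputy's own code), using only Node.js built-in crypto; it also checks the signed token against the JWKS key locally, so a wrong private key or kid is caught before any request is sent. The function names are hypothetical, and the key pair, kid, client ID and issuer are constructed placeholders standing in for the values Deputy issues.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Pick the signing key from a JWKS document (RFC 7517 shape: { keys: [...] }).
// Assumption: the first RSA entry carrying a kid is the client's key.
function pickJwk(jwks) {
  const jwk = (jwks.keys || []).find((k) => k.kty === 'RSA' && k.kid);
  if (!jwk) throw new Error('no RSA key with a kid in JWKS');
  return jwk;
}

// Header and payload carry only the fields the steps list; RS256 signature.
function signPartnerJwt({ clientId, issuer, kid, privateKeyPem }) {
  const header = { alg: 'RS256', kid };
  const payload = { client_id: clientId, aud: 'api.deputy.com/connect/v1', sub: 'deputy.com', iss: issuer };
  const signingInput = `${b64url(header)}.${b64url(payload)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Local check before sending: kid matches and signature verifies against the JWK.
function verifiesAgainstJwk(token, jwk) {
  const [h, p, s] = token.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256' || header.kid !== jwk.kid) return false;
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  return crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
}

// Constructed stand-ins: a throwaway key pair plays the Deputy-issued private key
// and the JWKS response; client ID, issuer and kid are placeholder values.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'example-kid' }] };
  const jwk = pickJwk(jwks);
  const token = signPartnerJwt({
    clientId: 'example-client-id',
    issuer: 'example-partner-issuer',
    kid: jwk.kid,
    privateKeyPem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
  });
  return { token, jwk, ok: verifiesAgainstJwk(token, jwk) };
}

console.log(demo().ok ? 'token verifies against JWKS key' : 'key/kid mismatch');
```

In real use, load the private key from a secrets store rather than source code, and pass the parsed JSON from the jwks.json request to `pickJwk`.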