prowler-cloud · pap-nazaries · May 5, 2026 · May 6, 2026 · May 20, 2026
@@ -73,6 +73,12 @@
               "getting-started/products/prowler-lighthouse-ai"
             ]
           },
+          {
+            "group": "Prowler Partner Portal",
+            "pages": [
+              "getting-started/products/prowler-partner-portal"
+            ]
+          },
           {
             "group": "Prowler MCP Server",
             "pages": [
@@ -164,6 +170,16 @@
               }
             ]
           },
+          {
+            "group": "Prowler Partner Portal",
+            "pages": [
+              "user-guide/tutorials/partner-portal-sign-up",
+              "user-guide/tutorials/partner-portal-organization",
+              "user-guide/tutorials/partner-portal-team",
+              "user-guide/tutorials/partner-portal-branding",
+              "user-guide/tutorials/partner-portal-customer-onboarding"
+            ]
+          },
           {
             "group": "CI/CD",
             "pages": [

@@ -0,0 +1,40 @@
+---
+title: 'Overview'
+---
+
+[Prowler Partner Portal](https://partners.prowler.com) is a dedicated console for Prowler partners — resellers, MSPs and consultants — to onboard customers, manage their teams, and operate Prowler Cloud tenants on their customers' behalf.
+
+It gives every partner organization its own sign-in surface, a partner-scoped team and role model, branding controls, and a managed flow to provision and access customer Prowler Cloud tenants. Every action against a customer tenant is auditable as the partner user acting on behalf of the customer.
+
+<Card title="Sign up for Prowler Partner Portal" href="https://partners.prowler.com/sign-up" />
+
+Prowler Partner Portal provides:
+
+<ul>
+    <li> Self-service sign-up that flows through email verification and Prowler approval before activating a partner organization. </li>
+    <li> A partner-scoped role model with granular permissions for managing members, settings, billing, customer organizations, and tenant access. </li>
+    <li> Managed customer-tenant provisioning into Prowler Cloud. </li>
+    <li> Branding controls — partner logo on the sign-in screen, invitation emails, and the console header. </li>
+</ul>
+
+## Components
+
+The Partner Portal stack mirrors Prowler Cloud:
+
+- **Partner Portal UI** at `partners.prowler.com` — Next.js console for partner administrators and operators.
+- **Partner Portal API** at `api.partners.prowler.com` — Django REST Framework backend (JSON:API, JWT RS256).
+- **Prowler Cloud integration** — server-to-server signed tokens carry an `on_behalf_of` claim so Prowler Cloud attributes partner-driven actions to the customer tenant they target.
+
+## How it relates to Prowler Cloud
+
+| Capability | Prowler Cloud | Prowler Partner Portal |
+|---|---|---|
+| Audience | End customers | Resellers, MSPs, consultants |
+| Console | `cloud.prowler.com` | `partners.prowler.com` |
+| API | `api.prowler.com` | `api.partners.prowler.com` |
+| Tenancy | Customer-owned | Partner-owned, with managed access to customer tenants |
+| Branding | Prowler-branded | Partner-branded sign-in and console |
+
+## Getting access
+
+Prowler Partner Portal is invitation-driven. Sign up at `partners.prowler.com/sign-up`; a new partner organization stays in **Pending Approval** until the Prowler team reviews and approves the application. Once active, the partner administrator can invite team members and start onboarding customer organizations.
@@ -0,0 +1,22 @@
+---
+title: 'Customise Partner Portal branding'
+---
+
+Partner administrators with the **Manage settings** permission can upload a logo and customise visual identity for their partner organization. Branding is shown to the partner team across the Partner Portal console and on outbound communications such as invitation emails.
+
+## What you can change
+
+| Element | Where it appears |
+|---|---|
+| **Logo** | Sign-in screen, top-left of the console, invitation emails |
+| **Company name** | Browser tab title, sign-in screen, invitation emails |
+
+## Upload a logo
+
+The logo is a single image file uploaded by a partner administrator from **Settings → Branding**. PNG, JPEG and SVG formats are supported; SVG renders best at small sizes. The maximum file size is **1 MB**; transparent backgrounds work best, and wide horizontal logos render cleanest in the sidebar.
+
+Once uploaded, the logo is shown immediately to the team in the console and on subsequent sign-ins. Replacing or removing the logo is also a one-click operation from the same tab; removing reverts the console to the default Prowler branding.
+
+## Note on customer-facing surfaces
+
+Branding applies to Prowler Partner Portal only. Customers signing in to https://cloud.prowler.com see the standard Prowler-branded UI. **White-labelling of `cloud.prowler.com` for partners is not supported today.**
@@ -0,0 +1,55 @@
+---
+title: 'Onboard a customer and access their tenant'
+---
+
+Prowler Partner Portal lets partners provision Prowler Cloud tenants for customer organizations and operate inside those tenants on the customer's behalf. Every partner action is recorded in Prowler Cloud's audit log with both the partner identity and an `on_behalf_of` claim that pinpoints the customer.
+
+## Provision a customer
+
+<Steps>
+  <Step title="Open Customers">
+    From the sidebar, choose **Customers**. The page is only visible to all signed-in partner users; the **+ Add Customer** button on the toolbar requires the `manage_organizations` permission.
+  </Step>
+
+  <Step title="Start the wizard">
+    Click **+ Add Customer**. Fill in the customer's organization name and primary contact email. Organization name uniqueness is validated per partner; trying to add a duplicate returns an inline error.
+  </Step>
+
+  <Step title="Wait for provisioning">
+    Prowler Partner Portal calls Prowler Cloud to create the tenant. Provisioning is asynchronous; the customer row updates from **Pending** to **Active** when the tenant is ready (usually under a minute).
+  </Step>
+</Steps>
+
+The customer is now visible to your team in the Customers table and ready for partner-side operations.
+
+## The Customers view
+
+The Customers table lists the customer organizations linked to your partner. Each row carries:
+
+- **Customer** — the cloud organization name.
+- **Cloud accounts** — count of cloud-provider accounts attached to the customer.
+- **Providers** — icons for each cloud provider in use (AWS, Azure, GCP, Kubernetes, Microsoft 365, GitHub, IAC, Vercel, MongoDB Atlas, Cloudflare, Google Workspace, Alibaba Cloud, Oracle Cloud, image scanning, OpenStack — plus any new providers Prowler adds).
+- **Findings** — Critical / High / Medium counts from the latest scan.
+- **Last scan** — timestamp of the last successful scan.
+
+## Customer self-pairing with a Partner Code
+
+Each approved partner has a **Partner Code** — a unique, Prowler-issued value shown on **Settings → Profile** with the helper text *"Share this code with customers to link their accounts"*. Sharing the code lets a customer paste it into their Prowler Cloud account and request the partner relationship; once confirmed, the customer is listed in your Customers view alongside any partner-provisioned tenants.
+
+The customer-side flow that consumes the Partner Code is rolled out progressively in Prowler Cloud. Verify availability with your Prowler contact before sharing the code.
+
+## Access a customer tenant on behalf of
+
+From **Customers**, open the customer's row and choose **Open in Prowler Cloud**. You're redirected to https://cloud.prowler.com signed in as a partner user **on behalf of** the customer. While operating in the tenant:
+
+- You see the same Prowler Cloud UI a customer administrator would see.
+- Every action is recorded in Prowler Cloud's audit log with both your identity (the partner user) and an `on_behalf_of` claim identifying the customer tenant.
+- Returning to Prowler Partner Portal — close the tab or use the *Back to Partner Portal* link.
+
+## Customer self-access
+
+Customers continue to sign into https://cloud.prowler.com directly with their own users. Partner-side access is **additive** — it does not replace customer-side users.
+
+## Removing a customer
+
+Removing a customer in Prowler Partner Portal detaches the tenant from your partner organization but does **not** delete the underlying Prowler Cloud tenant. Coordinate tenant disposal with the customer through Prowler Cloud directly.
@@ -0,0 +1,40 @@
+---
+title: 'Your partner organization'
+---
+
+Your **partner organization** in Prowler Partner Portal is the top-level container for your team, your branding, your role catalogue and the customers you operate Prowler Cloud tenants for.
+
+## Lifecycle
+
+A partner organization moves through these states:
+
+| State | Meaning |
+|---|---|
+| **Pending email verification** | The first administrator has signed up but has not yet clicked the email verification link. |
+| **Pending approval** | Email verified; Prowler is reviewing the application. |
+| **Active** | Approved by Prowler. The partner organization can sign in, invite team members and onboard customers. |
+| **Rejected** | Prowler reviewed and declined the application. The account cannot sign in; the decision email contains the reason. |
+| **Suspended** | A previously active partner has been suspended. Sign-in is blocked; resolve manually with Prowler support. |
+
+If an application is rejected, you receive an email with the reason. Common rejection categories include incomplete documentation, ineligibility and duplicate registrations.
+
+## Settings
+
+Partner administrators with the **Manage settings** permission can edit the partner organization's profile from **Settings**:
+
+- **Company name** — the display name shown in the console, invitations and emails.
+- **Branding** — logo and visual identity. See [Customise Partner Portal branding](/user-guide/tutorials/partner-portal-branding).
+- **Partner Code** — a Prowler-issued, read-only value shown on the Profile tab. Customers paste this code in Prowler Cloud to link their tenant to your partner.
+- **Security** — password change for any signed-in user, plus a Danger zone for partner administrators to **request partner deletion**.
+
+## Customer capacity
+
+Each partner organization has a maximum number of concurrent customer organizations (default: **50**). To raise the limit, contact Prowler.
+
+## Closing your organization
+
+To close a partner organization, an administrator submits a deletion request from **Settings → Security → Danger zone**. Typing `DELETE` in the confirmation field and (optionally) providing a short reason files the request; the partner moves into the **deletion requested** state.
+
+While the request is pending, you and your team can still sign in and use the Partner Portal. Once Prowler processes the request, the partner organization, its team memberships and its branding assets are removed and all sessions are invalidated.
+
+Customer Prowler Cloud tenants are **not** automatically deleted — coordinate tenant disposal with each customer through Prowler Cloud directly.
@@ -0,0 +1,50 @@
+---
+title: 'Sign up and sign in to Prowler Partner Portal'
+---
+
+Prowler Partner Portal sign-up and sign-in run on Prowler-managed accounts. The first administrator of a partner organization signs up self-service; subsequent team members are added by invitation.
+
+## Self-service sign-up
+
+<Steps>
+  <Step title="Open the sign-up page">
+    Go to https://partners.prowler.com/sign-up and provide your work email, your name, and the company name to register as a partner. Pick a password of at least 12 characters; a strength helper validates it as you type.
+  </Step>
+
+  <Step title="Verify your email">
+    Prowler sends a verification email with a one-time link, valid for **24 hours**. After verification, your partner organization moves to **Pending Approval**. If the link expires, request a new one at https://partners.prowler.com/resend-verification — issuing a fresh link invalidates any previous unused link for the same account.
+  </Step>
+
+  <Step title="Wait for Prowler approval">
+    Prowler reviews each new partner application. You receive an email when the organization is approved (status moves to **Active**) or, in rare cases, rejected with a reason.
+  </Step>
+
+  <Step title="Sign in">
+    Once approved, sign in at https://partners.prowler.com with the email and password you set during sign-up. You land on your partner organization's dashboard.
+  </Step>
+</Steps>
+
+## Sign-in
+
+Existing users sign in at https://partners.prowler.com with email and password. On success you land on `/dashboard`.
+
+Common sign-in errors:
+
+- `Invalid email or password` — credentials do not match an account.
+- `Please verify your email before signing in` — verification has not been completed; open the verification email or request a fresh link from `/resend-verification`.
+- `Your partner application is still under review` — sign-in is blocked until Prowler approves the application.
+- `Your partner application was not approved` — the application was rejected; the account cannot sign in.
+
+## Forgot password
+
+Click **Forgot password?** on the sign-in screen and enter your email at `/forgot-password`. Prowler sends a password reset email; the reset link is valid for a fixed window. The reset page asks for a new password (minimum 12 characters) and a confirmation; on success you are redirected back to sign-in.
+
+For security, the confirmation banner on the Forgot-password screen is shown whether or not the email matches an account — a fresh request invalidates any previous unused reset link.
+
+## Sessions
+
+Prowler Partner Portal uses short-lived JWTs (RS256) refreshed automatically while you remain active. Refresh tokens rotate on every refresh; previous refresh tokens are revoked. If a refresh fails — for example, after a long inactivity, a server restart, or a revoked token — you are returned to `/sign-in?error=RefreshAccessTokenError`. Sign in again to continue.
+
+## Sign out
+
+Open the user avatar in the top-right of any page and pick **Sign out**. The session is cleared and you are returned to the sign-in form.
@@ -0,0 +1,60 @@
+---
+title: 'Manage your Partner Portal team'
+---
+
+Each partner organization in Prowler Partner Portal has its own team and its own role catalogue. Partner administrators invite team members by email and assign each member a role from the catalogue.
+
+## Roles
+
+Today every partner organization ships with two built-in roles:
+
+- **Admin** — full management of the partner organization (team, customers, settings, branding, billing, partner deletion). Admins are mapped to **Cloud Manager** on the customer tenants the partner manages on Prowler Cloud.
+- **Member** — read-only inside the Partner Portal. Members can change their own password and operate on customer tenants as **Cloud Operator** on Prowler Cloud.
+
+The role assigned at invitation time decides both Partner Portal and Cloud-side permissions; there is no separate Cloud role to assign.
+
+Each role bundles a set of permissions:
+
+- **Manage members** — invite, re-invite, revoke and remove team members.
+- **Manage settings** — edit the partner organization's profile and configuration.
+- **Manage billing** — manage billing details and subscriptions.
+- **Manage organizations** — add and remove customer organizations and provision their Prowler Cloud tenants.
+- **Access tenants** — open a customer tenant in Prowler Cloud on behalf of the customer.
+
+Permissions surface on the session as boolean flags (`manage_members`, `manage_settings`, `manage_billing`, `manage_organizations`, `access_tenants`) that the UI consults to gate the corresponding sidebar entries and actions.
+
+## Invite a team member
+
+<Steps>
+  <Step title="Open Team">
+    From the sidebar, choose **Team**. The page is only visible to users whose role grants `manage_members`.
+  </Step>
+
+  <Step title="Send the invitation">
+    Click **Invite user**, enter the work email, choose a role, and send. Inviting an email that is already a team member is rejected. The invitee receives an email with a one-time link that opens the public `/invitations/accept` page.
+  </Step>
+
+  <Step title="Track status">
+    The Team table lists each invitation's state: **Pending**, **Accepted**, **Expired** or **Revoked**.
+  </Step>
+</Steps>
+
+When the invitee opens the link, they fill in their full name and a password (minimum 12 characters), accept, and are redirected to the sign-in page with a confirmation banner.
+
+## Re-invite or revoke
+
+For invitations in **Pending** or **Expired** state, the row's **Re-invite** action emails a fresh link, bumps the invitation's expiry, and updates the **Invite Sent** column. **Revoke** invalidates the invitation immediately; the invitee can no longer accept it.
+
+An email address can have only one **Pending** invitation at a time. To re-issue, revoke the existing invitation first or use **Re-invite**.
+
+## Disable, enable, or remove a member
+
+Active members expose a **Disable** action on their row. Disabling soft-deletes the member: their access is revoked immediately, but the row stays in the table flagged as **Disabled** for audit trail.
+
+Disabled members can be **Enabled** to restore access, or **Re-invited** to send a fresh invitation that brings them back as a fresh active member.
+
+## Notes
+
+- The first administrator of a new partner organization is created during sign-up.
+- An email address can have only one active membership in a given partner organization.
+- Permissions are scoped to a partner organization — a session for partner A does not carry permissions on partner B.