The Verified Partner Program is how oakallow lets approvals happen outside the oakallow dashboard, inside a partner's own product, without weakening any of the guarantees that make an oakallow approval trustworthy. We intentionally require partners to register and scope their integration by authority so that a decision made in a partner's own surface carries the same cryptographic execution-token minting, the same immutable audit trail, and the same governance controls as a decision made natively in oakallow.
An authority is a named, domain-verified integration surface registered under a partner's legal entity. A customer opts an authority into their own organization, and from then on approvals in that org can be decided in the partner's product instead of only the oakallow dashboard.
- Partners host the human-decision step of an oakallow approval inside their own UI, so their customers approve in the platform they already use while oakallow records the cryptographic decision and the audit trail
- Customers opt in per-org from their own oakallow dashboard. Authority assignments are private to the customer org; there is no public partner directory
- Authorities can use mutual TLS on their callback domain for production traffic
- The partner contact emails (technical and security) receive escalation traffic from oakallow when an authority needs attention
- A parent-partner attestation, made once at apply time, where the applicant attests they are authorized to register this company and corporate domain as a partner. It is recorded with the accepting email, timestamp, and IP.
- A per-authority agreement, accepted separately for each authority registered under the partner. The parent attestation covers the company; the authority agreement covers each individual integration surface.
- The partner controls the corporate domain they claim, proven with a DNS TXT record on that domain (the Primary Governing Authority domain, or PGA domain). DNS control is the thing we can actually prove, so it is the basis of verification
- The applicant is on the corporate domain (the oakallow account that submits the application must have an email on the PGA domain)
- Each authority independently proves control of its own callback domain with its own DNS TXT record. The callback domain must be a different host from the bare corporate domain, so a partner demonstrates control of the specific surface its approvals run on
1. Apply at oakallow.io/partners/apply from an account whose email is on the corporate domain you submit 2. Attest, at the parent-partner level, that you are authorized to register this company and corporate domain 3. Add a DNS TXT record on the corporate domain to prove you control it 4. Register one or more authorities, each with its own callback domain and its own technical and security contact 5. Each authority proves its own callback domain with a DNS TXT record, verifies its technical and security contacts by email, and accepts the per-authority program agreement 6. Configure mutual TLS for production callback traffic at oakallow.io/partners/mtls-setup
The owner of the verified-partner record is the user who applied, and additional owners can be invited to co-manage the record. Partner dashboard access (oakallow.io/dashboard/partner) is gated on that membership, not on team role, so an owner can manage the record even from a personal oakallow account.