Partner workflow
How a channel partner runs their own branded Unphish instance.
A partner is a channel reseller running a portfolio of clients on Unphish under their own brand. Functionally, your day looks a lot like an Unphish staff analyst's, scoped to your portfolio and presented under your brand.
What scope means for you
You see your clients, your brands, your cases, your team. You do not see Unphish-internal data or other partners' portfolios. Tenant isolation is enforced at the database, the API, and the UI; cross-partner access is impossible by construction.
Your branding (logo, primary color, login page styling, custom domain) is configured on your organization. Your clients see your brand, not Unphish's, when they log in.
Routes you use
| Route | What it is |
|---|---|
| /partner/dashboard | Portfolio-wide tiles: cases by client, recent enforcement, verification queue. |
| /partner/clients | List and manage your clients: contacts, brands, policies, plans, SSO domains. |
| /partner/threat-feed | Consolidated intake across your portfolio. Same triage flow as analyst. |
| /partner/cases | All cases across your clients. Filter by client, brand, status, etc. |
| /partner/watchlist | All watchlist items across your portfolio. |
| /partner/verification | Active verification queue. |
| /partner/intelligence | Threat clusters and IOCs across your clients. |
| /partner/reports | Schedule and run reports for any client. |
| /partner/branding | Your logo, colors, custom domain, login page. |
| /partner/team | Your analyst team and roles. |
| /partner/settings | Organization-level settings. |
Triage, classification, enforcement, and verification all work the same way as described in the analyst guide. Read that first; this guide covers what is different for partners.
Onboarding a new client
- From /partner/clients, click New client.
- Enter contact details: legal name, primary contact, billing contact, support email, postal address.
- Set the plan and entitlements: enforcement plan, service flags (CleanDNS, social, registrar, etc.), watchlist frequency, quotas.
- Add brand records: official domains, logos, social handles, trademarks, copyrighted source URLs, content URLs, proof of authorization.
- Configure the client policy: automation thresholds, required approvals, notification rules, allowed channels.
- Optionally configure SSO: add a verified domain and the client's identity provider.
- Invite client users. Each user is invited with a role: admin, analyst, viewer, or client_approver.
The new client immediately appears in your portfolio. Your analyst team can start working their threats; client users see only their own data.
Managing your team
Partners run their own analyst team. From /partner/team:
- Invite an analyst with role analyst or viewer.
- Promote to admin for users who manage clients or other team members.
- Restrict by client for analysts who should only see specific clients' cases.
- Restrict by brand for analysts who should only work specific brands.
- Remove a member; their session ends and their audit history is preserved.
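One way to model how the tenant scope from "What scope means for you" and the client and brand restrictions above could combine into a single deny-by-default check. This is an added example, not Unphish's code: `Member`, `Case`, `can_access` and `visible_cases` are hypothetical names. What each role may do, and that client and brand restrictions intersect, are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Role names are from the page; what each role may do is an assumption.
TEAM_ROLES = frozenset({"admin", "analyst", "viewer"})
WRITE_ROLES = frozenset({"admin", "analyst"})

@dataclass(frozen=True)
class Member:  # hypothetical model of a partner team member
    partner_id: str
    role: str
    clients: Optional[FrozenSet[str]] = None  # None = not restricted by client
    brands: Optional[FrozenSet[str]] = None   # None = not restricted by brand

@dataclass(frozen=True)
class Case:  # hypothetical model of a case record
    partner_id: str
    client_id: str
    brand_id: str

def can_access(member: Member, case: Case, action: str = "read") -> bool:
    """Deny by default: every check must pass before access is granted."""
    if action not in ("read", "write"):
        return False
    # Tenant boundary first, so finer rules never run across partners.
    if member.partner_id != case.partner_id:
        return False
    if member.role not in TEAM_ROLES:
        return False
    if action == "write" and member.role not in WRITE_ROLES:
        return False
    # An empty set is a restriction to nothing, not "unrestricted".
    if member.clients is not None and case.client_id not in member.clients:
        return False
    if member.brands is not None and case.brand_id not in member.brands:
        return False
    return True

def visible_cases(member: Member, cases: list) -> list:
    return [c for c in cases if can_access(member, c)]

# Constructed sample data: two partners, three cases.
CASES = [
    Case("partner-a", "acme", "acme-bank"),
    Case("partner-a", "globex", "globex-pay"),
    Case("partner-b", "initech", "initech-shop"),
]
```

The distinction between `None` and an empty set matters when auditing a team: a member whose last permitted client was removed should see nothing, not fall back to the whole portfolio.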
Escalation to Unphish
When you need help — a tricky enforcement, a provider dispute, a policy question — the platform supports escalation to Unphish:
- From any case, click Escalate to Unphish.
- Choose the escalation type: technical, provider dispute, policy question, urgent threat.
- Add context.
- Submit. An Unphish staff member is paged based on severity. The case retains your context; Unphish acts inside your tenant scope with full audit.
Escalation does not expose your data to other partners. Only Unphish staff with permission to operate on your tenant can see it, and every action is logged.
Branding and white-label
/partner/branding controls how your clients see Unphish:
- Display name — replaces "Unphish" in titles and UI copy.
- Logo — primary and inverted variants.
- Colors — primary, accent, foreground.
- Custom domain — e.g., protect.example.com. Requires DNS configuration; the platform issues the certificate.
- Login page — branded sign-in styling. Authentication still routes through Authentik but presents your brand.
- Email templates — invitations, notifications, and reports go out under your name and from your sender domain (configured in Postmark).
Reporting and intelligence across the portfolio
You have visibility your clients do not: cross-client clusters, infrastructure overlaps between different clients' threats, repeat actors hitting multiple brands. Use intelligence to spot campaigns and proactively recommend watchlist coverage.
Reports can be scoped to one client (for sending to that customer), to a brand, or to your full portfolio (for internal partner operations).
Quotas and entitlements
Each client has a plan that determines:
- Detection volume.
- Enforcement volume per channel.
- Reporting cadence.
- API call rate limits.
- Watchlist size.
You can monitor usage from /partner/clients/[id]/usage and request plan changes through the Unphish team. Quotas are enforced at intake, classification, and enforcement; your team will see clear "quota reached" states rather than silent failures.