Access Policies

Use Access Policies to control which resources a Portal User, an API Credential, or a Klarna webhook can access within a Partner Account. An Access Policy groups a set of rules, where each rule grants access to a specific resource such as a Payment Account, Store Group, or Brand.

Acquiring Partners use Access Policies to restrict or define the scope of a Partner's operations — for people signing in to the Klarna Partner Portal, automated traffic using API Credentials, and Klarna webhooks. For example, a Partner that processes payments across multiple Payment Accounts can have Portal Users, credentials, and webhooks that only reach a subset of those Payment Accounts through an Access Policy.

Access Policies can be defined during onboarding or managed separately throughout the Partner lifecycle.

A Partner Account can have multiple Access Policies. Each Access Policy contains one or more rules, and each rule grants access to exactly one resource. Together, the rules define the effective scope for Portal Users, API Credentials, and Klarna webhooks on that account.

When no Access Policy is explicitly configured, Portal Users, API Credentials, and Klarna webhooks are assigned the DEFAULT policy, which grants full access to all resources on the account. Use a SCOPED policy to limit access to specific resources.

The following fields come from the 200 response of getAccountAccessPolicy. When you send access_policies in the onboard request, use the same references and rules but omit read-only response fields (type, state, and access_policy_rule_id on each rule).

The following fields come from the 200 response of getAccountAccessPolicyRule. The nested resource object identifies the target (for example a Payment Account, Store Group, or Brand); property names appear flattened in the table (for example resource.type).

Access Policies are created in the ENABLED state. Use the disable and enable actions to manage the policy lifecycle.

When a Partner operates multiple Payment Accounts — for example, one per legal entity or MCC — an Acquiring Partner can create a SCOPED Access Policy that limits a group of Portal Users to only the relevant Payment Accounts. Each policy contains rules that reference the target Payment Accounts, and the Portal Users assigned to that policy can only see and manage those Payment Accounts in the portal. See Model your Partner Accounts for a concrete example with a multi-brand enterprise.

When a Partner has multiple Store Groups or Brands, an Access Policy can control which Portal Users can manage each one. Create a SCOPED policy with rules referencing the target Store Groups or Brands to scope a group of Portal Users to only their relevant resources — preventing cross-region or cross-brand changes while keeping everything under a single Partner Account.

Include the access_policies array in the onboard request to scope Portal Users, API Credentials, and Klarna webhooks from the start. Each rule grants access to exactly one resource.

Use getAccountAccessPolicy to retrieve a policy and its rules.

Use disableAccountAccessPolicy to temporarily suspend a policy — Portal Users, API Credentials, and Klarna webhooks regain unrestricted access while it is disabled. Use enableAccountAccessPolicy to reactivate it.

Use getAccountAccessPolicyRule to retrieve a single rule, or deleteAccountAccessPolicyRule to remove it.

Use resolveAccessPolicyId to look up the Klarna identifier from your access_policy_reference. All other policy and rule actions require the resolved identifier in the path.