RateStack
Capability · White-label & multi-tenant

Stand up a branded portal under your own domain — without standing up a platform team.

Per-organization branding, claimable domains with DNS verification, automatic Let's Encrypt certificate issuance, white-label email links, and a typed Org / Entity hierarchy — coordinated by the tenant-domain-controller. Same engine, same audit chain, same APIs under your own brand.

Overview

What it is, in one paragraph

White-label deployment is split across two services for clean separation of concerns. comp-service owns the per-organization branding (logos, colors, email templates) and the DNS-claim lifecycle (PENDING_DNS → VERIFIED → ACTIVE). tenant-domain-controller is a Kubernetes operator that reconciles the verified domain into a Certificate resource (cert-manager + Let's Encrypt HTTP-01) and an IngressRoute. The end result: a branded portal at pricing.example.com running the same engine, same audit chain, and same APIs as the multi-tenant deployment.

  • Custom domain claim

    Claim any host you control. DNS verification via TXT challenge; status transitions are audit-chained.

  • Automatic TLS issuance

    tenant-domain-controller drives cert-manager + Let's Encrypt HTTP-01. Renewal is automatic. Migration to Let's Encrypt completed 2026-05.

  • Per-org branding

    Logos, color tokens, favicons, and email template overrides — all per-organization. Host-aware theming served from the BFF.

  • Branded email links

    Transactional emails route their action links to your white-label domain. The user never sees ratestack.com.

  • Typed Org / Entity hierarchy

    Org carries OrgRoles; Entity is a sub-unit (BRANCH·REGION·TEAM·DIVISION·CORPORATE). The hierarchy maps directly into capability scoping.

  • Same engine, same audit

    White-label is a presentation + identity layer over the same pricing-service, lock-service, hedge-service, and audit chain. No fork, no parallel build.

How it works

The pipeline, end to end.

Numbered steps from input to output. Each step maps to a specific subsystem you can inspect via OpenTelemetry.

  1. Claim a domain

    POST /v1/tenant/domains with the host. The platform returns a TXT record value and creates a PENDING_DNS claim.

  2. Add the TXT record

    Your DNS team adds the _ratestack-challenge TXT record. The platform polls until visible globally.

  3. DNS verified

    The claim transitions to VERIFIED. comp-service writes an audit row; the tenant-domain-controller picks up the change.

  4. Cert issuance

    The controller reconciles a cert-manager Certificate object. cert-manager solves Let's Encrypt HTTP-01 against the operator-managed ingress.

  5. IngressRoute reconciliation

    Once the cert is issued, the controller binds the IngressRoute to route the host to the BFF. Status transitions to ACTIVE.

  6. Branding applies

    The BFF resolves theming from the host header (or the org binding for non-host requests). Email templates pick up the matching brand.

Hands on

Claim a custom domain

Live cURL sample — copy, paste, ship.

# Claim a custom domain for your org
curl -X POST https://api.ratestack.com/v1/tenant/domains \
  -H "X-API-Key: $RATESTACK_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "orgId": "org_42", "host": "pricing.example.com" }'

# Returns:
# {
#   "domainId": "dom_4b2c",
#   "status": "PENDING_DNS",
#   "verify": {
#     "type":  "TXT",
#     "name":  "_ratestack-challenge.pricing.example.com",
#     "value": "ratestack-claim=a1b2c3d4..."
#   }
# }

# Add the TXT record; the platform polls + verifies, then triggers ACME issuance.
# tenant-domain-controller reconciles the K8s cert + IngressRoute objects.
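
A pre-check a DNS team could run on the verify object from the response above before the platform polls, given here as an added example and not RateStack code. The token, the resolver names and answers, the function names and the exact-match rule are assumptions made for illustration.

```python
import re

# Constructed sample: the "verify" object from a claim response. The token is
# a placeholder made up for this example, not a real challenge value.
VERIFY = {
    "type": "TXT",
    "name": "_ratestack-challenge.pricing.example.com",
    "value": "ratestack-claim=EXAMPLE-TOKEN-0001",
}

# Constructed sample: TXT rdata in presentation form from three resolvers.
ANSWERS = {
    "resolver-a": ['"ratestack-claim=EXAMPLE-" "TOKEN-0001"', '"v=spf1 -all"'],
    "resolver-b": ['"ratestack-claim=EXAMPLE-TOKEN-0001"'],
    "resolver-c": [],  # record has not propagated here yet
}


def challenge_name(host):
    """Expected record name for a claimed host (lowercase, no trailing dot)."""
    return "_ratestack-challenge." + host.strip().rstrip(".").lower()


def decode_txt(rdata):
    """Join the quoted character-strings of one TXT record into one value."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        return rdata.strip()
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)


def precheck(verify, host, answers):
    """Return (ready, per_resolver); ready only if every resolver serves the value."""
    name = verify["name"].rstrip(".").lower()
    if verify["type"] != "TXT" or name != challenge_name(host):
        raise ValueError("verify object does not match the claimed host")
    # Exact match on the decoded value: a prefix or substring is not enough.
    seen = {
        resolver: any(decode_txt(r) == verify["value"] for r in records)
        for resolver, records in answers.items()
    }
    return bool(seen) and all(seen.values()), seen


if __name__ == "__main__":
    print(precheck(VERIFY, "pricing.example.com", ANSWERS))
```

With the constructed answers the check reports not ready, because one resolver has no record yet; a TXT record split into several quoted strings and an unrelated TXT record on the same name are both handled.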

Why this matters

The pain it removes.

TPO and partner channels go live faster

Lenders building a private-label channel for partners get a portal under their own brand in days, not quarters. No platform team required.

No fork, no drift

The white-label surface is the same code paths as multi-tenant. Every fix and feature lands everywhere; you do not maintain a private fork.

Compliance owns the chain

The audit chain spans tenants with actingAsOrgId; a wholesale lender can prove which originator instigated each price discovery.

Frequently asked

Direct answers, no marketing spin.

Can we use a wildcard cert we already own?

Yes on Enterprise. Upload the cert + key (encrypted via SecretEncryptor) and the controller skips ACME issuance for that host. Renewal becomes your responsibility.

How is brand isolation enforced?

Host-aware theming + capability scoping. A user landing on org-A's domain cannot see org-B's data even if their account has cross-tenant visibility — the host determines the brand and the default tenant.
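
The isolation rule in this answer, as an added example that is not RateStack code: the host selects the tenant, and a request for another org's data on that host is refused even when the account belongs to both. The domain table, the function names, the ACTIVE-only gate and the fail-closed handling of unknown hosts are assumptions made for illustration.

```python
import re

# Constructed sample: claimed domains with their lifecycle status and owner.
DOMAINS = {
    "pricing.example.com": {"orgId": "org_42", "status": "ACTIVE"},
    "rates.example.net": {"orgId": "org_77", "status": "PENDING_DNS"},
}

LABELS = re.compile(r"[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+")


def normalize_host(header):
    """Lowercase the Host value, drop port and one trailing dot; None if malformed."""
    host, _, port = header.strip().lower().partition(":")
    if port and not port.isdigit():
        return None
    if host.endswith("."):
        host = host[:-1]
    return host if LABELS.fullmatch(host) else None


def tenant_for_host(header, domains=DOMAINS):
    """Map a Host header to an orgId, only for domains that reached ACTIVE."""
    host = normalize_host(header)
    claim = domains.get(host) if host else None
    if claim is None or claim["status"] != "ACTIVE":
        return None  # unknown or unverified host: fail closed
    return claim["orgId"]


def may_read(header, user_orgs, requested_org, domains=DOMAINS):
    """Allow only when host tenant, membership and requested org all agree."""
    tenant = tenant_for_host(header, domains)
    return tenant is not None and tenant in user_orgs and requested_org == tenant


if __name__ == "__main__":
    both = {"org_42", "org_77"}  # account with cross-tenant visibility
    print(may_read("Pricing.Example.com:443", both, "org_42"))
    print(may_read("pricing.example.com", both, "org_77"))
```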

Can a single tenant have multiple domains?

Yes. An org can claim primary + alias domains. Cert lifecycle runs per host.

What happens if my DNS expires?

The controller continues to serve from the existing cert until expiry, then degrades to a fallback page with a clear message. We notify the org admin at 14 / 7 / 1 days before issue.

Is the white-label fully self-serve?

Yes — the entire flow (claim → verify → issue → activate) is admin-API + UI driven. Sales does not need to be in the loop after contract signing.

How we compare

Stand up a branded portal under your own domain — without standing up a platform team — vs the alternatives.

Specific angles, not generic feature checklists. Each row links to a longer side-by-side; we're transparent about where competitors are the better choice.

Comparisons reflect each vendor's public positioning. Where a fact is unverifiable, we mark it "Depends" or "Unknown" instead of guessing.

Ready to see it on your data?

Wire white-label & multi-tenant up to your real workflow.

We'll spin you a sandbox, load your actual ratesheets, and walk you through this capability against your top scenarios.
