Stand up a branded portal under your own domain — without standing up a platform team.
Lenders building a private-label channel for partner originators need a full pricing platform under their own brand. RateStack ships per-organization branding, custom domains with DNS verification, automatic Let's Encrypt certificate issuance, and white-label email links — coordinated by the tenant-domain-controller and a comp-service domain state machine.
The white-label surface is the same code paths as multi-tenant — same pricing-service, lock-service, hedge-service, audit chain, and capability catalog. There is no fork to maintain, no feature drift between brands. Every fix and new capability lands everywhere; the brand layer is a presentation + identity overlay served by the BFF.
Domain claim is self-serve. Your admin POSTs the host; the platform returns a TXT challenge; DNS verifies; tenant-domain-controller reconciles a cert-manager Certificate object via Let's Encrypt HTTP-01 and an IngressRoute. The whole lifecycle is audit-chained. Recent migration to Let's Encrypt completed 2026-05.
Beyond branding, the Org / Entity / LO hierarchy with typed org roles makes multi-channel architectures natural. ORIGINATOR partners get scoped capabilities; INVESTOR partners get a complementary set. Cross-tenant actions audit with actingAsOrgId. White-label is a deployment model, not a product fork.
Before vs. after
The shape of a day.
The same operating model, rebuilt around explicit pricing and a single audit log.
Before
Private-label requires a 6-month platform build with a dedicated team.
After
Claim a domain, verify DNS, issue cert, launch. Days, not quarters.
Before
Branded forks drift from the main product over time.
After
Same code paths under both brands. No drift, no maintenance overhead.
Before
Cert lifecycle is a manual ops task per partner host.
After
Automatic Let's Encrypt HTTP-01 issuance + renewal via cert-manager.
Before
Cross-tenant actions don't audit cleanly.
After
actingAsOrgId on every audit row makes the grantor → grantee chain explicit.
Capabilities, framed for you
The platform pieces you'll touch first.
Custom domain claim
DNS-verified self-serve domain claim with TXT challenge.
Automatic TLS
cert-manager + Let's Encrypt HTTP-01; auto-renewal.
Per-org branding
Logos, color tokens, favicons, email templates — host-aware.
Typed Org / Entity hierarchy
ORIGINATOR / INVESTOR / CORRESPONDENT / SUBSERVICER + 5 Entity types.
Capability catalog
12 + 7 capabilities published at /v1/capabilities for partner integrations.
Same engine + audit
No fork. Same pricing, locks, hedge, audit chain across all brands.
Onboarding
What week one looks like.
A pragmatic sequence — from sandbox to first signed quote.
- 1
Day 1: org setup + capability scoping
Stand up the white-label org with the appropriate type. Assign default capability set; tighten where needed.
- 2
Day 2: claim the domain
POST /v1/tenant/domains with your partner-facing host. Add the TXT record; verification completes globally.
- 3
Day 3: cert issuance
tenant-domain-controller reconciles a cert-manager Certificate; Let's Encrypt HTTP-01 solves; IngressRoute binds. Status transitions to ACTIVE.
- 4
Day 4: branding upload
Logos, color tokens, favicon, and email templates upload via the admin UI. Host-aware theming kicks in immediately.
- 5
Week 1: partner onboarding
Onboard your first partner org. TTL grants for cross-tenant visibility; capability catalog for scoping.
- 6
Production
Partners operate under your brand. White-label email links direct to your domain; audit chain spans tenants with actingAsOrgId.
Frequently asked
Specific to your operating model.
Can we use a wildcard cert we already own?
Yes on Enterprise. Upload the cert + key (encrypted via SecretEncryptor) and the controller skips ACME issuance for that host. Renewal becomes your responsibility.
Is white-label the same as multi-tenant?
White-label is a presentation + identity layer over multi-tenant. The data planes are identical; the surface is branded per host. You can run multi-tenant without white-label, but not the inverse.
Can we customize beyond logos and colors?
Email templates, terms-of-service banners, and a limited CSS overlay are supported out of the box. Deeper customizations (whole-page templates) are an Enterprise scope; talk to sales.
What happens if a partner brand goes away?
Deactivate the domain claim; the controller tears down the IngressRoute and lets the cert expire. The data remains for audit; the surface goes dark.
How is the audit chain shared across tenants?
Each tenant has its own audit chain; cross-tenant operations write actingAsOrgId so the chain is verifiable end-to-end. Wholesale and TPO audits walk both chains via the correlationId.
Ready when you are
See platform & white-label lenders on RateStack.
Live demo with your real ratesheets, your real scenarios, and an honest read on whether the platform fits your team.