If your partners will be using a web browser to query those APIs (within some app they made), then cookies is fine. Else authorisation headers is the way to go