diff --git a/.changelog/11699.txt b/.changelog/11699.txt
new file mode 100644
index 000000000..32949238b
--- /dev/null
+++ b/.changelog/11699.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auto-config: ensure the feature works properly with partitions
+```
diff --git a/agent/agent_test.go b/agent/agent_test.go
index 6b3ea8cfb..322e99e9b 100644
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@@ -5117,6 +5117,9 @@ func TestAutoConfig_Integration(t *testing.T) {
 	// verify_incoming config on the server would not let it work.
 	testrpc.WaitForTestAgent(t, client.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken))
 
+	// spot check that we now have an ACL token
+	require.NotEmpty(t, client.tokens.AgentToken())
+
 	// grab the existing cert
 	cert1 := client.Agent.tlsConfigurator.Cert()
 	require.NotNil(t, cert1)
@@ -5159,9 +5162,6 @@ func TestAutoConfig_Integration(t *testing.T) {
 		require.NoError(r, err)
 		require.Equal(r, client.Agent.tlsConfigurator.Cert(), &actual)
 	})
-
-	// spot check that we now have an ACL token
-	require.NotEmpty(t, client.tokens.AgentToken())
 }
 
 func TestAgent_AutoEncrypt(t *testing.T) {
@@ -5351,3 +5351,10 @@ func uniqueAddrs(srvs []apiServer) map[string]struct{} {
 	}
 	return result
 }
+
+func runStep(t *testing.T, name string, fn func(t *testing.T)) {
+	t.Helper()
+	if !t.Run(name, fn) {
+		t.FailNow()
+	}
+}
diff --git a/agent/auto-config/auto_config.go b/agent/auto-config/auto_config.go
index f3eedb7eb..631ccc75d 100644
--- a/agent/auto-config/auto_config.go
+++ b/agent/auto-config/auto_config.go
@@ -279,6 +279,7 @@ func (ac *AutoConfig) getInitialConfigurationOnce(ctx context.Context, csr strin
 		Datacenter: ac.config.Datacenter,
 		Node:       ac.config.NodeName,
 		Segment:    ac.config.SegmentName,
+		Partition:  ac.config.PartitionOrEmpty(),
 		JWT:        token,
 		CSR:        csr,
 	}
diff --git a/agent/auto-config/config_translate.go b/agent/auto-config/config_translate.go
index 829bd6b1e..eb9d73f80 100644
--- a/agent/auto-config/config_translate.go
+++ b/agent/auto-config/config_translate.go
@@ -26,9 +26,12 @@ func translateConfig(c *pbconfig.Config) config.Config {
 		Datacenter:        stringPtrOrNil(c.Datacenter),
 		PrimaryDatacenter: stringPtrOrNil(c.PrimaryDatacenter),
 		NodeName:          stringPtrOrNil(c.NodeName),
-		// only output the SegmentName in the configuration if its non-empty
+		// only output the SegmentName in the configuration if it's non-empty
 		// this will avoid a warning later when parsing the persisted configuration
 		SegmentName: stringPtrOrNil(c.SegmentName),
+		// only output the Partition in the configuration if it's non-empty
+		// this will avoid a warning later when parsing the persisted configuration
+		Partition: stringPtrOrNil(c.Partition),
 	}
 
 	if a := c.AutoEncrypt; a != nil {
diff --git a/agent/auto-config/tls.go b/agent/auto-config/tls.go
index ab647b515..bf88b41bd 100644
--- a/agent/auto-config/tls.go
+++ b/agent/auto-config/tls.go
@@ -192,11 +192,12 @@ func (ac *AutoConfig) caRootsRequest() structs.DCSpecificRequest {
 
 func (ac *AutoConfig) leafCertRequest() cachetype.ConnectCALeafRequest {
 	return cachetype.ConnectCALeafRequest{
-		Datacenter: ac.config.Datacenter,
-		Agent:      ac.config.NodeName,
-		DNSSAN:     ac.getDNSSANs(),
-		IPSAN:      ac.getIPSANs(),
-		Token:      ac.acConfig.Tokens.AgentToken(),
+		Datacenter:     ac.config.Datacenter,
+		Agent:          ac.config.NodeName,
+		DNSSAN:         ac.getDNSSANs(),
+		IPSAN:          ac.getIPSANs(),
+		Token:          ac.acConfig.Tokens.AgentToken(),
+		EnterpriseMeta: *structs.NodeEnterpriseMetaInPartition(ac.config.PartitionOrEmpty()),
 	}
 }
 
diff --git a/agent/config/builder.go b/agent/config/builder.go
index 74ce70cb3..d1f3fed8f 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -2374,8 +2374,9 @@ func validateAutoConfigAuthorizer(rt RuntimeConfig) error {
 	// create a blank identity for use to validate the claim assertions.
 	blankID := validator.NewIdentity()
 	varMap := map[string]string{
-		"node":    "fake",
-		"segment": "fake",
+		"node":      "fake",
+		"segment":   "fake",
+		"partition": "fake",
 	}
 
 	// validate all the claim assertions
diff --git a/agent/connect/uri.go b/agent/connect/uri.go
index 7bdf223e7..fa1387086 100644
--- a/agent/connect/uri.go
+++ b/agent/connect/uri.go
@@ -76,6 +76,10 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
 			}
 		}
 
+		if ap == "" {
+			ap = "default"
+		}
+
 		return &SpiffeIDService{
 			Host:       input.Host,
 			Partition:  ap,
@@ -103,6 +107,10 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
 			}
 		}
 
+		if ap == "" {
+			ap = "default"
+		}
+
 		return &SpiffeIDAgent{
 			Host:       input.Host,
 			Partition:  ap,
diff --git a/agent/connect/uri_test.go b/agent/connect/uri_test.go
index 47e1e4199..96b2b7a71 100644
--- a/agent/connect/uri_test.go
+++ b/agent/connect/uri_test.go
@@ -5,10 +5,13 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/sdk/testutil"
 )
 
 func TestParseCertURIFromString(t *testing.T) {
+	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
+
 	var cases = []struct {
 		Name       string
 		URI        string
@@ -26,6 +29,7 @@ func TestParseCertURIFromString(t *testing.T) {
 			"spiffe://1234.consul/ns/default/dc/dc01/svc/web",
 			&SpiffeIDService{
 				Host:       "1234.consul",
+				Partition:  defaultEntMeta.PartitionOrDefault(),
 				Namespace:  "default",
 				Datacenter: "dc01",
 				Service:    "web",
@@ -49,6 +53,7 @@ func TestParseCertURIFromString(t *testing.T) {
 			"spiffe://1234.consul/agent/client/dc/dc1/id/uuid",
 			&SpiffeIDAgent{
 				Host:       "1234.consul",
+				Partition:  defaultEntMeta.PartitionOrDefault(),
 				Datacenter: "dc1",
 				Agent:      "uuid",
 			},
@@ -70,6 +75,7 @@ func TestParseCertURIFromString(t *testing.T) {
 			"spiffe://1234.consul/ns/foo%2Fbar/dc/bar%2Fbaz/svc/baz%2Fqux",
 			&SpiffeIDService{
 				Host:       "1234.consul",
+				Partition:  defaultEntMeta.PartitionOrDefault(),
 				Namespace:  "foo/bar",
 				Datacenter: "bar/baz",
 				Service:    "baz/qux",
diff --git a/agent/consul/auto_config_backend.go b/agent/consul/auto_config_backend.go
index 3274000d1..aef6ad7ba 100644
--- a/agent/consul/auto_config_backend.go
+++ b/agent/consul/auto_config_backend.go
@@ -31,13 +31,16 @@ func (b autoConfigBackend) GetCARoots() (*structs.IndexedCARoots, error) {
 
 // DatacenterJoinAddresses will return all the strings suitable for usage in
 // retry join operations to connect to the the LAN or LAN segment gossip pool.
-func (b autoConfigBackend) DatacenterJoinAddresses(segment string) ([]string, error) {
+func (b autoConfigBackend) DatacenterJoinAddresses(partition, segment string) ([]string, error) {
 	members, err := b.Server.LANMembers(LANMemberFilter{
 		Segment:   segment,
-		Partition: "", // TODO(partitions): figure out what goes here
+		Partition: partition,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("Failed to retrieve members for segment %s - %w", segment, err)
+		if segment != "" {
+			return nil, fmt.Errorf("Failed to retrieve members for segment %s: %w", segment, err)
+		}
+		return nil, fmt.Errorf("Failed to retrieve members for partition %s: %w", structs.PartitionOrDefault(partition), err)
 	}
 
 	var joinAddrs []string
diff --git a/agent/consul/auto_config_backend_test.go b/agent/consul/auto_config_backend_test.go
index 2e82e8882..f5078494b 100644
--- a/agent/consul/auto_config_backend_test.go
+++ b/agent/consul/auto_config_backend_test.go
@@ -27,7 +27,7 @@ func TestAutoConfigBackend_DatacenterJoinAddresses(t *testing.T) {
 	}
 
 	backend := autoConfigBackend{Server: nodes.Servers[0]}
-	actual, err := backend.DatacenterJoinAddresses("")
+	actual, err := backend.DatacenterJoinAddresses("", "")
 	require.NoError(t, err)
 	require.ElementsMatch(t, expected, actual)
 }
diff --git a/agent/consul/auto_config_endpoint.go b/agent/consul/auto_config_endpoint.go
index cbcf7ac85..c0b92ec67 100644
--- a/agent/consul/auto_config_endpoint.go
+++ b/agent/consul/auto_config_endpoint.go
@@ -25,11 +25,16 @@ import (
 type AutoConfigOptions struct {
 	NodeName    string
 	SegmentName string
+	Partition   string
 
 	CSR      *x509.CertificateRequest
 	SpiffeID *connect.SpiffeIDAgent
 }
 
+func (opts AutoConfigOptions) PartitionOrDefault() string {
+	return structs.PartitionOrDefault(opts.Partition)
+}
+
 type AutoConfigAuthorizer interface {
 	// Authorizes the request and returns a struct containing the various
 	// options for how to generate the configuration.
@@ -57,8 +62,9 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 	}
 
 	varMap := map[string]string{
-		"node":    req.Node,
-		"segment": req.Segment,
+		"node":      req.Node,
+		"segment":   req.Segment,
+		"partition": req.PartitionOrDefault(),
 	}
 
 	for _, raw := range a.claimAssertions {
@@ -86,6 +92,7 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 	opts := AutoConfigOptions{
 		NodeName:    req.Node,
 		SegmentName: req.Segment,
+		Partition:   req.Partition,
 	}
 
 	if req.CSR != "" {
@@ -94,8 +101,12 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 			return AutoConfigOptions{}, err
 		}
 
-		if id.Agent != req.Node {
-			return AutoConfigOptions{}, fmt.Errorf("Spiffe ID agent name (%s) of the certificate signing request is not for the correct node (%s)", id.Agent, req.Node)
+		if id.Agent != req.Node || !structs.EqualPartitions(id.Partition, req.Partition) {
+			return AutoConfigOptions{},
+				fmt.Errorf("Spiffe ID agent name (%s) of the certificate signing request is not for the correct node (%s)",
+					printNodeName(id.Agent, id.Partition),
+					printNodeName(req.Node, req.Partition),
+				)
 		}
 
 		opts.CSR = csr
@@ -107,7 +118,7 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 
 type AutoConfigBackend interface {
 	CreateACLToken(template *structs.ACLToken) (*structs.ACLToken, error)
-	DatacenterJoinAddresses(segment string) ([]string, error)
+	DatacenterJoinAddresses(partition, segment string) ([]string, error)
 	ForwardRPC(method string, info structs.RPCInfo, reply interface{}) (bool, error)
 	GetCARoots() (*structs.IndexedCARoots, error)
 	SignCertificate(csr *x509.CertificateRequest, id connect.CertURI) (*structs.IssuedCert, error)
@@ -200,7 +211,7 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 	if ac.config.ACLsEnabled {
 		// set up the token template - the ids and create
 		template := structs.ACLToken{
-			Description: fmt.Sprintf("Auto Config Token for Node %q", opts.NodeName),
+			Description: fmt.Sprintf("Auto Config Token for Node %q", printNodeName(opts.NodeName, opts.Partition)),
 			Local:       true,
 			NodeIdentities: []*structs.ACLNodeIdentity{
 				{
@@ -208,13 +219,12 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 					Datacenter: ac.config.Datacenter,
 				},
 			},
-			// TODO(partitions): support auto-config in different partitions
-			EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
+			EnterpriseMeta: *structs.DefaultEnterpriseMetaInPartition(opts.PartitionOrDefault()),
 		}
 
 		token, err := ac.backend.CreateACLToken(&template)
 		if err != nil {
-			return fmt.Errorf("Failed to generate an ACL token for node %q - %w", opts.NodeName, err)
+			return fmt.Errorf("Failed to generate an ACL token for node %q: %w", printNodeName(opts.NodeName, opts.Partition), err)
 		}
 
 		acl.Tokens = &pbconfig.ACLTokens{Agent: token.SecretID}
@@ -227,7 +237,7 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 // updateJoinAddressesInConfig determines the correct gossip endpoints that clients should
 // be connecting to for joining the cluster based on the segment given in the opts parameter.
 func (ac *AutoConfig) updateJoinAddressesInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error {
-	joinAddrs, err := ac.backend.DatacenterJoinAddresses(opts.SegmentName)
+	joinAddrs, err := ac.backend.DatacenterJoinAddresses(opts.Partition, opts.SegmentName)
 	if err != nil {
 		return err
 	}
@@ -299,6 +309,7 @@ func (ac *AutoConfig) baseConfig(opts AutoConfigOptions, resp *pbautoconf.AutoCo
 	resp.Config.PrimaryDatacenter = ac.config.PrimaryDatacenter
 	resp.Config.NodeName = opts.NodeName
 	resp.Config.SegmentName = opts.SegmentName
+	resp.Config.Partition = opts.Partition
 
 	return nil
 }
@@ -422,3 +433,10 @@ func mapstructureTranslateToProtobuf(in interface{}, out interface{}) error {
 
 	return decoder.Decode(in)
 }
+
+func printNodeName(nodeName, partition string) string {
+	if structs.IsDefaultPartition(partition) {
+		return nodeName
+	}
+	return partition + "/" + nodeName
+}
diff --git a/agent/consul/auto_config_endpoint_test.go b/agent/consul/auto_config_endpoint_test.go
index 58b8c063f..f082a70ed 100644
--- a/agent/consul/auto_config_endpoint_test.go
+++ b/agent/consul/auto_config_endpoint_test.go
@@ -38,8 +38,8 @@ func (m *mockAutoConfigBackend) CreateACLToken(template *structs.ACLToken) (*str
 	return token, ret.Error(1)
 }
 
-func (m *mockAutoConfigBackend) DatacenterJoinAddresses(segment string) ([]string, error) {
-	ret := m.Called(segment)
+func (m *mockAutoConfigBackend) DatacenterJoinAddresses(partition, segment string) ([]string, error) {
+	ret := m.Called(partition, segment)
 	// this handles converting an untyped nil to a typed nil
 	addrs, _ := ret.Get(0).([]string)
 	return addrs, ret.Error(1)
@@ -215,6 +215,8 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 		err           string
 	}
 
+	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
+
 	cases := map[string]testCase{
 		"wrong-datacenter": {
 			request: pbautoconf.AutoConfigRequest{
@@ -304,6 +306,7 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 				expectedID := connect.SpiffeIDAgent{
 					Host:       roots.TrustDomain,
 					Agent:      "test-node",
+					Partition:  defaultEntMeta.PartitionOrDefault(),
 					Datacenter: "dc1",
 				}
 
@@ -836,7 +839,7 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 func TestAutoConfig_updateJoinAddressesInConfig(t *testing.T) {
 	addrs := []string{"198.18.0.7:8300", "198.18.0.1:8300"}
 	backend := &mockAutoConfigBackend{}
-	backend.On("DatacenterJoinAddresses", "").Return(addrs, nil).Once()
+	backend.On("DatacenterJoinAddresses", "", "").Return(addrs, nil).Once()
 
 	ac := AutoConfig{backend: backend}
 
diff --git a/proto/pbautoconf/auto_config.pb.go b/proto/pbautoconf/auto_config.pb.go
index 2fb0b0132..8a4c25b5d 100644
--- a/proto/pbautoconf/auto_config.pb.go
+++ b/proto/pbautoconf/auto_config.pb.go
@@ -37,6 +37,8 @@ type AutoConfigRequest struct {
 	Node string `protobuf:"bytes,2,opt,name=Node,proto3" json:"Node,omitempty"`
 	// Segment is the network segment that the requester would like to join
 	Segment string `protobuf:"bytes,4,opt,name=Segment,proto3" json:"Segment,omitempty"`
+	// Partition is the partition that the requester would like to join
+	Partition string `protobuf:"bytes,8,opt,name=Partition,proto3" json:"Partition,omitempty"`
 	// JWT is a signed JSON Web Token used to authorize the request
 	JWT string `protobuf:"bytes,5,opt,name=JWT,proto3" json:"JWT,omitempty"`
 	// ConsulToken is a Consul ACL token that the agent requesting the
@@ -104,6 +106,13 @@ func (m *AutoConfigRequest) GetSegment() string {
 	return ""
 }
 
+func (m *AutoConfigRequest) GetPartition() string {
+	if m != nil {
+		return m.Partition
+	}
+	return ""
+}
+
 func (m *AutoConfigRequest) GetJWT() string {
 	if m != nil {
 		return m.JWT
@@ -212,29 +221,30 @@ func init() {
 }
 
 var fileDescriptor_ccc5af992e5daf69 = []byte{
-	// 347 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xc1, 0x4a, 0xc3, 0x30,
-	0x18, 0xc7, 0x8d, 0x9b, 0x9b, 0x4b, 0x41, 0x66, 0x76, 0x09, 0x13, 0xcb, 0xd8, 0x41, 0x86, 0x48,
-	0x2b, 0x13, 0xaf, 0xc2, 0x8c, 0x1e, 0xf4, 0xe0, 0x21, 0x1b, 0x08, 0x5e, 0xa4, 0xeb, 0xb2, 0xad,
-	0xb8, 0x25, 0xb5, 0xf9, 0x02, 0x3e, 0x8a, 0x6f, 0xe0, 0xab, 0x78, 0xd4, 0x37, 0x90, 0xf9, 0x22,
-	0xd2, 0xb4, 0x95, 0x20, 0x9e, 0xfa, 0xef, 0xff, 0xf7, 0xfb, 0xe0, 0x6b, 0x13, 0xdc, 0x4f, 0x33,
-	0x05, 0x2a, 0x4c, 0xa7, 0x91, 0x01, 0x15, 0x2b, 0x39, 0x0f, 0xf3, 0xf0, 0x98, 0xa7, 0x64, 0x11,
-	0x58, 0x48, 0x76, 0x2b, 0xd6, 0x3d, 0xa8, 0xec, 0x82, 0x87, 0xae, 0xd6, 0x3d, 0x74, 0xa0, 0x14,
-	0x31, 0x84, 0xe5, 0xb3, 0xc0, 0xfd, 0x37, 0x84, 0xf7, 0x47, 0x06, 0x14, 0xb3, 0x33, 0x5c, 0x3c,
-	0x1b, 0xa1, 0x81, 0xf8, 0x18, 0x5f, 0x45, 0x10, 0xc5, 0x42, 0x82, 0xc8, 0x28, 0xea, 0xa1, 0x41,
-	0x8b, 0x3b, 0x0d, 0x21, 0xb8, 0x7e, 0xa7, 0x66, 0x82, 0x6e, 0x5b, 0x62, 0x33, 0xa1, 0xb8, 0x39,
-	0x16, 0x8b, 0xb5, 0x90, 0x40, 0xeb, 0xb6, 0xae, 0x5e, 0x49, 0x1b, 0xd7, 0x6e, 0xef, 0x27, 0x74,
-	0xc7, 0xb6, 0x79, 0x24, 0x3d, 0xec, 0x31, 0x25, 0xb5, 0x59, 0x4d, 0xd4, 0x93, 0x90, 0xb4, 0x61,
-	0x89, 0x5b, 0xe5, 0x33, 0x6c, 0xcc, 0x69, 0xb3, 0x98, 0x61, 0x63, 0xde, 0xff, 0x44, 0x98, 0xb8,
-	0x9b, 0xea, 0x54, 0x49, 0x2d, 0xc8, 0x11, 0x6e, 0x14, 0x8d, 0x5d, 0xd3, 0x1b, 0xee, 0x05, 0xe5,
-	0xe7, 0x97, 0x5e, 0x49, 0xc9, 0x31, 0x6e, 0xb2, 0x11, 0x57, 0x0a, 0xb4, 0xdd, 0xda, 0x1b, 0xb6,
-	0x83, 0xea, 0x4f, 0x94, 0x3d, 0xaf, 0x04, 0x72, 0x8e, 0x3d, 0x26, 0x32, 0x48, 0xe6, 0x49, 0x1c,
-	0x81, 0xa0, 0x35, 0xeb, 0x77, 0x7e, 0xfd, 0x1b, 0xad, 0x8d, 0x98, 0xe5, 0x06, 0x77, 0x3d, 0x72,
-	0x8a, 0x3b, 0xd7, 0x2f, 0x90, 0x45, 0x6c, 0xe4, 0xb4, 0x9a, 0xd6, 0x7b, 0xb5, 0x41, 0x8b, 0xff,
-	0x87, 0x2e, 0x2f, 0xde, 0x37, 0x3e, 0xfa, 0xd8, 0xf8, 0xe8, 0x6b, 0xe3, 0xa3, 0xd7, 0x6f, 0x7f,
-	0xeb, 0xe1, 0x64, 0x91, 0xc0, 0xd2, 0x4c, 0x83, 0x58, 0xad, 0xc3, 0x65, 0xa4, 0x97, 0x49, 0xac,
-	0xb2, 0x34, 0x3f, 0x33, 0x6d, 0x56, 0xe1, 0xdf, 0x5b, 0x31, 0x6d, 0xd8, 0xe6, 0xec, 0x27, 0x00,
-	0x00, 0xff, 0xff, 0xe2, 0x1d, 0x6e, 0x48, 0x30, 0x02, 0x00, 0x00,
+	// 361 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xcf, 0x4a, 0xc3, 0x40,
+	0x10, 0xc6, 0x8d, 0xad, 0xfd, 0xb3, 0x01, 0xa9, 0xdb, 0xcb, 0x52, 0x35, 0x94, 0x1e, 0xa4, 0x88,
+	0x24, 0x52, 0xf1, 0x2a, 0xd4, 0xe8, 0x41, 0x0f, 0x22, 0xdb, 0x82, 0xe0, 0x45, 0xd2, 0x74, 0xdb,
+	0x06, 0xdb, 0x9d, 0x98, 0x9d, 0x80, 0x8f, 0xe2, 0x0b, 0x09, 0x1e, 0xf5, 0x0d, 0xa4, 0xbe, 0x88,
+	0x64, 0x93, 0xe8, 0x22, 0x9e, 0xf2, 0xe5, 0xf7, 0xfb, 0xe6, 0x30, 0x93, 0x90, 0x5e, 0x9c, 0x00,
+	0x82, 0x17, 0x4f, 0x82, 0x14, 0x21, 0x04, 0x39, 0xf3, 0xb2, 0xf0, 0x90, 0xa5, 0x68, 0xee, 0x6a,
+	0x49, 0x1b, 0xa5, 0xeb, 0xec, 0x96, 0xed, 0xdc, 0x7b, 0x66, 0xad, 0xb3, 0x6f, 0x48, 0x29, 0x42,
+	0xf4, 0x8a, 0x67, 0xae, 0x7b, 0xaf, 0x16, 0xd9, 0x19, 0xa6, 0x08, 0xbe, 0x9e, 0xe1, 0xe2, 0x29,
+	0x15, 0x0a, 0xa9, 0x43, 0xc8, 0x45, 0x80, 0x41, 0x28, 0x24, 0x8a, 0x84, 0x59, 0x5d, 0xab, 0xdf,
+	0xe4, 0x06, 0xa1, 0x94, 0x54, 0x6f, 0x60, 0x2a, 0xd8, 0xa6, 0x36, 0x3a, 0x53, 0x46, 0xea, 0x23,
+	0x31, 0x5f, 0x09, 0x89, 0xac, 0xaa, 0x71, 0xf9, 0x4a, 0xf7, 0x48, 0xf3, 0x36, 0x48, 0x30, 0xc2,
+	0x08, 0x24, 0x6b, 0x68, 0xf7, 0x0b, 0x68, 0x8b, 0x54, 0xae, 0xef, 0xc6, 0x6c, 0x4b, 0xf3, 0x2c,
+	0xd2, 0x2e, 0xb1, 0x7d, 0x90, 0x2a, 0x5d, 0x8e, 0xe1, 0x51, 0x48, 0x56, 0xd3, 0xc6, 0x44, 0xd9,
+	0x8c, 0x3f, 0xe2, 0xac, 0x9e, 0xcf, 0xf8, 0x23, 0xde, 0xfb, 0xb0, 0x08, 0x35, 0xf7, 0x50, 0x31,
+	0x48, 0x25, 0xe8, 0x01, 0xa9, 0xe5, 0x44, 0x2f, 0x61, 0x0f, 0xb6, 0xdd, 0xe2, 0x38, 0x45, 0xaf,
+	0xb0, 0xf4, 0x90, 0xd4, 0xfd, 0x21, 0x07, 0x40, 0xa5, 0x77, 0xb2, 0x07, 0x2d, 0xb7, 0xbc, 0x53,
+	0xc1, 0x79, 0x59, 0xa0, 0xa7, 0xc4, 0xf6, 0x45, 0x82, 0xd1, 0x2c, 0x0a, 0x03, 0x14, 0xac, 0xa2,
+	0xfb, 0xed, 0x9f, 0xfe, 0x95, 0x52, 0xa9, 0x98, 0x66, 0x0d, 0x6e, 0xf6, 0xe8, 0x31, 0x69, 0x5f,
+	0x3e, 0x63, 0x12, 0xf8, 0x43, 0x83, 0x2a, 0x56, 0xed, 0x56, 0xfa, 0x4d, 0xfe, 0x9f, 0x3a, 0x3f,
+	0x7b, 0x5b, 0x3b, 0xd6, 0xfb, 0xda, 0xb1, 0x3e, 0xd7, 0x8e, 0xf5, 0xf2, 0xe5, 0x6c, 0xdc, 0x1f,
+	0xcd, 0x23, 0x5c, 0xa4, 0x13, 0x37, 0x84, 0x95, 0xb7, 0x08, 0xd4, 0x22, 0x0a, 0x21, 0x89, 0xb3,
+	0x2f, 0xaa, 0xd2, 0xa5, 0xf7, 0xf7, 0x9f, 0x99, 0xd4, 0x34, 0x39, 0xf9, 0x0e, 0x00, 0x00, 0xff,
+	0xff, 0x65, 0x57, 0x2e, 0x30, 0x4e, 0x02, 0x00, 0x00,
 }
 
 func (m *AutoConfigRequest) Marshal() (dAtA []byte, err error) {
@@ -261,6 +271,13 @@ func (m *AutoConfigRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Partition) > 0 {
+		i -= len(m.Partition)
+		copy(dAtA[i:], m.Partition)
+		i = encodeVarintAutoConfig(dAtA, i, uint64(len(m.Partition)))
+		i--
+		dAtA[i] = 0x42
+	}
 	if len(m.CSR) > 0 {
 		i -= len(m.CSR)
 		copy(dAtA[i:], m.CSR)
@@ -419,6 +436,10 @@ func (m *AutoConfigRequest) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovAutoConfig(uint64(l))
 	}
+	l = len(m.Partition)
+	if l > 0 {
+		n += 1 + l + sovAutoConfig(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -682,6 +703,38 @@ func (m *AutoConfigRequest) Unmarshal(dAtA []byte) error {
 			}
 			m.CSR = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAutoConfig
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAutoConfig
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthAutoConfig
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Partition = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipAutoConfig(dAtA[iNdEx:])
diff --git a/proto/pbautoconf/auto_config.proto b/proto/pbautoconf/auto_config.proto
index aa7f4e381..3a4db6575 100644
--- a/proto/pbautoconf/auto_config.proto
+++ b/proto/pbautoconf/auto_config.proto
@@ -7,7 +7,7 @@ option go_package = "github.com/hashicorp/consul/proto/pbautoconf";
 import "proto/pbconfig/config.proto";
 import "proto/pbconnect/connect.proto";
 
-// AutoConfigRequest is the data structure to be sent along with the 
+// AutoConfigRequest is the data structure to be sent along with the
 // AutoConfig.InitialConfiguration RPC
 message AutoConfigRequest {
    // Datacenter is the local datacenter name. This wont actually be set by clients
@@ -15,21 +15,24 @@ message AutoConfigRequest {
    // the leader. If it ever happens to be set and differs from the local datacenters
    // name then an error should be returned.
    string Datacenter = 1;
-   
+
    // Node is the node name that the requester would like to assume
    // the identity of.
    string Node = 2;
-   
+
    // Segment is the network segment that the requester would like to join
    string Segment = 4;
 
+   // Partition is the partition that the requester would like to join
+   string Partition = 8;
+
    // JWT is a signed JSON Web Token used to authorize the request
    string JWT = 5;
-   
+
    // ConsulToken is a Consul ACL token that the agent requesting the
    // configuration already has.
    string ConsulToken = 6;
-   
+
    // CSR is a certificate signing request to be used when generating the
    // agents TLS certificate
    string CSR = 7;
@@ -39,13 +42,13 @@ message AutoConfigRequest {
 message AutoConfigResponse {
    // Config is the partial Consul configuration to inject into the agents own configuration
    config.Config Config = 1;
-   
+
    // CARoots is the current list of Connect CA Roots
    connect.CARoots CARoots = 2;
    // Certificate is the TLS certificate issued for the agent
    connect.IssuedCert Certificate = 3;
-   
+
    // ExtraCACertificates holds non-Connect certificates that may be necessary
    // to verify TLS connections with the Consul servers
    repeated string ExtraCACertificates = 4;
-}
\ No newline at end of file
+}
diff --git a/proto/pbautoconf/auto_config_oss.go b/proto/pbautoconf/auto_config_oss.go
new file mode 100644
index 000000000..461bfb1a7
--- /dev/null
+++ b/proto/pbautoconf/auto_config_oss.go
@@ -0,0 +1,8 @@
+//go:build !consulent
+// +build !consulent
+
+package pbautoconf
+
+func (req *AutoConfigRequest) PartitionOrDefault() string {
+	return ""
+}
diff --git a/proto/pbconfig/config.pb.go b/proto/pbconfig/config.pb.go
index 90e743dc9..901e147de 100644
--- a/proto/pbconfig/config.pb.go
+++ b/proto/pbconfig/config.pb.go
@@ -27,6 +27,7 @@ type Config struct {
 	PrimaryDatacenter    string       `protobuf:"bytes,2,opt,name=PrimaryDatacenter,proto3" json:"PrimaryDatacenter,omitempty"`
 	NodeName             string       `protobuf:"bytes,3,opt,name=NodeName,proto3" json:"NodeName,omitempty"`
 	SegmentName          string       `protobuf:"bytes,4,opt,name=SegmentName,proto3" json:"SegmentName,omitempty"`
+	Partition            string       `protobuf:"bytes,9,opt,name=Partition,proto3" json:"Partition,omitempty"`
 	ACL                  *ACL         `protobuf:"bytes,5,opt,name=ACL,proto3" json:"ACL,omitempty"`
 	AutoEncrypt          *AutoEncrypt `protobuf:"bytes,6,opt,name=AutoEncrypt,proto3" json:"AutoEncrypt,omitempty"`
 	Gossip               *Gossip      `protobuf:"bytes,7,opt,name=Gossip,proto3" json:"Gossip,omitempty"`
@@ -97,6 +98,13 @@ func (m *Config) GetSegmentName() string {
 	return ""
 }
 
+func (m *Config) GetPartition() string {
+	if m != nil {
+		return m.Partition
+	}
+	return ""
+}
+
 func (m *Config) GetACL() *ACL {
 	if m != nil {
 		return m.ACL
@@ -679,58 +687,58 @@ func init() {
 func init() { proto.RegisterFile("proto/pbconfig/config.proto", fileDescriptor_aefa824db7b74d77) }
 
 var fileDescriptor_aefa824db7b74d77 = []byte{
-	// 802 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdd, 0x8e, 0x22, 0x45,
-	0x14, 0xb6, 0xa7, 0x77, 0x7a, 0x86, 0x83, 0x6e, 0x76, 0x6b, 0x57, 0xec, 0xf8, 0x83, 0xa4, 0x63,
-	0x36, 0xa3, 0x31, 0x83, 0xc1, 0x68, 0xd4, 0x78, 0xc3, 0xc0, 0x46, 0x71, 0x01, 0x49, 0x37, 0xae,
-	0x89, 0x37, 0xa6, 0x69, 0x0e, 0x50, 0xb1, 0xa9, 0xea, 0x54, 0x17, 0x3b, 0xe1, 0x4d, 0x7c, 0x0d,
-	0xaf, 0x7d, 0x01, 0x2f, 0x7d, 0x04, 0x1d, 0x5f, 0xc0, 0x47, 0x30, 0xf5, 0xd3, 0x4d, 0xf7, 0x08,
-	0x57, 0x70, 0xbe, 0xef, 0xab, 0x53, 0xe7, 0xaf, 0x4e, 0xc3, 0x3b, 0x99, 0xe0, 0x92, 0x77, 0xb3,
-	0x45, 0xc2, 0xd9, 0x8a, 0xae, 0xbb, 0xe6, 0xe7, 0x5a, 0xa3, 0xc4, 0x33, 0x56, 0xf0, 0xdb, 0x19,
-	0x78, 0x03, 0xfd, 0x97, 0xb4, 0x01, 0x86, 0xb1, 0x8c, 0x13, 0x64, 0x12, 0x85, 0xef, 0x74, 0x9c,
-	0xab, 0x46, 0x58, 0x41, 0xc8, 0xc7, 0xf0, 0x78, 0x26, 0xe8, 0x36, 0x16, 0xfb, 0x8a, 0xec, 0x4c,
-	0xcb, 0xfe, 0x4f, 0x90, 0xb7, 0xe1, 0x72, 0xca, 0x97, 0x38, 0x8d, 0xb7, 0xe8, 0xbb, 0x5a, 0x54,
-	0xda, 0xa4, 0x03, 0xcd, 0x08, 0xd7, 0x5b, 0x64, 0x52, 0xd3, 0x0f, 0x34, 0x5d, 0x85, 0xc8, 0x7b,
-	0xe0, 0xf6, 0x07, 0x63, 0xff, 0xbc, 0xe3, 0x5c, 0x35, 0x7b, 0xcd, 0x6b, 0x1b, 0x7a, 0x7f, 0x30,
-	0x0e, 0x15, 0x4e, 0x3e, 0x83, 0x66, 0x7f, 0x27, 0xf9, 0x73, 0x96, 0x88, 0x7d, 0x26, 0x7d, 0x4f,
-	0xcb, 0x9e, 0x94, 0xb2, 0x03, 0x15, 0x56, 0x75, 0xe4, 0x19, 0x78, 0xdf, 0xf0, 0x3c, 0xa7, 0x99,
-	0x7f, 0xa1, 0x4f, 0x3c, 0x2c, 0x4e, 0x18, 0x34, 0xb4, 0xac, 0xba, 0x7d, 0x3e, 0x8e, 0xfc, 0xcb,
-	0xfa, 0xed, 0xf3, 0x71, 0x14, 0x2a, 0x3c, 0x58, 0x15, 0x6e, 0xc8, 0x17, 0x00, 0xd6, 0x37, 0xe5,
-	0x4c, 0x97, 0xac, 0xd9, 0xf3, 0xeb, 0x4e, 0x0f, 0x7c, 0x58, 0xd1, 0x92, 0x00, 0x5e, 0x0f, 0x51,
-	0x8a, 0xfd, 0x77, 0x9c, 0xb2, 0x71, 0x7f, 0xea, 0x9f, 0x75, 0xdc, 0xab, 0x46, 0x58, 0xc3, 0x02,
-	0x09, 0x8f, 0xee, 0xfb, 0x20, 0x8f, 0xc0, 0x7d, 0x81, 0x7b, 0xdb, 0x1d, 0xf5, 0x97, 0x3c, 0x83,
-	0x87, 0x2f, 0x51, 0xd0, 0xd5, 0x7e, 0xc4, 0x12, 0xbe, 0xa5, 0x6c, 0xad, 0x7b, 0x72, 0x19, 0xde,
-	0x43, 0x0f, 0xba, 0xef, 0x77, 0x72, 0xcd, 0x95, 0xce, 0xad, 0xea, 0x0a, 0x34, 0xf8, 0xdb, 0xd1,
-	0xd9, 0x1f, 0xd1, 0x3b, 0xc7, 0xf4, 0xa4, 0x07, 0x4f, 0x0d, 0x12, 0xa1, 0x78, 0x85, 0xe2, 0x5b,
-	0x9e, 0x4b, 0xa6, 0xba, 0x6a, 0xa2, 0x38, 0xca, 0xa9, 0xec, 0x07, 0x34, 0xdb, 0xa0, 0x88, 0x76,
-	0x54, 0x62, 0x6e, 0x07, 0xa4, 0x86, 0xa9, 0x71, 0x9c, 0x50, 0xf6, 0x12, 0x45, 0xae, 0x6a, 0x6b,
-	0x66, 0xa4, 0x82, 0x90, 0xaf, 0xc0, 0x9f, 0x09, 0x5c, 0xa1, 0x30, 0xbe, 0x6b, 0xfe, 0xce, 0xf5,
-	0xdd, 0x27, 0xf9, 0xe0, 0x77, 0x57, 0xcf, 0x17, 0xf1, 0xe1, 0xe2, 0x39, 0x8b, 0x17, 0x29, 0x2e,
-	0x6d, 0x72, 0x85, 0x49, 0xde, 0x85, 0xc6, 0x8c, 0xa7, 0x34, 0xd9, 0xcf, 0xe7, 0x63, 0x3b, 0xe4,
-	0x07, 0x40, 0x9d, 0x0b, 0x79, 0x8a, 0x8a, 0x33, 0xa1, 0x17, 0xa6, 0x1a, 0xfb, 0x39, 0xff, 0x05,
-	0x99, 0xa2, 0x4c, 0xcc, 0xa5, 0xad, 0x1f, 0x18, 0xbf, 0x65, 0xc6, 0x8d, 0x8e, 0x51, 0x3d, 0xb0,
-	0x12, 0x21, 0x1f, 0xc0, 0x1b, 0x43, 0x5c, 0xc5, 0xbb, 0x54, 0x5a, 0x89, 0xa7, 0x25, 0x75, 0x90,
-	0x7c, 0x02, 0x4f, 0x4c, 0x90, 0x2f, 0x70, 0x3f, 0xa6, 0x79, 0xa1, 0xbd, 0xd0, 0xf1, 0x1f, 0xa3,
-	0xc8, 0x87, 0xe0, 0xe9, 0x18, 0x72, 0x3b, 0xd1, 0x8f, 0x2b, 0xef, 0xc9, 0x10, 0xa1, 0x15, 0x90,
-	0x2f, 0xa1, 0x35, 0xc4, 0x4c, 0x60, 0x12, 0x4b, 0x5c, 0xfe, 0x3c, 0xa4, 0xb9, 0xae, 0x86, 0x4a,
-	0xa6, 0xa1, 0x62, 0xb9, 0x39, 0xf3, 0x9d, 0xf0, 0xcd, 0x83, 0xa2, 0x22, 0x20, 0x9f, 0x43, 0xcb,
-	0x5c, 0xae, 0x5d, 0xcd, 0x54, 0x97, 0x72, 0x89, 0x2c, 0x41, 0x1f, 0x74, 0x68, 0x27, 0x58, 0x95,
-	0xcf, 0x24, 0x9a, 0x59, 0x4f, 0x37, 0x9c, 0xcb, 0x5c, 0x8a, 0x38, 0xf3, 0x9b, 0x26, 0x9f, 0x23,
-	0x54, 0xf0, 0xaf, 0x03, 0x8d, 0x32, 0x74, 0xd2, 0x02, 0x6f, 0x12, 0xe7, 0x87, 0x95, 0x65, 0x2d,
-	0xb5, 0x64, 0x42, 0xcc, 0x52, 0x9a, 0xc4, 0xfa, 0x71, 0x9a, 0x1e, 0x56, 0x21, 0xa5, 0xe8, 0xaf,
-	0x91, 0x49, 0x7b, 0xdc, 0x74, 0xb2, 0x0a, 0xa9, 0x3e, 0xdb, 0xe2, 0xdb, 0x66, 0x16, 0x26, 0x79,
-	0x0a, 0xe7, 0x5a, 0x68, 0xdb, 0x68, 0x0c, 0xf2, 0x23, 0xb4, 0x26, 0x31, 0x8b, 0xd7, 0xb8, 0x54,
-	0x43, 0x47, 0x13, 0x9c, 0x09, 0xfe, 0x8a, 0x2e, 0x51, 0xf8, 0x5e, 0xc7, 0xbd, 0x6a, 0xf6, 0xde,
-	0xaf, 0x54, 0xfe, 0x9e, 0x42, 0x67, 0x13, 0x9e, 0x38, 0x1e, 0xfc, 0x00, 0x6f, 0x9d, 0x38, 0xa2,
-	0xa6, 0xaa, 0x9f, 0x24, 0x98, 0xe7, 0x5c, 0x8c, 0x86, 0xc5, 0xda, 0x3e, 0x20, 0x6a, 0x22, 0x23,
-	0x4c, 0x04, 0xca, 0xd1, 0xd0, 0x16, 0xa1, 0xb4, 0x03, 0x5a, 0xdb, 0xa3, 0x6a, 0xb9, 0xa8, 0xbd,
-	0x67, 0x9e, 0x82, 0x5e, 0x02, 0x2d, 0xf0, 0x86, 0xd3, 0x28, 0x2a, 0x17, 0x94, 0xb5, 0x54, 0xfa,
-	0xa3, 0x99, 0x82, 0x5d, 0x0d, 0x1b, 0x43, 0x5d, 0xd5, 0x4f, 0x53, 0x7e, 0xab, 0x9c, 0x3c, 0xd0,
-	0x4e, 0x4a, 0xfb, 0xe6, 0xeb, 0x3f, 0xee, 0xda, 0xce, 0x9f, 0x77, 0x6d, 0xe7, 0xaf, 0xbb, 0xb6,
-	0xf3, 0xeb, 0x3f, 0xed, 0xd7, 0x7e, 0xfa, 0x68, 0x4d, 0xe5, 0x66, 0xb7, 0xb8, 0x4e, 0xf8, 0xb6,
-	0xbb, 0x89, 0xf3, 0x0d, 0x4d, 0xb8, 0xc8, 0xd4, 0x57, 0x2a, 0xdf, 0xa5, 0xdd, 0xfa, 0xb7, 0x6b,
-	0xe1, 0x69, 0xfb, 0xd3, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, 0x54, 0x4a, 0x4e, 0xf1, 0xd4, 0x06,
-	0x00, 0x00,
+	// 811 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdb, 0x8e, 0xe3, 0x44,
+	0x10, 0xc5, 0xe3, 0x1d, 0xcf, 0xa4, 0x02, 0xab, 0xdd, 0xde, 0x25, 0x58, 0x5c, 0x42, 0x64, 0xa1,
+	0xd5, 0x80, 0xd0, 0x0c, 0x1a, 0x04, 0x02, 0xc4, 0x4b, 0x26, 0x59, 0x41, 0xd8, 0x24, 0x44, 0x76,
+	0x58, 0x24, 0x5e, 0x90, 0xe3, 0x54, 0x92, 0x16, 0x4e, 0xb7, 0xd5, 0xee, 0xec, 0x28, 0x7f, 0xc2,
+	0xbf, 0xf0, 0x03, 0xbc, 0xc1, 0x27, 0xc0, 0xf0, 0x03, 0x7c, 0x02, 0xea, 0x8b, 0x6f, 0x43, 0xf2,
+	0x94, 0xd4, 0x39, 0xa7, 0xab, 0xab, 0xba, 0x2e, 0x86, 0x77, 0x32, 0xc1, 0x25, 0xbf, 0xca, 0x16,
+	0x09, 0x67, 0x2b, 0xba, 0xbe, 0x32, 0x3f, 0x97, 0x1a, 0x25, 0x9e, 0xb1, 0x82, 0x3f, 0x4e, 0xc0,
+	0x1b, 0xe8, 0xbf, 0xa4, 0x0b, 0x30, 0x8c, 0x65, 0x9c, 0x20, 0x93, 0x28, 0x7c, 0xa7, 0xe7, 0x5c,
+	0xb4, 0xc2, 0x1a, 0x42, 0x3e, 0x86, 0xc7, 0x33, 0x41, 0xb7, 0xb1, 0xd8, 0xd7, 0x64, 0x27, 0x5a,
+	0xf6, 0x7f, 0x82, 0xbc, 0x0d, 0xe7, 0x53, 0xbe, 0xc4, 0x69, 0xbc, 0x45, 0xdf, 0xd5, 0xa2, 0xd2,
+	0x26, 0x3d, 0x68, 0x47, 0xb8, 0xde, 0x22, 0x93, 0x9a, 0x7e, 0xa0, 0xe9, 0x3a, 0x44, 0xde, 0x85,
+	0xd6, 0x2c, 0x16, 0x92, 0x4a, 0xca, 0x99, 0xdf, 0xd2, 0x7c, 0x05, 0x90, 0xf7, 0xc0, 0xed, 0x0f,
+	0xc6, 0xfe, 0x69, 0xcf, 0xb9, 0x68, 0x5f, 0xb7, 0x2f, 0x6d, 0x62, 0xfd, 0xc1, 0x38, 0x54, 0x38,
+	0xf9, 0x0c, 0xda, 0xfd, 0x9d, 0xe4, 0xcf, 0x59, 0x22, 0xf6, 0x99, 0xf4, 0x3d, 0x2d, 0x7b, 0x52,
+	0xca, 0x2a, 0x2a, 0xac, 0xeb, 0xc8, 0x33, 0xf0, 0xbe, 0xe1, 0x79, 0x4e, 0x33, 0xff, 0x4c, 0x9f,
+	0x78, 0x58, 0x9c, 0x30, 0x68, 0x68, 0x59, 0x75, 0xfb, 0x7c, 0x1c, 0xf9, 0xe7, 0xcd, 0xdb, 0xe7,
+	0xe3, 0x28, 0x54, 0x78, 0xb0, 0x2a, 0xdc, 0x90, 0x2f, 0x00, 0xac, 0x6f, 0x95, 0x85, 0xa3, 0xf5,
+	0x7e, 0xd3, 0x69, 0xc5, 0x87, 0x35, 0x2d, 0x09, 0xe0, 0xf5, 0x10, 0xa5, 0xd8, 0x7f, 0xc7, 0x29,
+	0x1b, 0xf7, 0xa7, 0xfe, 0x49, 0xcf, 0xbd, 0x68, 0x85, 0x0d, 0x2c, 0x90, 0xf0, 0xe8, 0xbe, 0x0f,
+	0xf2, 0x08, 0xdc, 0x17, 0xb8, 0xb7, 0xb5, 0x53, 0x7f, 0xc9, 0x33, 0x78, 0xf8, 0x12, 0x05, 0x5d,
+	0xed, 0x47, 0x2c, 0xe1, 0x5b, 0xca, 0xd6, 0xba, 0x62, 0xe7, 0xe1, 0x3d, 0xb4, 0xd2, 0x7d, 0xbf,
+	0x93, 0x6b, 0xae, 0x74, 0x6e, 0x5d, 0x57, 0xa0, 0xc1, 0xdf, 0x8e, 0xce, 0xfe, 0x80, 0xde, 0x39,
+	0xa4, 0x27, 0xd7, 0xf0, 0xd4, 0x20, 0x11, 0x8a, 0x57, 0x28, 0xbe, 0xe5, 0xb9, 0x64, 0xaa, 0xe6,
+	0x26, 0x8a, 0x83, 0x9c, 0xca, 0x7e, 0x40, 0xb3, 0x0d, 0x8a, 0x68, 0x47, 0x25, 0xe6, 0xb6, 0x7d,
+	0x1a, 0x98, 0x6a, 0xd6, 0x09, 0x65, 0x2f, 0x51, 0xe4, 0xea, 0x6d, 0x4d, 0x07, 0xd5, 0x10, 0xf2,
+	0x15, 0xf8, 0x33, 0x81, 0x2b, 0x14, 0xc6, 0x77, 0xc3, 0xdf, 0xa9, 0xbe, 0xfb, 0x28, 0x1f, 0xfc,
+	0xe6, 0xea, 0xfe, 0x22, 0x3e, 0x9c, 0x3d, 0x67, 0xf1, 0x22, 0xc5, 0xa5, 0x4d, 0xae, 0x30, 0x75,
+	0x7b, 0xf2, 0x94, 0x26, 0xfb, 0xf9, 0x7c, 0x6c, 0x47, 0xa0, 0x02, 0xd4, 0xb9, 0x90, 0xa7, 0xa8,
+	0x38, 0x13, 0x7a, 0x61, 0xaa, 0xa1, 0x98, 0xf3, 0x5f, 0x90, 0x29, 0xca, 0xc4, 0x5c, 0xda, 0x7a,
+	0xfc, 0xf8, 0x2d, 0x33, 0x6e, 0x74, 0x8c, 0x6a, 0xfc, 0x4a, 0x84, 0x7c, 0x00, 0x6f, 0x0c, 0x71,
+	0x15, 0xef, 0x52, 0x69, 0x25, 0x9e, 0x96, 0x34, 0x41, 0xf2, 0x09, 0x3c, 0x31, 0x41, 0xbe, 0xc0,
+	0xfd, 0x98, 0xe6, 0x85, 0xf6, 0x4c, 0xc7, 0x7f, 0x88, 0x22, 0x1f, 0x82, 0xa7, 0x63, 0xc8, 0x6d,
+	0x47, 0x3f, 0xae, 0xcd, 0x93, 0x21, 0x42, 0x2b, 0x20, 0x5f, 0x42, 0x67, 0x88, 0x99, 0xc0, 0x24,
+	0x96, 0xb8, 0xfc, 0x79, 0x48, 0x73, 0xfd, 0x1a, 0x2a, 0x19, 0x3d, 0xa2, 0x37, 0x27, 0xbe, 0x13,
+	0xbe, 0x59, 0x29, 0x6a, 0x02, 0xf2, 0x39, 0x74, 0xcc, 0xe5, 0xda, 0xd5, 0x4c, 0x55, 0x29, 0x97,
+	0xc8, 0x12, 0xf4, 0x41, 0x87, 0x76, 0x84, 0x55, 0xf9, 0x4c, 0xa2, 0x99, 0xf5, 0x74, 0xc3, 0xb9,
+	0xcc, 0xa5, 0x88, 0x33, 0xbf, 0x6d, 0xf2, 0x39, 0x40, 0x05, 0xff, 0x3a, 0xd0, 0x2a, 0x43, 0x27,
+	0x1d, 0xf0, 0x26, 0x71, 0x5e, 0x2d, 0x34, 0x6b, 0xa9, 0x15, 0x14, 0x62, 0x96, 0xd2, 0x24, 0xd6,
+	0xc3, 0x69, 0x6a, 0x58, 0x87, 0x94, 0xa2, 0xbf, 0x46, 0x26, 0xed, 0x71, 0x53, 0xc9, 0x3a, 0xa4,
+	0xea, 0x6c, 0x1f, 0xdf, 0x16, 0xb3, 0x30, 0xc9, 0x53, 0x38, 0xd5, 0x42, 0x5b, 0x46, 0x63, 0x90,
+	0x1f, 0xa1, 0x33, 0x89, 0x59, 0xbc, 0xc6, 0xa5, 0x6a, 0x3a, 0x9a, 0xe0, 0x4c, 0xf0, 0x57, 0x74,
+	0x89, 0xc2, 0xf7, 0x7a, 0xee, 0x45, 0xfb, 0xfa, 0xfd, 0xda, 0xcb, 0xdf, 0x53, 0xe8, 0x6c, 0xc2,
+	0x23, 0xc7, 0x83, 0x1f, 0xe0, 0xad, 0x23, 0x47, 0x54, 0x57, 0xf5, 0x93, 0x04, 0xf3, 0x9c, 0x8b,
+	0xd1, 0xb0, 0x58, 0xea, 0x15, 0xa2, 0x3a, 0x32, 0xc2, 0x44, 0xa0, 0x1c, 0x0d, 0xed, 0x23, 0x94,
+	0x76, 0x40, 0x1b, 0x7b, 0x54, 0x2d, 0x17, 0xb5, 0xf7, 0xcc, 0x28, 0xe8, 0x25, 0xd0, 0x01, 0x6f,
+	0x38, 0x8d, 0xa2, 0x72, 0x41, 0x59, 0x4b, 0xa5, 0x3f, 0x9a, 0x29, 0xd8, 0xd5, 0xb0, 0x31, 0xd4,
+	0x55, 0xfd, 0x34, 0xe5, 0xb7, 0xca, 0xc9, 0x03, 0xed, 0xa4, 0xb4, 0x6f, 0xbe, 0xfe, 0xfd, 0xae,
+	0xeb, 0xfc, 0x79, 0xd7, 0x75, 0xfe, 0xba, 0xeb, 0x3a, 0xbf, 0xfe, 0xd3, 0x7d, 0xed, 0xa7, 0x8f,
+	0xd6, 0x54, 0x6e, 0x76, 0x8b, 0xcb, 0x84, 0x6f, 0xaf, 0x36, 0x71, 0xbe, 0xa1, 0x09, 0x17, 0x99,
+	0xfa, 0x86, 0xe5, 0xbb, 0xf4, 0xaa, 0xf9, 0x65, 0x5b, 0x78, 0xda, 0xfe, 0xf4, 0xbf, 0x00, 0x00,
+	0x00, 0xff, 0xff, 0x2f, 0xdd, 0x30, 0x50, 0xf2, 0x06, 0x00, 0x00,
 }
 
 func (m *Config) Marshal() (dAtA []byte, err error) {
@@ -757,6 +765,13 @@ func (m *Config) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Partition) > 0 {
+		i -= len(m.Partition)
+		copy(dAtA[i:], m.Partition)
+		i = encodeVarintConfig(dAtA, i, uint64(len(m.Partition)))
+		i--
+		dAtA[i] = 0x4a
+	}
 	if m.TLS != nil {
 		{
 			size, err := m.TLS.MarshalToSizedBuffer(dAtA[:i])
@@ -1361,6 +1376,10 @@ func (m *Config) Size() (n int) {
 		l = m.TLS.Size()
 		n += 1 + l + sovConfig(uint64(l))
 	}
+	l = len(m.Partition)
+	if l > 0 {
+		n += 1 + l + sovConfig(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1887,6 +1906,38 @@ func (m *Config) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowConfig
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthConfig
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthConfig
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Partition = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipConfig(dAtA[iNdEx:])
diff --git a/proto/pbconfig/config.proto b/proto/pbconfig/config.proto
index 25b80f94e..19cb356e5 100644
--- a/proto/pbconfig/config.proto
+++ b/proto/pbconfig/config.proto
@@ -9,6 +9,7 @@ message Config {
    string      PrimaryDatacenter = 2;
    string      NodeName = 3;
    string      SegmentName = 4;
+   string      Partition = 9;
    ACL         ACL = 5;
    AutoEncrypt AutoEncrypt = 6;
    Gossip      Gossip = 7;
@@ -69,4 +70,4 @@ message AutoEncrypt {
    repeated string DNSSAN = 2;
    repeated string IPSAN = 3;
    bool            AllowTLS = 4;
-}
\ No newline at end of file
+}
diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx
index 0d509dce3..e3ae0d589 100644
--- a/website/content/docs/agent/options.mdx
+++ b/website/content/docs/agent/options.mdx
@@ -1065,6 +1065,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
 
         - `segment` <EnterpriseAlert inline /> - The network segment name the client is requesting.
 
+        - `partition` <EnterpriseAlert inline /> - The admin partition name the client is requesting.
+
 - `auto_encrypt` This object allows setting options for the `auto_encrypt` feature.
 
   The following sub-keys are available: