Don't build an API. Use the standard one for basic CRUD.
All following comments relate to trust/security:
An integration account is best practice for internal integrations, but a bad idea to share outside your company.
Resetting a password shared by all those partners is kinda painful.
If they're all using the same credentials, it'll be hard to tell which partner created the lead.
You can't do any record privacy (i.e., a partner can only see leads they created). Without record ownership you can't keep them from seeing each other's leads. Even if you restrict them to API only access, they can still query via the standard API.
Salesforce IDs are sequential, so it'd be fairly easy to guess the IDs that you didn't create (that other partners did) just by the gaps.
You could create a custom web service to do all this, capture which partner they're coming from, and restrict the query that way, but you probably would be better off getting partner licenses for them and avoiding the work. Every call would need to have some kind of authentication information included so you could determine who's calling.
Your partners likely have the expectation that you don't share leads they bring you with other partners.
Finally, consider that these leads are people, who may have shared their contact info with a single partner, but weren't planning on their data being made available to all the partners without their consent.
