PandaDoc is an OAuth 2.0 provider
Security implementation is based on the final version of The OAuth 2.0 Authorization Framework. Every API request requires an access_token as part of the authentication header. This is a three-step process.
Before starting these steps, make sure API is available as part of your plan. If you don't have access to the Developer Dashboard, contact your Account Manager or Customer Support to get it enabled.
Steps
- You need to have a valid and active PandaDoc account with a verified email address.
- Register your application at the Developer Dashboard. Please note, the application creation is only available with the production API access enabled, while you can test the public API with the Sandbox API key.
Create and manage your API application now.
- This is a one time browser-based request to associate a PandaDoc user with API requests.
- You can find
client_idin the Developer Dashboard. - Returns authorization
codewhich is required to generate anaccess_token
- Authorization
codeis required to authorize a user. Returnsaccess_token. - Use this access token as a header in all API requests.
Learn more: Create an access_token.
4. Optionally, Refresh Access Token
- Eventually,
access_tokenwill expire, and accessing an API method will return 401 unauthorized. Your application needs to refresh the OAuth2 token with the storedrefresh_tokenreturned when initially creating anaccess token. - Once refreshed, calls on behalf of the originally authorized user can resume immediately. Use the newly returned
access_tokenfor all future API requests.
Access & Refresh Tokens
- You are able to create as many pairs of
access_token&refresh_tokenas you want. For each pair creation, you need a newly generatedcode.- Please use any
GETrequest to verify the token validity.- Unfortunately, we don't have an
access_tokeninvalidation mechanism, the invalidation + newaccess_tokengeneration only.