OAuth 2.0 Authentication Process

PandaDoc is an OAuth 2.0 provider

Security implementation is based on the final version of The OAuth 2.0 Authorization Framework. Every API request requires an access_token as part of the authentication header. This is a three-step process.

Before starting these steps, make sure API is available as part of your plan. If you don't have access to the Developer Dashboard, contact your Account Manager or Customer Support to get it enabled.

Steps

  • You need to have a valid and active PandaDoc account with a verified email address.
  • Register your application at the Developer Dashboard. Please note, the application creation is only available with the production API access enabled, while you can test the public API with the Sandbox API key.
28602860

Create and manage your API application now.

  • This is a one time browser-based request to associate a PandaDoc user with API requests.
  • You can find client_id in the Developer Dashboard.
  • Returns authorization code which is required to generate an access_token

  • Authorization code is required to authorize a user. Returns access_token.
  • Use this access token as a header in all API requests.

For additional information and visuals on how to create an access_token click here.

4. Optionally, Refresh Access Token

  • Eventually, access_token will expire, and accessing an API method will return 401 unauthorized. Your application needs to refresh the OAuth2 token with the stored refresh_token returned when initially creating an access token.
  • Once refreshed, calls on behalf of the originally authorized user can resume immediately. Use the newly returned access_token for all future API requests.

📘

Access & Refresh Tokens

  1. You are able to create as many pairs of access_token & refresh_token as you want. For each pair creation, you need a newly generated code.
  2. Please use any GET request to verify the token validity.
  3. Unfortunately, we don't have an access_token invalidation mechanism, the invalidation + new access_token generation only.