Security implementation is based on the final version of The OAuth 2.0 Authorization Framework. Every API request requires an
access_token as part of the authentication header. This is a three-step process.
Before starting these steps, make sure API is available as part of your plan. If you don't have access to the Developer Dashboard, contact your Account Manager or Customer Support to get it enabled.
- You need to have a valid and active PandaDoc account with a verified email address.
- Register your application at the Developer Dashboard. Please note, the application creation is only available with the production API access enabled, while you can test the public API with the Sandbox API key.
- This is a one time browser-based request to associate a PandaDoc user with API requests.
- You can find
client_idin the Developer Dashboard.
- Returns authorization
codewhich is required to generate an
codeis required to authorize a user. Returns
- Use this access token as a header in all API requests.
For additional information and visuals on how to create an
access_token [click here] (ref:create-an-access_token).
4. Optionally, Refresh Access Token
access_tokenwill expire, and accessing an API method will return 401 unauthorized. Your application needs to refresh the OAuth2 token with the stored
refresh_tokenreturned when initially creating an
- Once refreshed, calls on behalf of the originally authorized user can resume immediately. Use the newly returned
access_tokenfor all future API requests.
Access & Refresh Tokens
- You are able to create as many pairs of
refresh_tokenas you want. For each pair creation, you need a newly generated
- Please use any
GETrequest to verify the token validity.
- Unfortunately, we don't have an
access_tokeninvalidation mechanism, the invalidation + new