PandaDoc is an OAuth 2.0 provider
Security implementation is based on the final version of The OAuth 2.0 Authorization Framework. Every API request requires an access_token
as part of the authentication header. This is a three-step process.
Before starting these steps, make sure API is available as part of your plan. If you don't have access to the Developer Dashboard, contact your Account Manager or Customer Support to get it enabled.
Steps
- You need to have a valid and active PandaDoc account with a verified email address.
- Register your application at the Developer Dashboard. Please note, the application creation is only available with the production API access enabled, while you can test the public API with the Sandbox API key.
- This is a one time browser-based request to associate a PandaDoc user with API requests.
- You can find
client_id
in the Developer Dashboard. - Returns authorization
code
which is required to generate anaccess_token
- Authorization
code
is required to authorize a user. Returnsaccess_token
. - Use this access token as a header in all API requests.
Learn more: Create an access_token
.
4. Optionally, Refresh Access Token
- Eventually,
access_token
will expire, and accessing an API method will return 401 unauthorized. Your application needs to refresh the OAuth2 token with the storedrefresh_token
returned when initially creating anaccess token
. - Once refreshed, calls on behalf of the originally authorized user can resume immediately. Use the newly returned
access_token
for all future API requests.
Access & Refresh Tokens
- You are able to create as many pairs of
access_token
&refresh_token
as you want. For each pair creation, you need a newly generatedcode
.- Please use any
GET
request to verify the token validity.- To invalidate an
access_token
, just generate a new one and don't share or save it.