# OAuth 2.0 Authentication Process
PandaDoc is an OAuth 2.0 provider.
Security implementation is based on the final version of [The OAuth 2.0 Authorization Framework](http://tools.ietf.org/html/rfc6749). Every API request requires an `access_token` in the `Authorization` header. This is a three-step process.
Before starting these steps, make sure the API is available as part of your plan. If you don't have access to the Developer Dashboard, contact your Account Manager or [Customer Support](https://www.pandadoc.com/contact/) to get it enabled.
## Steps
### 1. [Set up an Application](https://app.pandadoc.com/a/#/settings/api-dashboard/configuration)
* You need to have a valid and active PandaDoc account with a verified email address.
* Register your application at the [Developer Dashboard](https://app.pandadoc.com/a/#/settings/api-dashboard/configuration). Note that application creation is only available once production API access is enabled; the public API can still be tested with the Sandbox API key.
Create and manage your API application [now](https://app.pandadoc.com/a/#/settings/api-dashboard/configuration).
### 2. [Authorize a User](https://developers.pandadoc.com/reference/authorize-a-user)
* This is a one-time, browser-based request to associate a PandaDoc user with API requests.
* You can find `client_id` in the [Developer Dashboard](https://app.pandadoc.com/a/#/settings/api-dashboard/configuration).
* Returns an authorization `code`, which is required to generate an `access_token`.
Send the authenticating user to the PandaDoc OAuth2 request URL. We recommend a button or link titled "Connect to PandaDoc" if you are connecting users from a custom application. Users will see the "Authorize Application" screen. When the user clicks "Authorize", PandaDoc redirects the user back to your site with an authorization code inside the URL.
```json Authorization URL
https://app.pandadoc.com/oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&scope=read+write&response_type=code
```
[Check your application settings here](https://app.pandadoc.com/a/#/settings/api-dashboard/configuration). `client_id` and `redirect_uri` values should match your application settings.
Browser Authorization View
> Scope
>
> If you're developing a server-side-only solution, you still need to perform the authentication process above to create an authorization `code` manually. Once associated with a user, `access_token` and `refresh_token` can be used by your application to automatically extend the validity of access tokens as needed. We suggest creating an API user in your PandaDoc workspace so that API methods create documents with this user.
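
The authorization request and the redirect back to your site, as an added example (not PandaDoc's own code). It assumes PandaDoc echoes the RFC 6749 `state` parameter unchanged, which this page does not document; the function names and the client and callback values are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://app.pandadoc.com/oauth2/authorize"  # from this page


def build_authorization_url(client_id, redirect_uri):
    """Return (url, state); keep state in the user's session before redirecting."""
    # Assumption: the RFC 6749 `state` value is returned unchanged on the redirect.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # percent-encoded by urlencode
        "scope": "read write",         # serialised as read+write, as in the URL above
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back to your site and return the authorization code."""
    got, want = urlsplit(callback_url), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(got.query, keep_blank_values=True)
    if any(len(values) != 1 for values in params.values()):
        raise ValueError("duplicated query parameter in callback")
    if "error" in params:  # RFC 6749 section 4.1.2.1 error response
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    redirect = "https://client.example/oauth/callback"  # constructed sample value
    url, state = build_authorization_url("CLIENT_ID_PLACEHOLDER", redirect)
    print(url)
    print(extract_code(f"{redirect}?code=CONSTRUCTED_CODE&state={state}", state, redirect))
```

Rejecting a callback whose `state` does not match the session keeps an authorization `code` issued to a different user from being bound to the current one.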
### 3. [Create an Access Token](https://developers.pandadoc.com/reference/create-an-access_token)
* Authorization `code` is required to authorize a user. Returns `access_token`.
* Use this access token as a header in all API requests.
Learn more: [Create an `access_token`](https://developers.pandadoc.com/reference/create-an-access_token).
### 4. Optionally, [Refresh Access Token](https://developers.pandadoc.com/reference/refresh-access_token)
* Eventually, the `access_token` will expire, and accessing an API method will return `401 Unauthorized`. Your application needs to refresh the OAuth2 token with the stored `refresh_token` returned when initially creating an `access_token`.
* Once refreshed, calls on behalf of the originally authorized user can resume immediately. Use the newly returned `access_token` for all future API requests.
> Access & Refresh Tokens
>
> 1. You are able to create as many pairs of `access_token` & `refresh_token` as you want. For each pair creation, you need a newly generated `code`.
> 2. Please use any `GET` request to verify the token validity.
> 3. To invalidate an `access_token`, just generate a new one and don't share or save it.
## How to use **OAuth 2.0 Authentication**
If you're using OAuth 2.0, use this header:
```yaml HTTP
Authorization: Bearer {{oauth_key}}
```
Example:
```yaml HTTP
Authorization: Bearer 3039ba033eb1410caa0a2227158d63c9d6502cd8
```