Penbox CONNECT for External Partners

For external partners and providers, we put in place a CONNECT gateway that enables partners to authenticate on behalf of users and perform actions on Penbox APIs.

Credentials

To use the CONNECT gateway, partners require:

  1. client_id (e.g. my-super-partner)
  2. client_secret (e.g. 404D635166546A576D5A713474377721)

Both are provided by Penbox once the partnership is formalized.

Authorization

The first step for a partner to be able to perform actions on behalf of a Penbox user is to obtain authorization from that user using a standard OAuth2 flow.

Concretely, you will add a "Connect your Penbox account" button in your tool, which will successively:

  1. redirect the user to [connect.penbox.io/authorize](http://connect.penbox.io/authorize),
  2. there, allow the user to authenticate on Penbox and authorize the linking,
  3. redirect back to your website with an authorization code in the URL parameters.

Make sure you URL-decode the received token before using it in the /token API POST request.

You will then use this code to get an access_token (and add custom_data on the Penbox side, see below).

You will receive a token and a refresh_token; the latter enables you to get back a valid token once the initial one expires. It is your responsibility to manage tokens and refresh_tokens.

The refresh_token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.

More info can be found here:

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
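
The flow above from the partner's side, as an added Python example that is not Penbox code: it builds the authorize redirect, extracts the URL-decoded code from the callback while checking `state`, and builds the /token request bodies for the initial exchange and for the refresh. The `response_type`, `redirect_uri`, `state`, `grant_type` and `expires_in` names follow standard OAuth2 (RFC 6749) and are assumed to apply to the CONNECT gateway, as is https; the function names are hypothetical.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Host and path are from the page; https and the query parameter names are assumptions.
AUTHORIZE_URL = "https://connect.penbox.io/authorize"


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Extract the code from the redirect; parse_qs URL-decodes it exactly once."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization refused: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request_body(client_id, client_secret, *, code=None,
                       redirect_uri=None, refresh_token=None):
    """Form body for POST /token; urlencode re-encodes the decoded values."""
    if refresh_token is not None:
        grant = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    elif code is not None:
        grant = {"grant_type": "authorization_code", "code": code,
                 "redirect_uri": redirect_uri}
    else:
        raise ValueError("need either code or refresh_token")
    fields = {**grant, "client_id": client_id, "client_secret": client_secret}
    return urlencode({k: v for k, v in fields.items() if v is not None})


def needs_refresh(issued_at, expires_in, now=None, skew=60):
    """True once the access token is within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return now >= issued_at + expires_in - skew
```

With a constructed callback query of `code=ab%2Fcd%2Bef%3D`, `code_from_callback` returns `ab/cd+ef=`, and `token_request_body` sends it re-encoded once as `ab%2Fcd%2Bef%3D`; decoding a second time by hand would corrupt values containing `%` or `+`.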