Penbox CONNECT for External Partners

For external partners and providers, we have put in place a CONNECT gateway that enables partners to authenticate on behalf of users and perform actions on Penbox APIs.

Credentials

To use the CONNECT gateway, partners require:

  1. client_id (e.g. my-super-partner)
  2. client_secret (e.g. 404D635166546A576D5A713474377721)

Both are provided by Penbox once the partnership is confirmed.

Authorization

The first step for a partner to be able to perform actions on behalf of a Penbox user is to get authorization from this user using a standard OAuth2 flow.

Concretely, you will add a "Connect your Penbox account" button in your tool, which will successively:

  1. redirect the user to [connect.penbox.io/authorize](http://connect.penbox.io/authorize),
  2. there, allow the user to authenticate on Penbox and authorize the linking,
  3. redirect back to your website with an authorization code in the URL parameters.

You will then use this code to get an access_token (and add custom_data on Penbox side, see below).

You will receive a token and a refresh_token; the refresh_token enables you to obtain a valid token once the initial one expires. It is your responsibility to manage tokens/refresh_tokens.

The refresh_token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.

More info can be found here:

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
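
The partner side of the flow above, as an added example (not Penbox's own code): building the authorize redirect with a state value, validating the callback, and refreshing the access token shortly before it expires. The https scheme, the RFC 6749 parameter and field names (response_type, redirect_uri, state, expires_in) and the refresh_fn callable that would call Penbox's token endpoint are assumptions not given on this page.

```python
import hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Path from the page; the https scheme and RFC 6749 parameter names are assumptions.
AUTHORIZE_URL = "https://connect.penbox.io/authorize"

def build_authorize_url(client_id, redirect_uri):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)  # unguessable value binding the callback to this session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Extract the authorization code; reject errors, a wrong state or duplicate codes."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization denied: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

class TokenStore:
    """Holds the token pair and refreshes the access token shortly before expiry."""
    def __init__(self, token_response, refresh_fn, now=time.time, skew=30):
        self._refresh_fn, self._now, self._skew = refresh_fn, now, skew
        self._apply(token_response)

    def _apply(self, resp):
        self.access_token = resp["access_token"]
        # The server may rotate the refresh token; keep the old one if none is returned.
        self.refresh_token = resp.get("refresh_token", getattr(self, "refresh_token", None))
        self.expires_at = self._now() + int(resp["expires_in"])

    def get(self):
        # refresh_fn (hypothetical) performs the refresh_token grant and returns the JSON body.
        if self._now() >= self.expires_at - self._skew:
            self._apply(self._refresh_fn(self.refresh_token))
        return self.access_token
```

Keep the client_secret and the stored refresh_token server-side only; refresh_fn is where the authenticated call to the token endpoint belongs.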