Penbox CONNECT for External Partners
For external partners and providers, we put in place a CONNECT gateway that enables partners to authenticate on behalf of users and perform actions on Penbox APIs.
Credentials
To be able to use the CONNECT gateway, partners require:
- a client_id (e.g. my-super-partner)
- a client_secret (e.g. 404D635166546A576D5A713474377721)
Both are provided by Penbox once the partnership is formalized.
Authorization
The first step for a partner to be able to perform actions on behalf of a Penbox user is to obtain authorization from that user using a standard OAuth2 flow.
Concretely, you will add a "connect your Penbox account" button in your tool, that will successively:
- redirect the user to [connect.penbox.io/authorize](http://connect.penbox.io/authorize),
- there, allow the user to authenticate on Penbox and authorize the linking,
- redirect back to your website with an authorization code in the URL parameters
Make sure you URL-decode the received token before using it in the /token API POST.
You will then use this code to get an access_token (and add custom_data on Penbox side, see below).
You will receive a token, and a refresh_token, that will enable you to get back a valid token once the initial one expires. It is your responsibility to manage tokens/refresh_tokens.
The refresh_token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.
More info can be found here:
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
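The partner side of the flow above, as an added Python example (not Penbox's own code): it binds the callback to the user's session with a state value, URL-decodes the code exactly once, builds the two /token POST bodies, and tracks when a refresh is due. Assumptions not confirmed by this page: the https scheme, the RFC 6749 parameter and response field names (response_type, redirect_uri, state, grant_type, expires_in), and a form-encoded /token body.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Host and path come from the page; the https scheme and the RFC 6749
# parameter names below are assumptions, not confirmed Penbox API details.
AUTHORIZE_URL = "https://connect.penbox.io/authorize"


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Check state, then return the code URL-decoded exactly once."""
    params = parse_qs(urlsplit(callback_url).query)  # parse_qs does the decoding
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def code_grant_body(client_id, client_secret, code, redirect_uri):
    """Form body for the /token POST that exchanges the authorization code."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri,
                      "client_id": client_id, "client_secret": client_secret})


def refresh_grant_body(client_id, client_secret, refresh_token):
    """Form body for the /token POST that renews an expired access token."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})


def merge_tokens(stored, response, now):
    """Update stored tokens; keep the old refresh_token if none was returned."""
    return {"access_token": response["access_token"],
            "refresh_token": response.get("refresh_token", stored.get("refresh_token")),
            "expires_at": now + int(response.get("expires_in", 0))}


def needs_refresh(stored, now, skew=60):
    """True when the access token is expired or within skew seconds of expiring."""
    return now >= stored["expires_at"] - skew
```

Keep the client_secret and stored refresh tokens server-side only; the request bodies built here carry both and should never be assembled in browser code or written to logs.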