Authorization
This API leverages OAuth 2.0, the industry-standard protocol for authorization. OAuth 2.0 provides a secure and efficient way for users to grant websites and applications access to their information on other websites without compromising their credentials. This API’s OAuth 2.0 implementation ensures secure and controlled access to user resources without exposing user credentials to the consuming applications.
Authorization Grant Types
The API supports the OAuth 2.0 Authorization Code grant type.
Refresh Tokens
For long-term access, the API issues refresh tokens along with access tokens. When the access token expires, the application can request a new one using the refresh token without further interaction from the user.
Getting Started
To gain access to the API, developers need to contact support and request a client id and client secret.
Authorization Code Grant
The Authorization Code grant type is used by web and mobile apps. It’s considered the most secure, as it authenticates the client and authorizes the application.
How it Works
- User Authorization Request: The application directs the user to an authorization server with a query string including the client ID, redirect URI, and a list of scopes.
- User Consent: The user consents to grant the application access.
- Authorization Code: The authorization server redirects the user back to the application with an authorization code in the query string.
- Exchange Code for Token: The application requests an access token from the authorization server’s token endpoint by including the authorization code received in the previous step.
- Access Token: The authorization server validates the request and issues an access token.
The authorization server is located at `https://example.api.pxmo.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPES`
where:
- `example` is your team's subdomain.
- `CLIENT_ID` is the client ID provided to you.
- `REDIRECT_URI` is the URL to which the authorization server redirects the user after authorization is complete.
- `SCOPES` is a space-delimited list of scopes that identify the resources the application can access.
Note: the `REDIRECT_URI` must match the redirect URI registered with your application.
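The following is an added example, not part of the original documentation, covering the authorization request and the redirect back to the application: it builds the authorization URL with correct encoding and validates the callback before the code is exchanged. The `state` and `error` parameters are standard OAuth 2.0 (RFC 6749) and are assumed to be supported by this API; the redirect URI value is constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values; use the ones issued to and registered for your app.
SUBDOMAIN = "example"
CLIENT_ID = "CLIENT_ID"
REDIRECT_URI = "https://app.example.test/oauth/callback"


def build_authorization_url(scopes, state=None):
    """Return (url, state) for the user authorization request."""
    state = state or secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode(
        {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_type": "code",
            "scope": " ".join(scopes),  # space-delimited; encoded as %20 below
            "state": state,  # assumption: RFC 6749 parameter, not listed on this page
        },
        quote_via=quote,
    )
    return f"https://{SUBDOMAIN}.api.pxmo.com/oauth/authorize?{query}", state


def extract_code(callback_url, expected_state):
    """Validate the redirect back to the application and return the code."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URI")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; reject before looking at any other parameter.
    if not expected_state or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: response is not for this session")
    if "error" in params:  # assumption: RFC 6749 error response parameter
        raise ValueError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

Store the returned `state` in the user's server-side session and pass it to `extract_code` when the redirect arrives; request only the scopes the application actually needs.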
Once an access_token is obtained, it can be used to make requests to the API. The access_token is passed in the `Authorization` header as a Bearer token.
```
curl https://example.api.pxmo.com/api/proposals \
  -H 'Authorization: Bearer {access_token}'
```
Scopes
Each API endpoint requires a specific scope. The scope is passed in the `scope` query parameter when requesting an authorization code. The following scopes are available:
Scope | Description |
---|---|
profile:read | View your user profile |
profile:update | Make changes to your user profile |
notifications:read | View your notifications |
notifications:update | Make changes to your notifications |
team:update | Make changes to your team including managing its users, invitations, and subscription related information |
team:read | View your team including its users, invitations, and subscription related information |
webhooks | Subscribe, delete and sample webhooks |
proposal:create | Create new proposals |
proposal:read | View proposals |
proposal:update | Make changes to proposals |
proposal:delete | Delete proposals |
template:create | Create new templates |
template:read | View templates |
template:update | Make changes to templates |
template:delete | Delete templates |
inventory:create | Create new inventory lists and inventory items |
inventory:read | View inventory lists and inventory items |
inventory:update | Make changes to inventory lists and inventory items |
inventory:delete | Delete inventory lists and inventory items |