Authentication Tokens - api_token vs access_token

We have been using the existing API and the api token for a number of years to provide a custom search interface. All API calls are sent directly between the client web browser and Pipedrive servers.

Looking at the documentation regarding OAuth, it's not clear if the access_token can be used in the same way.

Before converting to OAuth authentication, we would like to confirm whether, if we pass the access_token to the client, we can use the same API calls directly between the client browser and Pipedrive servers using access_token rather than api_token.

Technically, you could. But it’s definitely not advisable because you’re exposing the token.

Even with your current implementation, I would personally add an API layer in between where you contact your own server first, and your server relays Pipedrive’s response.

For example, if you need to get the deals, the browser would call

GET https://yoursite.com/api/deals

And https://yoursite.com/api/deals would call

GET https://companydomain.pipedrive.com/v1/deals/2?api_token=<your-token>

and return the exact response.

This way you would be passing the token only on server-to-server requests and keep it safer.

I guess that if you're using the integration only within a protected network, you can afford to be looser about keeping the token hidden…

I hope that helps 🙂
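The relay layer described in the answer, written out as an added example in Python (this is not the poster's or Pipedrive's code). The browser calls `/api/deals` on your own server, the server adds the api_token and forwards the request to Pipedrive, and the upstream response is returned unchanged. The environment variable names, the `companydomain` subdomain, the route allowlist and the port are assumptions for the example.

```python
import os, re, urllib.error, urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed configuration (placeholders, not from the original post): the company
# subdomain and the api_token live only on the server, never in the browser.
COMPANY_DOMAIN = os.environ.get("PIPEDRIVE_COMPANY", "companydomain")
API_TOKEN = os.environ.get("PIPEDRIVE_API_TOKEN", "server-side-token-placeholder")
# Allowlist of browser-facing routes -> Pipedrive paths; anything else is
# rejected, so the relay cannot be turned into a general proxy for the whole API.
ROUTES = {
    re.compile(r"^/api/deals$"): "/v1/deals",
    re.compile(r"^/api/deals/(\d+)$"): "/v1/deals/{0}",
}

def default_fetch(url):
    """Server-to-server GET; returns (status, body_bytes), also on HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
def upstream_url(browser_path, query=None):
    """Map a browser path to the Pipedrive URL, adding api_token server-side."""
    for pattern, target in ROUTES.items():
        m = pattern.match(browser_path)
        if m:
            params = dict(query or {})
            params.pop("api_token", None)  # the client never supplies or overrides the token
            params["api_token"] = API_TOKEN
            path = target.format(*m.groups())
            return f"https://{COMPANY_DOMAIN}.pipedrive.com{path}?{urlencode(params)}"
    return None  # not on the allowlist
def relay(browser_path, query=None, fetch=default_fetch):
    """Handle a browser GET and return (status, body_bytes) from Pipedrive as-is."""
    url = upstream_url(browser_path, query)
    if url is None:
        return 404, b'{"error": "unknown route"}'
    return fetch(url)

class RelayHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parts = urlsplit(self.path)
        status, body = relay(parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()})
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)
if __name__ == "__main__":  # run, then GET http://127.0.0.1:8080/api/deals from the browser
    HTTPServer(("127.0.0.1", 8080), RelayHandler).serve_forever()
```

The same structure applies once you move to OAuth: the access_token is held and refreshed on the server and placed in the upstream request there, so the browser only ever talks to your own endpoint.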
