I’ve created an App and a JSON Panel App Extension. This panel includes info from our data warehouse in Pipedrive.
I’m storing the user access_token and refresh_token I got in the OAuth2 dance in a server-side database.
When the Panel is drawn on the screen, Pipedrive makes an HTTP request to the API Endpoint that includes the expected parameters in the query string (according to the documentation, resource, selectedIds, userId, companyId) and an unexpected parameter: token.
This is an example request, with some details hidden:
The token parameter in the URL is not for making any API requests. It’s there to help verify that the request came from a specific user/company in Pipedrive. Otherwise, anyone who knows the panel request URL could make requests on behalf of other users/companies.
The token can be decoded with either the panel’s JWT secret or, if that’s not specified, the client_secret.
I hope this helps? Please let us know if you have further questions.
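The check described in the answer above, sketched as an added example that is not part of the original posts or Pipedrive's own code: the panel endpoint verifies the `token` signature with the panel's JWT secret (falling back to `client_secret`) and compares the signed identity with the query string. The HS256 algorithm and the claim names `userId` and `companyId` are assumptions here; the thread does not state them.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse, parse_qs

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: str) -> str:
    """Build a constructed sample token (fixture for trying the verifier)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{_b64url_encode(mac.digest())}"

def verify_panel_request(url, client_secret, jwt_secret=None, now=None):
    """Return the verified claims of a panel request URL, or raise ValueError."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    secret = jwt_secret or client_secret  # panel JWT secret first, else client_secret
    try:
        head_b64, body_b64, sig_b64 = query["token"].split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not a JSON object")
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed token") from exc
    # Pin the algorithm (assumed HS256) instead of trusting the header blindly.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if "exp" in claims and claims["exp"] < (now or time.time()):
        raise ValueError("token expired")
    # The query string is attacker-controlled; only the signed claims are trusted.
    for key in ("userId", "companyId"):  # assumed claim names
        if key not in claims or str(claims[key]) != query.get(key):
            raise ValueError(f"{key} mismatch")
    return claims
```

Use the returned claims, not the raw query parameters, to look up the stored access_token for the user.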