Phase 1.5 partner integration

Connect with MyTravelBuddy

Add a Connect button on your site so travelers can authorize your app. Use the same OAuth Authorization Server for authorization_code (user Connect) and client_credentials (confidential server-to-server tokens for Phase 2 APIs).

1. Register an OAuth client

Signed-in travelers can create confidential apps in Settings → Developer (My apps), including Perplexity credentials. Admins can still create clients in Admin → OAuth. MCP hosts such as ChatGPT, Claude, and Grok usually register via DCR at POST /oauth/register. For Connect buttons use authorization_code + PKCE. For server tokens, create a confidential client with client_secret_post or client_secret_basic and enable client_credentials.

2. Add the Connect button

Button preview

Connect with MyTravelBuddy

On partner sites, link this button to your PKCE authorize URL for MyTravelBuddy.

Build an authorize URL with PKCE S256, then embed a button that opens it. Example resource for Phase 2 APIs: https://app.mytravelbuddy.ai/api

<a href="https://app.mytravelbuddy.ai/oauth/authorize?response_type=code&client_id=oc_your_client_id&redirect_uri=https%3A%2F%2Fpartner.example%2Foauth%2Fcallback&scope=trips%3Aread+trips%3Awrite+user%3Aread&state=opaque-state&code_challenge=BASE64URL_SHA256_CODE_CHALLENGE&code_challenge_method=S256&resource=https%3A%2F%2Fapp.mytravelbuddy.ai%2Fapi" style="display:inline-flex;align-items:center;justify-content:center;padding:10px 16px;border-radius:8px;background:#0f172a;color:#fff;font:600 14px/1.2 system-ui,sans-serif;text-decoration:none;">Connect with MyTravelBuddy</a>

3. Exchange the code

After the user approves consent, exchange code + code_verifier at POST /oauth/token with grant_type=authorization_code. Confidential clients must also authenticate with their client secret.

4. Client credentials (machine tokens)

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=oc_...&client_secret=...&scope=trips:read

Client-credentials tokens authenticate the app itself (no end-user). User trip tools and Phase 2 user APIs require a Connect / authorization_code token. Keep client secrets server-side only.

5. Call Phase 2 APIs

Send Authorization: Bearer <access_token> to protected API routes. Prefer requesting resource=https://app.mytravelbuddy.ai/api during Connect so tokens are bound to the API surface.