Phase 1.5 partner integration
Connect with MyTravelBuddy
Add a Connect button on your site so travelers can authorize your app. Use the same OAuth Authorization Server for authorization_code (user Connect) and client_credentials (confidential server-to-server tokens for Phase 2 APIs).
1. Register an OAuth client
Signed-in travelers can create confidential apps in Settings → Developer (My apps), including Perplexity credentials. Admins can still create clients in Admin → OAuth. MCP hosts such as ChatGPT, Claude, and Grok usually register via DCR at POST /oauth/register. For Connect buttons use authorization_code + PKCE. For server tokens, create a confidential client with client_secret_post or client_secret_basic and enable client_credentials.
2. Add the Connect button
Button preview
On partner sites, link this button to your PKCE authorize URL for MyTravelBuddy.
Build an authorize URL with PKCE S256, then embed a button that opens it. Example resource for Phase 2 APIs: https://app.mytravelbuddy.ai/api
<a href="https://app.mytravelbuddy.ai/oauth/authorize?response_type=code&client_id=oc_your_client_id&redirect_uri=https%3A%2F%2Fpartner.example%2Foauth%2Fcallback&scope=trips%3Aread+trips%3Awrite+user%3Aread&state=opaque-state&code_challenge=BASE64URL_SHA256_CODE_CHALLENGE&code_challenge_method=S256&resource=https%3A%2F%2Fapp.mytravelbuddy.ai%2Fapi" style="display:inline-flex;align-items:center;justify-content:center;padding:10px 16px;border-radius:8px;background:#0f172a;color:#fff;font:600 14px/1.2 system-ui,sans-serif;text-decoration:none;">Connect with MyTravelBuddy</a>3. Exchange the code
After the user approves consent, exchange code + code_verifier at POST /oauth/token with grant_type=authorization_code. Confidential clients must also authenticate with their client secret.
4. Client credentials (machine tokens)
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=oc_...&client_secret=...&scope=trips:readClient-credentials tokens authenticate the app itself (no end-user). User trip tools and Phase 2 user APIs require a Connect / authorization_code token. Keep client secrets server-side only.
5. Call Phase 2 APIs
Send Authorization: Bearer <access_token> to protected API routes. Prefer requesting resource=https://app.mytravelbuddy.ai/api during Connect so tokens are bound to the API surface.