Skip to main content

Most Pax8 Partners Never Touch the API They Already Pay Nothing For. Here Is the Power Automate Setup

Nick Ross4 min read

TL;DR

  • The Pax8 API is available to partners at no additional cost and covers customers, orders, subscriptions, products, contacts, invoices, and usage summaries.
  • Pax8's API uses the client credentials grant type, which Power Automate custom connectors do not support as of August 2022, so access tokens must be requested with HTTP actions inside the flow.
  • Storing the Pax8 client ID and secret in Azure Key Vault keeps credentials out of plain text and lets flows pull them dynamically at run time.
  • The HTTP actions needed for this integration are premium, so a premium Power Platform license is required, and Silver or Gold partner internal-use rights may already include one.
  • Every authenticated call after the token request just adds an Authorization header in the format Bearer, a space, then the access token.

If you work with Pax8 today, the API is one of the better unadvertised parts of the relationship. Many Pax8 partners do not know it exists, it costs nothing extra to use, and it exposes the following endpoints:

  • Customers
  • Orders (purchase net new)
  • Subscriptions (increment and decrement seats)
  • Products (catalog info and rate plans)
  • Contacts
  • Invoices
  • Usage Summaries (think Azure billing)

There is a lot you can build on that surface. The common starting point is user onboarding and offboarding, where the flow modifies seat counts. A step further is billing: integrate directly into QuickBooks Online or whatever ERP you invoice from, instead of relying on Pax8's fixed set of native integrations. An open vendor makes that choice yours.

A working example: we run a Power Automate flow against the Pax8 API that automatically creates a PSA ticket when an NCE subscription is coming up for renewal, so the team evaluates license counts before the strict contract terms lock in again. With renewal dates scattered across customers, that one flow removes a real liability. The full build is documented in the NCE renewal notices walkthrough.

Prefer PowerShell over flows? Luke Whitelock has published a PowerShell module for the Pax8 API on GitHub: lwhitelock/Pax8API (opens in new tab).

What you need on the Pax8 side

Get a client ID and client secret:

  1. As a Primary Partner Admin or Partner Admin, go to Tools > Partner Shells and find the Pax8 Partner API Partner Shell:
Pax8 Partner Shells page with the Partner API shell
  1. Fill out the fields and submit. Once you do, you will get information about the API docs. You can always find the API documentation later under the ? icon in the top right corner:
Pax8 API documentation accessible from the help icon
  1. Click your name in the right-hand corner > User Settings > Developer Apps > Create:
Creating a developer app under Pax8 user settings
  1. Give it a name of your choosing and click Create.
  2. You will be given a client ID and secret. Store these somewhere secure like Azure Key Vault or IT Glue.

What you need on the Microsoft side

A premium Power Platform license. The flow uses premium actions (HTTP requests) to get access tokens and call the Pax8 API. Power Platform licensing is confusing, but any one of the plans below covers it, and you only need one:

Power Platform licensing options that include premium actions

If you hold a Silver or Gold membership in Microsoft's partner program, you may already be receiving these licenses through your internal-use rights.

Azure Key Vault (optional, recommended). Storing the client ID and secret in Key Vault lets the flow populate them dynamically instead of carrying them in plain text. There are other ways to handle this, but Key Vault is what this walkthrough uses.

Why this is not a custom connector tutorial

Normally we would recommend setting Pax8 up as a custom connector in Power Automate, the same pattern shown in Creating Syncro as a Custom Connector in Power Automate. Pax8's API, however, uses client credentials as the grant type for issuing access tokens, and custom connectors do not support that grant type as of August 2022. That blocks authentication at the connector level, so the token request has to live inside the flow itself. Here is that build.

Build the flow: credentials first

  1. Navigate to https://make.powerautomate.com/ (opens in new tab).
  2. Click Create > Instant Cloud Flow.
  3. Give it a name and choose Manually trigger a flow. The manual trigger is just for testing this example; in production you would give it whatever trigger fits.
Creating an instant cloud flow with a manual trigger
  1. The flow will use your client ID and secret to request an access token, and exposing those in plain text is best avoided. Pull them from Azure Key Vault instead: click New Step > search Azure Key Vault > click Get Secret under Actions:
Adding the Azure Key Vault Get Secret action
  1. Populate your client ID:
Retrieving the Pax8 client ID from Key Vault

One gotcha worth knowing: if you get an error about not being able to connect to a vault, click Connectors in the left navigation and edit your Key Vault connection from there. In our experience the vault could not be selected from the flow screen after signing in, and the Connectors page was the fix.

  1. Repeat the Get Secret step for the client secret:
Retrieving the Pax8 client secret from Key Vault

Request the access token

  1. Click New Step > search HTTP > choose the HTTP action:
Adding the HTTP action to the flow
  1. Make the POST call to get the access token per the Pax8 API documentation (viewable from the Pax8 portal). Add the URL and the body by copying them straight from the docs:
HTTP POST request for the Pax8 access token
  1. Adjust the body so client_id and client_secret are populated with the dynamic values coming from Azure Key Vault, and add a Content-Type header:
Token request body with dynamic Key Vault values and Content-Type header
  1. Parse the JSON response to extract the access token for later calls. Search for Parse JSON as the next step:
Adding the Parse JSON action for the token response
  1. For the Content field, dynamically populate the Body value from the previous step. Then copy the access token response example from the Pax8 API documentation, click Generate from Sample in Power Automate, and paste it in. The schema generates itself from the sample:
Generating the Parse JSON schema from the Pax8 sample response

Make your first authenticated call

  1. With an access token in hand, every other endpoint is open. To test, call the companies endpoint with another HTTP action, using the Fetch a paginated list of your companies GET request from the docs. One of the headers is Authorization, populated dynamically in the format Bearer, then a space, then the access token:
GET request to the Pax8 companies endpoint with Bearer authorization
  1. Save the flow and run a test. The flow runs and the output shows your company records:
Successful flow run returning Pax8 company records

What to build next

That is the whole connection. From here, Parse JSON actions pull values out of any call so you can feed them into other steps: PSA tickets, Teams messages, billing systems. The renewal-notice flow mentioned above is the natural next build. The full video version of this setup is on YouTube; post any questions there: watch the tutorial (opens in new tab).

Frequently asked questions

Why not set Pax8 up as a custom connector like other vendor APIs?

Pax8's API issues access tokens through the client credentials grant type, which Power Automate custom connectors do not support as of August 2022. That blocks authentication at the connector level, so the token request has to happen inside the flow with an HTTP action.

Is there a PowerShell option instead of Power Automate?

Yes. Luke Whitelock maintains an open-source PowerShell wrapper for the Pax8 API at github.com/lwhitelock/Pax8API if you would rather script it than build flows.

Where do the request URLs and body formats come from?

The Pax8 API documentation, reachable from the question mark icon in the top right corner of the Pax8 portal once your API access is set up. Copy the token request body and response samples straight from there.

Procurement runs itself. Posture should too

Automating seat counts and invoices is the easy half of MSP operations. CloudCapsule handles the other half: 250+ Microsoft 365 security controls checked per tenant in about 60 seconds, across every customer.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading