Most Pax8 Partners Never Touch the API They Already Pay Nothing For. Here Is the Power Automate Setup
TL;DR
- The Pax8 API is available to partners at no additional cost and covers customers, orders, subscriptions, products, contacts, invoices, and usage summaries.
- Pax8's API uses the client credentials grant type, which Power Automate custom connectors do not support as of August 2022, so access tokens must be requested with HTTP actions inside the flow.
- Storing the Pax8 client ID and secret in Azure Key Vault keeps credentials out of plain text and lets flows pull them dynamically at run time.
- The HTTP actions needed for this integration are premium, so a premium Power Platform license is required, and Silver or Gold partner internal-use rights may already include one.
- Every authenticated call after the token request just adds an Authorization header in the format Bearer, a space, then the access token.
If you work with Pax8 today, the API is one of the better unadvertised parts of the relationship. Many Pax8 partners do not know it exists, it costs nothing extra to use, and it exposes the following endpoints:
- Customers
- Orders (purchase net new)
- Subscriptions (increment and decrement seats)
- Products (catalog info and rate plans)
- Contacts
- Invoices
- Usage Summaries (think Azure billing)
There is a lot you can build on that surface. The common starting point is user onboarding and offboarding, where the flow modifies seat counts. A step further is billing: integrate directly into QuickBooks Online or whatever ERP you invoice from, instead of relying on Pax8's fixed set of native integrations. An open vendor makes that choice yours.
A working example: we run a Power Automate flow against the Pax8 API that automatically creates a PSA ticket when an NCE subscription is coming up for renewal, so the team evaluates license counts before the strict contract terms lock in again. With renewal dates scattered across customers, that one flow removes a real liability. The full build is documented in the NCE renewal notices walkthrough.
Prefer PowerShell over flows? Luke Whitelock has published a PowerShell module for the Pax8 API on GitHub: lwhitelock/Pax8API (opens in new tab).
What you need on the Pax8 side
Get a client ID and client secret:
- As a Primary Partner Admin or Partner Admin, go to Tools > Partner Shells and find the Pax8 Partner API Partner Shell:

- Fill out the fields and submit. Once you do, you will get information about the API docs. You can always find the API documentation later under the ? icon in the top right corner:

- Click your name in the right-hand corner > User Settings > Developer Apps > Create:

- Give it a name of your choosing and click Create.
- You will be given a client ID and secret. Store these somewhere secure like Azure Key Vault or IT Glue.
What you need on the Microsoft side
A premium Power Platform license. The flow uses premium actions (HTTP requests) to get access tokens and call the Pax8 API. Power Platform licensing is confusing, but any one of the plans below covers it, and you only need one:

If you hold a Silver or Gold membership in Microsoft's partner program, you may already be receiving these licenses through your internal-use rights.
Azure Key Vault (optional, recommended). Storing the client ID and secret in Key Vault lets the flow populate them dynamically instead of carrying them in plain text. There are other ways to handle this, but Key Vault is what this walkthrough uses.
Why this is not a custom connector tutorial
Normally we would recommend setting Pax8 up as a custom connector in Power Automate, the same pattern shown in Creating Syncro as a Custom Connector in Power Automate. Pax8's API, however, uses client credentials as the grant type for issuing access tokens, and custom connectors do not support that grant type as of August 2022. That blocks authentication at the connector level, so the token request has to live inside the flow itself. Here is that build.
Build the flow: credentials first
- Navigate to https://make.powerautomate.com/ (opens in new tab).
- Click Create > Instant Cloud Flow.
- Give it a name and choose Manually trigger a flow. The manual trigger is just for testing this example; in production you would give it whatever trigger fits.

- The flow will use your client ID and secret to request an access token, and exposing those in plain text is best avoided. Pull them from Azure Key Vault instead: click New Step > search Azure Key Vault > click Get Secret under Actions:

- Populate your client ID:

One gotcha worth knowing: if you get an error about not being able to connect to a vault, click Connectors in the left navigation and edit your Key Vault connection from there. In our experience the vault could not be selected from the flow screen after signing in, and the Connectors page was the fix.
- Repeat the Get Secret step for the client secret:

Request the access token
- Click New Step > search HTTP > choose the HTTP action:

- Make the POST call to get the access token per the Pax8 API documentation (viewable from the Pax8 portal). Add the URL and the body by copying them straight from the docs:

- Adjust the body so client_id and client_secret are populated with the dynamic values coming from Azure Key Vault, and add a Content-Type header:

- Parse the JSON response to extract the access token for later calls. Search for Parse JSON as the next step:

- For the Content field, dynamically populate the Body value from the previous step. Then copy the access token response example from the Pax8 API documentation, click Generate from Sample in Power Automate, and paste it in. The schema generates itself from the sample:

Make your first authenticated call
- With an access token in hand, every other endpoint is open. To test, call the companies endpoint with another HTTP action, using the Fetch a paginated list of your companies GET request from the docs. One of the headers is Authorization, populated dynamically in the format Bearer, then a space, then the access token:

- Save the flow and run a test. The flow runs and the output shows your company records:

What to build next
That is the whole connection. From here, Parse JSON actions pull values out of any call so you can feed them into other steps: PSA tickets, Teams messages, billing systems. The renewal-notice flow mentioned above is the natural next build. The full video version of this setup is on YouTube; post any questions there: watch the tutorial (opens in new tab).
Frequently asked questions
Why not set Pax8 up as a custom connector like other vendor APIs?
Pax8's API issues access tokens through the client credentials grant type, which Power Automate custom connectors do not support as of August 2022. That blocks authentication at the connector level, so the token request has to happen inside the flow with an HTTP action.
Is there a PowerShell option instead of Power Automate?
Yes. Luke Whitelock maintains an open-source PowerShell wrapper for the Pax8 API at github.com/lwhitelock/Pax8API if you would rather script it than build flows.
Where do the request URLs and body formats come from?
The Pax8 API documentation, reachable from the question mark icon in the top right corner of the Pax8 portal once your API access is set up. Copy the token request body and response samples straight from there.
Procurement runs itself. Posture should too
Automating seat counts and invoices is the easy half of MSP operations. CloudCapsule handles the other half: 250+ Microsoft 365 security controls checked per tenant in about 60 seconds, across every customer.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


