Resources/The Agent API Atlas/Legal/PandaDoc

Everything an AI agent can do with the PandaDoc API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints27

API versionv1

Last updated23 June 2026

Orientation

How the PandaDoc API works.

The PandaDoc API is how an app or AI agent works with a PandaDoc workspace: creating a document from a template, sending it to recipients for signature, tracking its status as it is viewed and completed, and downloading the signed copy. Access is granted through an API key tied to a user, or an OAuth token carrying a read or read+write scope, and that credential reaches only what its user or scope allows. A document is processed in the background after it is created, and a change to its state emits an event PandaDoc can push to a registered endpoint.

27Endpoints

7Capability groups

16Read

11Write

2Permissions

Authentication

PandaDoc accepts two credentials. An API key is sent as the header 'Authorization: API-Key {key}', is tied to the user who created it, never expires, and stops working if that user leaves the workspace. OAuth 2.0 uses the authorization-code flow and returns a long-lived bearer token plus a refresh token, for integrations that connect to other companies' accounts.

Permissions

OAuth scopes are coarse. There are only two, read for read-only access and read+write for full access, with no per-resource breakdown, so a read+write token can act across every area the API exposes. An API key instead inherits its user's role, so its reach matches what that person can do in the workspace. A 403 response means the credential lacks the permission the request needs.

Versioning

PandaDoc serves one continuously updated REST API under a single path version rather than minting a new dated version per change. Improvements ship through a running changelog, so an integration tracks the changelog rather than pinning a version string.

Data model

PandaDoc is resource-oriented REST with JSON requests and responses under /public/v1. A document is created from a template or an uploaded PDF, populated with fields, tokens, and pricing, then sent to recipients drawn from contacts. Creation is asynchronous, so a new document must be polled until it reaches draft. A state change emits an event delivered by webhook.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to PandaDoc determines what it can reach. There is a route for making calls, a route for receiving events when a document changes, and a hosted server that exposes PandaDoc tools to agents, and each is governed by the key or token behind it.

Ways to connect

REST API

The REST API takes JSON request bodies, returns JSON, and pages lists with page and count parameters, at https://api.pandadoc.com/public/v1. A call authenticates with an API key sent as 'Authorization: API-Key {key}', or with an OAuth 2.0 bearer token.

Best forConnecting an app or AI agent to PandaDoc.

Governed byThe API key or OAuth token and the read or read+write scope behind it.

Docs ↗

MCP server

A hosted Model Context Protocol server at https://mcp.pandadoc.com/v1/mcp exposes PandaDoc tools to AI agents and LLM clients like Claude, Cursor, and ChatGPT. It authenticates with OAuth, so an agent can drive a full agreement flow, like creating a proposal from a template and sending it for signature, from a single prompt. Announced September 2025.

Best forConnecting an AI agent to PandaDoc through MCP.

Governed byThe OAuth grant and the scope it carries.

Docs ↗

Webhooks

PandaDoc POSTs an event to an HTTPS endpoint registered as a webhook subscription when a document changes state, a recipient completes, a signed PDF is ready, or a template changes. The receiver verifies the request signature against the subscription's shared key to confirm it came from PandaDoc.

Best forReceiving PandaDoc events at an app or AI agent.

Governed byThe shared key on the subscription.

Docs ↗

Authentication

API key

An API key is sent on every request as the header 'Authorization: API-Key {key}'. It is tied to the user who generated it, so the key can do only what that user's role allows, and it stops working if that user is removed from the workspace. A sandbox key works only on test data; a production key requires approval before activation. API keys do not expire.

TokenAPI key (Authorization: API-Key {key})

Best forServer-side calls in a single workspace.

Docs ↗

OAuth 2.0

OAuth 2.0 uses the authorization-code flow: an app sends the user to https://app.pandadoc.com/oauth2/authorize with a scope of read or read+write, then exchanges the returned code at https://api.pandadoc.com/oauth2/access_token for an access token and a refresh token. The scopes are coarse: read allows read-only access and read+write allows full access, with no per-resource breakdown. Access tokens are long-lived and can be renewed with the refresh token.

TokenOAuth 2.0 bearer access token

Best forBuilding a public integration that connects to other companies' PandaDoc accounts.

Docs ↗

Capability map

What an AI agent can do in PandaDoc.

The PandaDoc API is split into areas an agent can act on, like documents, templates, contacts, folders, and team members. Each area has its own methods, and a write in the documents area can create a contract or send it out for a legally binding signature.

Documents

10 endpoints

Methods for creating, sending, tracking, and downloading documents.

A write here can create a contract or send it out for a binding signature.

View endpoints →

Templates

2 endpoints

Methods for listing and reading the templates documents are built from.

Reads here expose the content and structure of reusable templates.

View endpoints →

Contacts

5 endpoints

Methods for working with the contacts that become document recipients.

A write here changes recipient contact records, including email addresses.

View endpoints →

Folders

4 endpoints

Methods for organising documents and templates into folders.

A write here creates or renames a folder in the workspace.

View endpoints →

Webhooks

2 endpoints

Methods for managing the subscriptions that deliver document events.

A write here changes where document events are delivered.

View endpoints →

Members

3 endpoints

Methods for reading the people in a PandaDoc workspace.

Reads here expose member names, emails, and roles.

View endpoints →

Forms

1 endpoint

Methods for listing the forms in a workspace.

Reads here expose the forms set up to collect signed responses.

View endpoints →

Endpoint reference

Every PandaDoc API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Documents Methods for creating, sending, tracking, and downloading documents.10
POST	`/public/v1/documents`	Create a document from a template or an uploaded PDF, with recipients, fields, and pricing.	write	`write`	Current
OAuth scopes are coarse: this needs the read+write scope, or an API key whose user can create documents. Creation is asynchronous; the document starts in document.uploaded and must be polled until document.draft. Acts ondocument Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`document_state_changed` Rate limit300 requests/min (from PDF), 500/min (from template) SourceOfficial documentation ↗
GET	`/public/v1/documents`	List and search documents in the workspace, filtered by status, folder, tag, or date.	read	`read`	Current
Readable with the read scope or any API key. Paginated by page and count (default 50, max 100). Acts ondocument Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit2000 requests/min SourceOfficial documentation ↗
GET	`/public/v1/documents/{id}`	Get a document's current status, used to poll an async create until it reaches draft.	read	`read`	Current
Readable with the read scope or any API key. Used to track a document through document.draft, sent, viewed, completed, and paid. Acts ondocument Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit2000 requests/min SourceOfficial documentation ↗
GET	`/public/v1/documents/{id}/details`	Get full document data, including recipients, field values, tokens, and pricing.	read	`read`	Current
Readable with the read scope or any API key. Returns the full content of the document. Acts ondocument Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit600 requests/min SourceOfficial documentation ↗
POST	`/public/v1/documents/{id}/send`	Send a draft document to its recipients, optionally with an email subject and message.	write	`write`	Current
Needs the read+write scope, or an API key whose user can send. This moves a document to the recipients and starts the signing process. Acts ondocument Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`document_state_changed` Rate limit400 requests/min SourceOfficial documentation ↗
GET	`/public/v1/documents/{id}/download`	Download a document as a PDF.	read	`read`	Current
Readable with the read scope or any API key. Returns the document file. Acts ondocument Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit100 requests/min SourceOfficial documentation ↗
GET	`/public/v1/documents/{id}/download-protected`	Download the completed, signed copy of a document as a protected PDF.	read	`read`	Current
Readable with the read scope or any API key. Returns the final, completed version of the document. Acts ondocument Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit300 requests/min SourceOfficial documentation ↗
DELETE	`/public/v1/documents/{id}`	Delete a document.	write	`write`	Current
Needs the read+write scope, or an API key whose user can delete. Removes the document. Acts ondocument Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`document_deleted` Rate limit2000 requests/min SourceOfficial documentation ↗
POST	`/public/v1/documents/{id}/draft`	Move a sent or completed document back to draft status for further editing.	write	`write`	Current
Needs the read+write scope, or an API key whose user can edit. Returns the document to an editable draft state. Acts ondocument Permission (capability)`write` VersionAvailable since the API’s base version Webhook event`document_updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/public/v1/documents/{id}/session`	Create a short-lived session link to embed signing or viewing of a document.	write	`write`	Current
Needs the read+write scope, or an API key whose user can share. Returns a temporary session key for embedding the document. Acts ondocument Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Templates Methods for listing and reading the templates documents are built from.2
GET	`/public/v1/templates`	List the templates in the workspace, with optional filtering by tag or folder.	read	`read`	Current
Readable with the read scope or any API key. Returns template ids used when creating documents. Acts ontemplate Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit300 requests/min SourceOfficial documentation ↗
GET	`/public/v1/templates/{id}`	Get the details of a template, including its roles, fields, tokens, and pricing tables.	read	`read`	Current
Readable with the read scope or any API key. Returns the structure an integration needs to populate a document from this template. Acts ontemplate Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limit300 requests/min SourceOfficial documentation ↗
Contacts Methods for working with the contacts that become document recipients.5
POST	`/public/v1/contacts`	Create a contact that can be used as a document recipient.	write	`write`	Current
Needs the read+write scope, or an API key whose user can manage contacts. Acts oncontact Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/contacts`	List the contacts in the workspace.	read	`read`	Current
Readable with the read scope or any API key. Returns contact records, including email addresses. Acts oncontact Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/contacts/{id}`	Get the details of a single contact.	read	`read`	Current
Readable with the read scope or any API key. Acts oncontact Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/public/v1/contacts/{id}`	Update the details of a contact.	write	`write`	Current
Needs the read+write scope, or an API key whose user can manage contacts. Acts oncontact Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/public/v1/contacts/{id}`	Delete a contact.	write	`write`	Current
Needs the read+write scope, or an API key whose user can manage contacts. Acts oncontact Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Folders Methods for organising documents and templates into folders.4
POST	`/public/v1/documents/folders`	Create a folder to organise documents.	write	`write`	Current
Needs the read+write scope, or an API key whose user can manage folders. Acts ondocuments_folder Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/documents/folders`	List the document folders in the workspace.	read	`read`	Current
Readable with the read scope or any API key. Acts ondocuments_folder Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/public/v1/templates/folders`	Create a folder to organise templates.	write	`write`	Current
Needs the read+write scope, or an API key whose user can manage folders. Acts ontemplates_folder Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/templates/folders`	List the template folders in the workspace.	read	`read`	Current
Readable with the read scope or any API key. Acts ontemplates_folder Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks Methods for managing the subscriptions that deliver document events.2
POST	`/public/v1/webhook-subscriptions`	Create a webhook subscription that delivers document and other events to a URL.	write	`write`	Current
Needs the read+write scope, or an API key whose user can manage webhooks. Sets the endpoint and the events it receives. Acts onwebhook_subscription Permission (capability)`write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/webhook-subscriptions`	List the webhook subscriptions configured in the workspace.	read	`read`	Current
Readable with the read scope or any API key. Acts onwebhook_subscription Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Members Methods for reading the people in a PandaDoc workspace.3
GET	`/public/v1/members/me`	Get the details of the member whose key or token made the request.	read	`read`	Current
Readable with the read scope or any API key. Returns the calling user's own member record. Acts onmember Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/members`	List the members of the workspace.	read	`read`	Current
Readable with the read scope or any API key. Returns member names, emails, and roles. Acts onmember Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/public/v1/members/{id}`	Get the details of a single workspace member.	read	`read`	Current
Readable with the read scope or any API key. Acts onmember Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Forms Methods for listing the forms in a workspace.1
GET	`/public/v1/forms`	List the forms in the workspace.	read	`read`	Current
Readable with the read scope or any API key. Acts onform Permission (capability)`read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

PandaDoc can notify an app when something happens to a document, like its state changing as it is viewed, completed, or paid, or its signed PDF becoming ready. It posts an event describing what changed, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`document_state_changed`	A document changed status, like moving to draft, being sent, viewed, completed, or paid. This is the main signal for tracking a document through its lifecycle.	`/public/v1/documents` `/public/v1/documents/{id}/send`
`document_updated`	A document was updated, such as being returned to draft status.	`/public/v1/documents/{id}/draft`
`document_deleted`	A document was removed.	`/public/v1/documents/{id}`
`document_completed_pdf_ready`	A document was completed and its signed PDF was generated and saved, so it can be downloaded.	`/public/v1/documents/{id}/send`
`recipient_completed`	A recipient finished signing a document, including who completed it and when.	`/public/v1/documents/{id}/send`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

PandaDoc limits how often an app can call each method, measured as requests per minute over a rolling 60-second window, with a much tighter ceiling on sandbox keys than on production keys.

Request rate

PandaDoc sets a separate requests-per-minute limit for each method, measured over a rolling 60-second window, and counts every HTTP method against it. On production keys the ceilings vary by action: listing, status, and delete calls allow 2000 per minute, document details 600, sending a document 400, creating from a template 500 and from a PDF 300, and downloading a document 100. A sandbox key is capped at 10 requests per minute on any endpoint. Limits apply per user and are shared across all keys that user owns; going over returns HTTP 429.

Pagination

List endpoints page with two query parameters: page selects the page, and count sets the page size, defaulting to 50 and capped at 100. Increase page to walk through the full result set.

Request size

A list response returns at most 100 records per page, the maximum value of count. Document creation is asynchronous, so a created document is not immediately ready and must be polled until its status reaches document.draft.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`request_error / validation_error`	The request was malformed or failed validation. The body returns a 'type' and a 'detail' object that names the fields at fault, like a missing template_id or form_id.	Read the type and detail, fix the request body, and resend. The request is not retryable as-is.
401	`authentication_error`	No valid credential was provided, or the API key or OAuth token is wrong or inactive.	Confirm the Authorization header carries a valid API key or bearer token for an active user, and refresh an expired OAuth token.
403	`forbidden`	The credential is valid but lacks permission for this request, for example a read-only token, or a user whose role does not allow the action.	Use a read+write scope or an API key whose user has the needed role.
404	`not_found`	The requested object does not exist, or is not visible to this key, token, or workspace.	Verify the object id and confirm it lives in the same workspace as the credential.
429	`too_many_requests`	The per-method request rate was exceeded within the rolling 60-second window. Sandbox keys are capped at 10 requests per minute on any endpoint.	Back off and retry with exponential backoff, and smooth the request rate below the method's limit.
500	`server_error`	An error on PandaDoc's side. It is rare.	Retry with backoff, and contact PandaDoc support if it persists.

Versioning & freshness

Version history.

PandaDoc serves a single, continuously updated REST API at one path version rather than minting a new dated version for each change, and ships improvements through a running changelog.

Version history

What changed, and when

Latest versionv1

v1Current version

Public REST API (v1, continuously updated)

PandaDoc serves a single, path-versioned REST API at /public/v1. Rather than minting a new dated version for each change, it ships additive improvements and new endpoints through a running changelog, so integrations track the changelog rather than pinning a version string.

What changed

Documents, templates, contacts, folders, members, forms, and webhook subscriptions exposed under /public/v1.
API key and OAuth 2.0 (read / read+write) authentication.
Per-method rate limits with a tighter sandbox cap.

2025-09

Official MCP server released

PandaDoc launched an official, OAuth-authenticated Model Context Protocol server at https://mcp.pandadoc.com/v1/mcp, letting AI agents drive complete agreement flows from a single prompt across clients like Claude, Cursor, and ChatGPT.

What changed

Hosted MCP server at https://mcp.pandadoc.com/v1/mcp.
OAuth authentication for MCP clients.
Tools for creating, routing, signing, and tracking documents.

There is one live API; track the changelog rather than pinning a version.

PandaDoc API changelog ↗

Questions

PandaDoc API, answered.

How do I authenticate, with an API key or OAuth?+

Both work. For a single workspace, generate an API key in the Dev Center and send it as the header 'Authorization: API-Key {key}'. For a public integration that connects to other companies' PandaDoc accounts, use OAuth 2.0: send the user to app.pandadoc.com/oauth2/authorize, then exchange the returned code at api.pandadoc.com/oauth2/access_token for a bearer token. An API key never expires; an OAuth token is long-lived and renewable with its refresh token.

What permissions or scopes does the API use?+

OAuth has just two scopes: read for read-only access and read+write for full access. They are coarse, with no per-resource control, so a read+write token can act across documents, contacts, templates, folders, and more. An API key has no scopes of its own; it inherits the role of the user who created it, so its reach is whatever that person can do in the workspace.

Why isn't my new document ready right after I create it?+

Document creation is asynchronous. The create call returns a document in document.uploaded status, and PandaDoc processes it in the background. Poll the Document Status method until the status changes to document.draft before sending or modifying it.

What are the rate limits?+

Limits are per method and measured over a rolling 60-second window. On production keys they range from 2000 requests per minute for list, status, and delete calls down to 100 per minute for downloading a document, with sending capped at 400 and creating from a template at 500. A sandbox key is limited to 10 requests per minute on any endpoint. Limits apply per user and are shared across that user's keys; exceeding one returns HTTP 429.

How do I get notified when a document is signed?+

Register a webhook subscription pointing at an HTTPS endpoint and subscribe to document events. PandaDoc posts document_state_changed as the document moves through viewed, completed, and paid, recipient_completed when someone finishes signing, and document_completed_pdf_ready when the signed PDF is generated and ready to download. Verify the request signature against the subscription's shared key.

Does PandaDoc have an MCP server for AI agents?+

Yes. PandaDoc hosts an official Model Context Protocol server at https://mcp.pandadoc.com/v1/mcp, announced in September 2025. It authenticates with OAuth and exposes PandaDoc tools to AI clients like Claude, Cursor, and ChatGPT, so an agent can drive a full agreement flow, like creating a proposal from a template and sending it for signature, from a single prompt.

What plan do I need to use the API?+

API access requires at least a Business plan. Production API keys also require approval from PandaDoc before they activate. A sandbox key is available for testing and runs only against test data, with a tighter rate limit of 10 requests per minute.

What is Bollard AI?

Control what every AI agent can do in PandaDoc.

Bollard AI sits between a team's AI agents and PandaDoc. Grant each agent exactly the access it needs, read or write, and decide on its own whether an agent can send a document out for signature, with every call checked and logged.

Set read, write, or full access per agent, never a shared PandaDoc key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control PandaDoc access in Bollard Browse all APIs →

PandaDoc

Proposal Agent

View documents ResourceOffReadFull use

Create from template ActionOffReadFull use

Send for signature ActionOffReadFull use

Contacts ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in PandaDoc

How the PandaDoc API works.

Connection & authentication methods.

REST API

MCP server

Webhooks

API key

OAuth 2.0

What an AI agent can do in PandaDoc.

Documents

Templates

Contacts

Folders

Webhooks

Members

Forms

Every PandaDoc API method.

Documents

Templates

Contacts

Folders

Webhooks

Members

Forms

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

PandaDoc API, answered.

More legal API guides for agents

Dropbox Sign

Ironclad

Adobe Acrobat Sign

DocuSign

Control what every AI agent can do in PandaDoc.