Skip to main content
All developer guides

Connect with Triangle

Build a Connect with Triangle button for your own product. Register an OAuth app, send users through Triangle consent with PKCE, exchange the code for access and refresh tokens, then call Triangle MCP today — with full HTTP API documentation coming soon.

Official Connect with Triangle documentation

Before you start

  • A Triangle account with access to the developer portal at app.trianglehealth.com/developer/apps.
  • An application you control that can open a browser for OAuth and receive a redirect callback.
  • At least one redirect URI base registered on your OAuth app (https for production, or http://localhost for local development).
  • Understanding of OAuth 2.1 authorization code flow with PKCE (S256). Dynamically registering via POST /oauth/register is limited to known AI platforms — third-party apps must use the developer portal.

Connection fields

FieldValue
OAuth server URLhttps://app.trianglehealth.com
Authorizehttps://app.trianglehealth.com/oauth/authorize
Tokenhttps://app.trianglehealth.com/oauth/token
Discoveryhttps://app.trianglehealth.com/.well-known/oauth-authorization-server
Developer portalhttps://app.trianglehealth.com/developer/apps
MCP server URL (current data access)https://app.trianglehealth.com/mcp
OAuth resource (MCP)https://app.trianglehealth.com/mcp
ScopesRequested on authorize and confirmed on Triangle’s consent screen (for example patient:read, notes:read, medical_records:read, care_team:read).

Setup steps

01.Create an OAuth app in the developer portal

Third-party apps register in the Triangle developer portal. You do not use Dynamic Client Registration (that path is reserved for platforms such as ChatGPT, Claude, and Grok).

  • Open https://app.trianglehealth.com/developer/apps and create an app. Follow the Developer Portal setup guide if you need field-by-field help.
  • Choose a public client (PKCE, Client ID only) for SPAs and many native apps, or a confidential client (Client ID + one-time Client Secret) for server-side apps.
  • Register redirect URI bases that match your callback URLs. Triangle allows longer paths under each registered base.
  • Copy the Client ID (and Client Secret once, if confidential) into your app’s secure configuration — never ship confidential secrets in browser or mobile app binaries.
Screenshot coming soon

02.Build the Connect with Triangle button

Send the user to Triangle’s authorize endpoint in the browser. Use a random state and a PKCE code_verifier / code_challenge (S256).

  • Generate a high-entropy code_verifier, derive code_challenge = BASE64URL(SHA256(code_verifier)), and store the verifier in the user session.
  • Redirect to /oauth/authorize with client_id, redirect_uri, response_type=code, state, code_challenge, code_challenge_method=S256, and scope.
  • For MCP tool access today, pass resource=https://app.trianglehealth.com/mcp (or omit resource — Triangle defaults to the MCP resource).
  • Example authorize URL shape: https://app.trianglehealth.com/oauth/authorize?client_id=…&redirect_uri=…&response_type=code&scope=patient:read%20notes:read&state=…&code_challenge=…&code_challenge_method=S256&resource=https%3A%2F%2Fapp.trianglehealth.com%2Fmcp
connect-button.html
<a
  href="https://app.trianglehealth.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=https%3A%2F%2Fyour.app%2Foauth%2Fcallback&response_type=code&scope=patient%3Aread%20notes%3Aread&state=RANDOM_STATE&code_challenge=YOUR_S256_CHALLENGE&code_challenge_method=S256&resource=https%3A%2F%2Fapp.trianglehealth.com%2Fmcp"
>
  Connect with Triangle
</a>

03.Handle the callback and exchange the code

After the user signs in and approves consent, Triangle redirects to your redirect_uri with code and state. Verify state, then exchange the code at the token endpoint.

  • Confirm state matches what you stored; reject the callback if it does not.
  • POST application/x-www-form-urlencoded to /oauth/token with grant_type=authorization_code, code, redirect_uri, client_id, and code_verifier.
  • Confidential clients also send client_secret (client_secret_post) or Authorization: Basic.
  • Store the refresh_token securely server-side. Access tokens are Bearer JWEs (about one hour). Use refresh_token grants to rotate tokens.
token-exchange.sh
curl -X POST 'https://app.trianglehealth.com/oauth/token' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=AUTHORIZATION_CODE' \
  -d 'redirect_uri=https://your.app/oauth/callback' \
  -d 'client_id=YOUR_CLIENT_ID' \
  -d 'code_verifier=YOUR_CODE_VERIFIER'

04.Call Triangle (MCP now; HTTP API coming soon)

Until the public HTTP API ships, use the access token with Triangle’s remote MCP server — the same tools available to ChatGPT, Claude, and other MCP clients.

  • Send Authorization: Bearer to https://app.trianglehealth.com/mcp (JSON-RPC methods such as tools/list and tools/call).
  • A small set of HTTP /api routes already accept OAuth bearers when they declare required scopes; full HTTP API documentation is coming soon.
  • Do not rely on undocumented internal endpoints. Prefer MCP for production integrations until the public API guide is published.
Screenshot coming soon

05.Let users disconnect

Users can revoke your app anytime from Triangle Settings → AI Services.

  • Link users to https://app.trianglehealth.com → Settings → AI Services and disconnect your app name.
  • After disconnect, refresh tokens fail. Design for re-authorization with a fresh Connect with Triangle flow.
  • You can also delete unused OAuth apps in the developer portal once no active connections remain.
Screenshot coming soon

What you can do after connecting

  • OAuth 2.1 authorization code + PKCE (S256) against Triangle’s authorization server.
  • Public and confidential clients via the developer portal (not open DCR for arbitrary apps).
  • User consent with selectable scopes; installations appear under Settings → AI Services.
  • Access and rotating refresh tokens for server-side token management.
  • MCP tool access with the access token today; public HTTP API documentation coming soon.

Troubleshooting