Connect with Triangle
Build a Connect with Triangle button for your own product. Register an OAuth app, send users through Triangle consent with PKCE, exchange the code for access and refresh tokens, then call Triangle MCP today — with full HTTP API documentation coming soon.
Official Connect with Triangle documentationBefore you start
- A Triangle account with access to the developer portal at app.trianglehealth.com/developer/apps.
- An application you control that can open a browser for OAuth and receive a redirect callback.
- At least one redirect URI base registered on your OAuth app (https for production, or http://localhost for local development).
- Understanding of OAuth 2.1 authorization code flow with PKCE (S256). Dynamically registering via POST /oauth/register is limited to known AI platforms — third-party apps must use the developer portal.
Connection fields
| Field | Value |
|---|---|
| OAuth server URL | https://app.trianglehealth.com |
| Authorize | https://app.trianglehealth.com/oauth/authorize |
| Token | https://app.trianglehealth.com/oauth/token |
| Discovery | https://app.trianglehealth.com/.well-known/oauth-authorization-server |
| Developer portal | https://app.trianglehealth.com/developer/apps |
| MCP server URL (current data access) | https://app.trianglehealth.com/mcp |
| OAuth resource (MCP) | https://app.trianglehealth.com/mcp |
| Scopes | Requested on authorize and confirmed on Triangle’s consent screen (for example patient:read, notes:read, medical_records:read, care_team:read). |
Setup steps
01.Create an OAuth app in the developer portal
Third-party apps register in the Triangle developer portal. You do not use Dynamic Client Registration (that path is reserved for platforms such as ChatGPT, Claude, and Grok).
- Open https://app.trianglehealth.com/developer/apps and create an app. Follow the Developer Portal setup guide if you need field-by-field help.
- Choose a public client (PKCE, Client ID only) for SPAs and many native apps, or a confidential client (Client ID + one-time Client Secret) for server-side apps.
- Register redirect URI bases that match your callback URLs. Triangle allows longer paths under each registered base.
- Copy the Client ID (and Client Secret once, if confidential) into your app’s secure configuration — never ship confidential secrets in browser or mobile app binaries.
02.Build the Connect with Triangle button
Send the user to Triangle’s authorize endpoint in the browser. Use a random state and a PKCE code_verifier / code_challenge (S256).
- Generate a high-entropy code_verifier, derive code_challenge = BASE64URL(SHA256(code_verifier)), and store the verifier in the user session.
- Redirect to /oauth/authorize with client_id, redirect_uri, response_type=code, state, code_challenge, code_challenge_method=S256, and scope.
- For MCP tool access today, pass resource=https://app.trianglehealth.com/mcp (or omit resource — Triangle defaults to the MCP resource).
- Example authorize URL shape: https://app.trianglehealth.com/oauth/authorize?client_id=…&redirect_uri=…&response_type=code&scope=patient:read%20notes:read&state=…&code_challenge=…&code_challenge_method=S256&resource=https%3A%2F%2Fapp.trianglehealth.com%2Fmcp
<a
href="https://app.trianglehealth.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=https%3A%2F%2Fyour.app%2Foauth%2Fcallback&response_type=code&scope=patient%3Aread%20notes%3Aread&state=RANDOM_STATE&code_challenge=YOUR_S256_CHALLENGE&code_challenge_method=S256&resource=https%3A%2F%2Fapp.trianglehealth.com%2Fmcp"
>
Connect with Triangle
</a>03.Handle the callback and exchange the code
After the user signs in and approves consent, Triangle redirects to your redirect_uri with code and state. Verify state, then exchange the code at the token endpoint.
- Confirm state matches what you stored; reject the callback if it does not.
- POST application/x-www-form-urlencoded to /oauth/token with grant_type=authorization_code, code, redirect_uri, client_id, and code_verifier.
- Confidential clients also send client_secret (client_secret_post) or Authorization: Basic.
- Store the refresh_token securely server-side. Access tokens are Bearer JWEs (about one hour). Use refresh_token grants to rotate tokens.
curl -X POST 'https://app.trianglehealth.com/oauth/token' \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code' \
-d 'code=AUTHORIZATION_CODE' \
-d 'redirect_uri=https://your.app/oauth/callback' \
-d 'client_id=YOUR_CLIENT_ID' \
-d 'code_verifier=YOUR_CODE_VERIFIER'04.Call Triangle (MCP now; HTTP API coming soon)
Until the public HTTP API ships, use the access token with Triangle’s remote MCP server — the same tools available to ChatGPT, Claude, and other MCP clients.
- Send Authorization: Bearer
to https://app.trianglehealth.com/mcp (JSON-RPC methods such as tools/list and tools/call). - A small set of HTTP /api routes already accept OAuth bearers when they declare required scopes; full HTTP API documentation is coming soon.
- Do not rely on undocumented internal endpoints. Prefer MCP for production integrations until the public API guide is published.
05.Let users disconnect
Users can revoke your app anytime from Triangle Settings → AI Services.
- Link users to https://app.trianglehealth.com → Settings → AI Services and disconnect your app name.
- After disconnect, refresh tokens fail. Design for re-authorization with a fresh Connect with Triangle flow.
- You can also delete unused OAuth apps in the developer portal once no active connections remain.
What you can do after connecting
- OAuth 2.1 authorization code + PKCE (S256) against Triangle’s authorization server.
- Public and confidential clients via the developer portal (not open DCR for arbitrary apps).
- User consent with selectable scopes; installations appear under Settings → AI Services.
- Access and rotating refresh tokens for server-side token management.
- MCP tool access with the access token today; public HTTP API documentation coming soon.