> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pleo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# API Base URLs

The **API Base URL** determines which environment your API requests are sent to.

## How Base URLs Are Constructed

`Base URL + Endpoint Path = Final Request URL`

| Environment | Base URL                           | Example Endpoint | Final Request URL                               |
| ----------- | ---------------------------------- | ---------------- | ----------------------------------------------- |
| Staging     | `https://external.staging.pleo.io` | `/v2/employees`  | `https://external.staging.pleo.io/v2/employees` |
| Production  | `https://external.pleo.io`         | `/v2/employees`  | `https://external.pleo.io/v2/employees`         |

See: [API Reference pages](/reference/employees/search-for-employees) for all API endpoints.

## Choosing an Environment

We offer **Staging** and **Production** [environments](/docs/current/getting-started/testing-and-environments).

* **Staging:** safe testing, experiments, pre-production validation
* **Production:** live data, ready integrations

## Authentication

Pleo APIs support multiple authentication methods depending on the integration type.

| Method              | Typical Use                                    |
| ------------------- | ---------------------------------------------- |
| OAuth 2.0           | Partner integrations                           |
| Integrated API Keys | Approved exception only                        |
| Standalone API Keys | Restricted integrations and specific use cases |

All authentication methods work with the **External API base URLs** shown above.

### OAuth 2.0 (Bearer Token)

Partner integrations must use **OAuth 2.0**.

API requests must include the following header:

```text theme={null}
Authorization: Bearer <access_token>
```

Follow the [**OAuth 2.0 Setup Workflow Guide (Manual Token Lifecycle)**](/docs/current/guides/oauth-workflow-guide) to generate an access token.

### Integrated API Keys

Upon [approval](/docs/current/getting-started/developer-partnership-programme#integrated-api-keys-approved-exception-only) from Pleo, some partner integrations may be permitted to use Integrated API Keys.

### Standalone API Keys

Standalone API Keys have [**restricted availability**](/docs/current/authentication/standalone-api-keys-overview) and are only supported by Pleo's [NEW](#faqs) **External APIs**.

If enabled for your account, follow the **Standalone API Key Workflow Guide** to create a key and make your first API request.

Authentication uses **Basic HTTP authentication**:

* API key as the username
* Empty password
* Credentials are automatically Base64 encoded

***

## Rate Limits

All Pleo APIs have a rate limit of 600 requests per minute unless stated otherwise in the API Reference.

***

## What Comes Next?

### Review Integration Requirements

* Integration Design for [OAuth 2.0 Overview](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview)
* Integration Design for [Standalone API Keys](/docs/current/integration-design/auth/api-keys/integration-design-for-standalone-api-keys)

### Setup Authentication

* [OAuth 2.0 Access to Staging Workflow Guide](/docs/current/guides/environment-access/staging-oauth-workflow)
* [OAuth 2.0 Setup Workflow Guide (Manual Token Lifecycle)](/docs/current/guides/oauth-workflow-guide)
* [OAuth 2.0 Setup with Postman](/docs/current/guides/oauth-workflow-guide-postman)
* [Standalone API Key Workflow Guide](/docs/current/guides/standalone-api-keys-workflow-guide)

***

## FAQs

<Accordion title="What is the difference between legacy APIs and new APIs?">
  **Legacy APIs (OpenAPI)**

  * **Base URL:** `https://openapi.pleo.io`
  * **Authentication:** API tokens (legacy tokens)
  * **Availability:** Intended for existing/legacy use cases. Access can depend on your account setup and entitlements.
  * **Lifecycle:** Deprecated. Pleo is working on a deprecation timeline and migration plan.

  **New APIs (External API)**

  * **Base URL:** `https://external.pleo.io`
  * **Authentication:** API keys (and other authentication methods supported by the platform, including [OAuth 2.0](/docs/current/authentication/oauth/oauth-overview), depending on the use case)
  * **Availability:** Restricted access. [Documentation](/reference/api-introduction) may be publicly visible, but access is not broadly enabled by default. Standalone API keys require explicit enablement.
  * **What to expect:** Newer platform surface and improved structure, but not guaranteed feature parity with legacy APIs yet.

  **Important:**

  * Legacy API tokens **will not work** on `external.pleo.io`
  * New API keys **will not work** on `openapi.pleo.io`

  For more context on Standalone API Keys and environment restrictions, see the [Standalone API Keys Overview](/docs/current/authentication/standalone-api-keys-overview) article.
</Accordion>

***