Skip to main content
OAuth 2.0 is an industry-standard authorisation framework that allows integrations to access Pleo data securely on behalf of a customer, without requiring the customer to share their login credentials. Instead of passwords, OAuth 2.0 uses access tokens, which grant limited, controlled access to specific resources and actions. This allows integrations to operate securely while ensuring customers remain in control of their data. OAuth 2.0 is the recommended authorisation method for most Pleo integrations. Because OAuth 2.0 terminology can vary between platforms, the following definitions explain how these concepts are used within the Pleo Partner platform.

Concepts and terminology

Before getting started, it helps to understand how key terms are used in Pleo’s platform.
ConceptTermDescription
Partner-built systemIntegrationThe external system or service you build that connects to Pleo APIs (for example, an accounting platform or internal tool).
Registered identityOAuth 2.0 clientThe technical identity registered in Pleo that allows your integration to authenticate and request access tokens.
Marketplace productApp / ApplicationThe user-facing representation of your integration shown during authorisation and within the Pleo Marketplace.
Throughout this documentation, integration refers to your system that connects to Pleo, OAuth 2.0 client refers to the technical identity registered with Pleo, and application (or app) refers to the user-facing representation of your integration in the Pleo UI or Marketplace. Understanding these distinctions will help you correctly interpret the instructions in the OAuth 2.0 documentation and avoid confusion between the system you build, its registered identity, and its user-facing representation.

When to use OAuth 2.0

OAuth 2.0 is the required default authentication method for technology partners participating in the Early Access Program. You should use OAuth 2.0 if your integration needs to:
  • Access Pleo APIs on behalf of a customer
  • Allow customers to connect their Pleo account to your integration
  • Access or modify customer data, such as expenses, employees, or accounting information
  • Maintain secure, long-lived access without storing user credentials
OAuth 2.0 ensures customers explicitly grant permission and can revoke access at any time. Alternative authentication methods, such as Integrated API keys, may be used in limited scenarios.

How OAuth 2.0 protects customer data

OAuth 2.0 improves security by:
  • Never exposing user passwords to third-party integrations
  • Issuing access tokens with limited permissions
  • Allowing integrations to request only the access they need using API scopes
  • Allowing access to be revoked without affecting user login credentials
This ensures integrations operate within clearly defined permission boundaries.

OAuth 2.0 roles (as used by Pleo)

OAuth 2.0 defines four roles involved in granting and using access:
  • Resource Owner
    The Pleo customer who owns the data and grants access to it.
  • Client
    The OAuth 2.0 client representing your integration when requesting access tokens.
  • Authorisation Server
    Pleo’s service that authenticates users, collects consent, and issues access tokens.
  • Resource Server
    Pleo APIs that store and provide access to protected data.

What happens when a customer connects your integration

At a high level:
  1. Your integration directs the customer to Pleo to approve access
  2. The customer reviews and approves the requested permissions
  3. Pleo issues access tokens to your integration
  4. Your integration uses those tokens to access Pleo APIs securely
The customer can revoke access at any time.

What Comes Next?

Once you decide that OAuth 2.0 is the right authorisation method for your integration, the next step is to design and implement it correctly. See: