When to use OAuth 2.0
You should use OAuth 2.0 if your integration needs to:- Access Pleo APIs on behalf of a customer
- Allow customers to connect their Pleo account to your application
- Access or modify customer data, such as expenses, employees, or accounting information
- Maintain secure, long-lived access without storing user credentials
How OAuth 2.0 protects customer data
OAuth 2.0 improves security by:- Never exposing user passwords to third-party applications
- Issuing access tokens with limited permissions
- Allowing integrations to request only the access they need using API scopes
- Allowing access to be revoked without affecting user login credentials
OAuth 2.0 roles (as used by Pleo)
OAuth 2.0 defines four roles involved in granting and using access:-
Resource Owner
The Pleo customer who owns the data and grants access to it. -
Client
The third-party application requesting access to Pleo data. -
Authorisation Server
Pleo’s service that authenticates users, collects consent, and issues access tokens. -
Resource Server
Pleo APIs that store and provide access to protected data.
What happens when a customer connects your integration
At a high level:- Your application directs the customer to Pleo to approve access
- The customer reviews and approves the requested permissions
- Pleo issues access tokens to your application
- Your application uses those tokens to access Pleo APIs securely
What Comes Next?
Once you decide to use OAuth 2.0, the next step is to design and implement the integration correctly. See:- OAuth 2.0 Integration Design Overview – Understand how OAuth 2.0 works at the implementation level
- OAuth 2.0 Setup Workflow Guide – Follow a step-by-step implementation guide