# OAuth 2.0 Overview

OAuth 2.0 is an industry-standard authorisation framework that allows **integrations** to access Pleo data securely on behalf of a customer, **without requiring the customer to share their login credentials**.

Instead of passwords, OAuth 2.0 uses **access tokens**, which grant limited, controlled access to specific resources and actions.

This allows integrations to operate securely while ensuring customers remain in control of their data.

OAuth 2.0 is the **recommended authorisation method for most Pleo integrations**.

Because OAuth 2.0 terminology can vary between platforms, the following definitions explain how these concepts are used within the Pleo Partner platform.

## Concepts and terminology

Before getting started, it helps to understand how key terms are used in Pleo's platform.

| **Concept**          | **Term**              | **Description**                                                                                                             |
| -------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Partner-built system | **Integration**       | The external system or service you build that connects to Pleo APIs (for example, an accounting platform or internal tool). |
| Registered identity  | **OAuth 2.0 client**  | The technical identity registered in Pleo that allows your integration to authenticate and request access tokens.           |
| Marketplace product  | **App / Application** | The user-facing representation of your integration shown during authorisation and within the Pleo Marketplace.              |

Throughout this documentation, **integration** refers to your system that connects to Pleo, **OAuth 2.0 client** refers to the technical identity registered with Pleo, and **application** (or **app**) refers to the user-facing representation of your integration in the Pleo UI or Marketplace.

Understanding these distinctions will help you correctly interpret the instructions in the OAuth 2.0 documentation and avoid confusion between the system you build, its registered identity, and its user-facing representation.

## When to use OAuth 2.0

OAuth 2.0 is the default, and required, authorisation method for technology partners participating in the [Early Access Program](/docs/current/getting-started/developer-partnership-programme). You should use OAuth 2.0 if your integration needs to:

* Access Pleo APIs on behalf of a customer
* Allow customers to connect their Pleo account to your integration
* Access or modify customer data, such as expenses, employees, or accounting information
* Maintain secure, long-lived access without storing user credentials

OAuth 2.0 ensures customers explicitly grant permission and can revoke access at any time.

Alternative authentication methods, such as Integrated API keys, may be used in [limited scenarios](/docs/current/getting-started/developer-partnership-programme#authentication-requirements).

## How OAuth 2.0 protects customer data

OAuth 2.0 improves security by:

* Never exposing user passwords to third-party integrations
* Issuing **access tokens** with limited permissions
* Allowing integrations to request only the access they need using [API scopes](/docs/current/authentication/api-scopes)
* Allowing access to be revoked without affecting user login credentials

This ensures integrations operate within clearly defined permission boundaries.

## OAuth 2.0 roles (as used by Pleo)

OAuth 2.0 defines four roles involved in granting and using access:

* **Resource Owner**\
  The Pleo customer who owns the data and grants access to it.

* **Client**\
  The OAuth 2.0 client representing your integration when requesting access tokens.

* **Authorisation Server**\
  Pleo’s service that authenticates users, collects consent, and issues access tokens.

* **Resource Server**\
  Pleo APIs that store and provide access to protected data.

## What happens when a customer connects your integration

At a high level:

1. Your integration directs the customer to Pleo to approve access
2. The customer reviews and approves the requested permissions
3. Pleo issues access tokens to your integration
4. Your integration uses those tokens to access Pleo APIs securely

The customer can revoke access at any time.
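The four steps above are the standard OAuth 2.0 authorisation code grant (RFC 6749). The following is an added example, not Pleo's code or part of the original page: it builds the messages for each step and performs the checks an integration must do on its side, without making any network calls so it can be run offline. Every URL, the client identifier and the redirect URI are placeholders; the real values come from the OAuth 2.0 client you register with Pleo. It also adds PKCE (RFC 7636), which is assumed to be accepted by the authorisation server but is not mentioned on this page; if it is not accepted, drop the `code_challenge`, `code_challenge_method` and `code_verifier` parameters.

```python
"""Authorisation-code flow skeleton for the four steps described above.

Added example, not Pleo's code. Endpoint URLs, client_id and redirect_uri are
placeholders: use the values from your registered OAuth 2.0 client. PKCE is an
assumption (not stated on the page). No network calls are made; the functions
build and check the messages so the exchange can be inspected offline.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values: replace with those from your registered OAuth 2.0 client.
AUTHORIZE_URL = "https://auth.example.test/oauth/authorize"
TOKEN_URL = "https://auth.example.test/oauth/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://integration.example.test/oauth/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_authorization(scopes: list[str]) -> tuple[str, dict]:
    """Step 1: build the URL the customer is sent to, plus the per-session
    values the integration must remember until the callback arrives."""
    state = secrets.token_urlsafe(32)      # binds the callback to this session
    verifier = secrets.token_urlsafe(64)   # PKCE secret; never leaves the integration
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),         # request only the access you need
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Steps 2-3: after the customer approves, the authorisation server
    redirects back with code and state. Reject any callback whose state does
    not match the one stored for this session before spending the code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        # The customer declined, or the request was rejected: no code is issued.
        raise PermissionError(f"authorisation denied: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorisation code")
    # Token request the integration POSTs over TLS. A confidential client's
    # secret is sent with this request (e.g. HTTP Basic), never in the redirect.
    return {
        "url": TOKEN_URL,
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,  # must equal the one used in step 1
            "client_id": CLIENT_ID,
            "code_verifier": session["verifier"],
        },
    }


def bearer_header(access_token: str) -> dict:
    """Step 4: the access token, not a password, authorises each API call."""
    return {"Authorization": f"Bearer {access_token}"}
```

The `state` check is what stops an attacker from completing the flow with a code obtained in their own browser session; the comparison is constant-time and the value is a fresh random secret per session, not something derived from the user. The `redirect_uri` sent in the token request must be byte-for-byte the one used in step 1, which is what lets the authorisation server detect a code that was redirected elsewhere.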

## What comes next?

Once you decide that OAuth 2.0 is the right authorisation method for your integration, the next step is to design and implement it correctly.

See:

* [OAuth 2.0 Overview](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview) – Understand how OAuth 2.0 works at the implementation level
* [OAuth 2.0 Setup Workflow Guide](/docs/current/guides/oauth-workflow-guide) – Follow a step-by-step implementation guide
