# Standalone API Keys Overview

export const RememberCallout = ({title, children, icon = "🪢"}) => <div style={{
  backgroundColor: 'var(--recommended-bg)',
  borderLeft: '4px solid #f63b92',
  borderRadius: '10px',
  padding: '18px 22px',
  marginBottom: '20px',
  boxShadow: '1px 1px 3px rgba(0,0,0,0.06)'
}}>
    <div style={{
  display: 'flex',
  alignItems: 'flex-start',
  gap: '14px'
}}>
      <span style={{
  fontSize: '22px',
  lineHeight: '1',
  flexShrink: 0
}}>
        {icon}
      </span>
      <div>
        {title && <div style={{
  fontSize: '16px',
  fontWeight: 600,
  color: 'var(--recommended-title)',
  marginBottom: '6px'
}}>
            {title}
          </div>}
        <div style={{
  fontSize: '14px',
  lineHeight: 1.65
}}>
          {children}
        </div>
      </div>
    </div>
  </div>;

export const WarningCallout = ({title, children, icon = "⚠️"}) => <div style={{
  backgroundColor: 'var(--recommended-bg)',
  borderLeft: '4px solid hsl(34, 91%, 60%)',
  borderRadius: '10px',
  padding: '18px 22px',
  marginBottom: '20px',
  boxShadow: '1px 1px 3px hsl(34, 91%, 60%)'
}}>
    <div style={{
  display: 'flex',
  alignItems: 'flex-start',
  gap: '14px'
}}>
      <span style={{
  fontSize: '22px',
  lineHeight: '1',
  flexShrink: 0
}}>
        {icon}
      </span>
      <div>
        {title && <div style={{
  fontSize: '16px',
  fontWeight: 600,
  color: 'var(--recommended-title)',
  marginBottom: '6px'
}}>
            {title}
          </div>}
        <div style={{
  fontSize: '14px',
  lineHeight: 1.65
}}>
          {children}
        </div>
      </div>
    </div>
  </div>;

Standalone API Keys provide a simple way to authenticate requests to Pleo APIs using a **company-controlled credential** instead of delegated user authorisation.

A Standalone API Key is generated directly from the **Pleo Web App** and allows systems to access Pleo APIs for a **single organisation**, without requiring an OAuth 2.0 authorisation flow.

Standalone API Keys are primarily intended for **API exploration, internal tooling, and Pleo pre-approved single-company integrations**.

For most production integrations, especially those connecting multiple customers, **OAuth 2.0 remains the recommended authorisation method**.

<WarningCallout title="Availability Notice">
  Standalone API Keys are **restricted** and are **not available to most customers or partners**.

  <br />

  <br />

  If you’re considering using them, note the following:

  * Standalone API Keys are **not self-service**
  * Access must be explicitly enabled by Pleo during onboarding
  * Most customers currently use [**Legacy APIs**](#faqs), not the new External API platform
  * Seeing this documentation **does not mean you have access**
  * You must be an **admin** or **bookkeeper** to generate Standalone API Keys

  If you do not see API Keys in the **Pleo Web App**, then Standalone API Key access has not been enabled for your organisation.

  <br />

  <br />

  Standalone API Keys are **not available for customers using [Legacy APIs](#faqs)**.

  <br />

  <br />

  **Support expectations:**

  <br />

  <br />

  Standalone API Keys are provided only in approved scenarios. When access is granted:

  * Pleo support is limited to information available in the public developer portal
  * Custom implementation support is generally not provided by Pleo
  * Integrations are expected to be self-managed by the customer/partner implementation and development teams
</WarningCallout>

## Concepts and Terminology

Before getting started, it helps to understand how Standalone API Keys are used within the Pleo platform.

| **Concept**         | **Term**                 | **Description**                                                                                                           |
| ------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
| Company credential  | **Standalone API Key**   | A secret key generated in the Pleo Web App used to authenticate API requests for a single company.                        |
| Environment         | **Staging / Production** | The Pleo environment where the API Key is created and valid. Keys only work in the environment where they were generated. |
| Permission boundary | **API scopes**           | Permissions assigned to a key that define which API actions it may perform.                                               |
| Company identity    | **`company_id`**         | The Pleo company identity whose data the API Key can access.                                                              |

Unlike OAuth 2.0, Standalone API Keys do not represent a user or external application acting on behalf of multiple customers. Instead, they represent **direct access granted by a company to its own systems**.

## When to Use Standalone API Keys

Standalone API Keys are appropriate when API access is limited to a **single organisation** and user authorisation is not required.

Typical use cases include:

* Exploring or testing Pleo APIs during development
* Building internal tools or scripts
* Exporting data to internal systems or data warehouses
* One-off migrations or reporting workflows
* Approved integrations that cannot support OAuth 2.0 or Integrated API Keys (for example, legacy systems or restricted environments)

## When to Use OAuth 2.0 Instead

OAuth 2.0 should be used if your integration:

* Connects multiple Pleo customers
* Acts on behalf of users or external organisations
* Requires customer consent and revocable access
* Will be distributed as a partner or marketplace integration

OAuth 2.0 provides delegated, user-authorised access and is the default authentication method for most integrations.

See the [**OAuth 2.0 Overview**](/docs/current/authentication/oauth/oauth-overview) for details.

## How Standalone API Keys Work (Conceptually)

### Environment-Scoped Access

Each Standalone API Key is bound to the environment where it was created:

* A key created in **Staging** only works in Staging
* A key created in **Production** only works in Production

Keys cannot be reused across environments.

### Permission-Scoped Access

When creating a key, you select [**API scopes**](/docs/current/authentication/api-scopes) that define allowed actions.

For example:

* `users:read`
* `export-jobs:read`
* `export-jobs:write`

The key can only perform operations allowed by its assigned scopes.

### Company-Scoped Authentication

Standalone API Keys provide access to a **single Pleo company**.

API requests must include the correct `company_id`, ensuring requests operate within the intended organisational boundary.

This results in a **1-to-1 integration model** between a system and a Pleo organisation.

The same principle applies to [multi-entity](/docs/current/platform/multi-entity/multi-entity-and-api-scope) accounts.

Detailed guidance on API scopes, company scoping, and integration lifecycle is in [**Integration Design for Standalone API Keys**](/docs/current/integration-design/auth/api-keys/integration-design-for-standalone-api-keys).

## Security Responsibilities (High-Level)

Because Standalone API Keys act as secret credentials, your organisation is responsible for protecting them:

* Store API Keys securely and never expose them publicly
* Avoid embedding keys in client-side applications
* Use the minimum required API scopes
* Rotate or replace keys if compromised

For implementation best practices and lifecycle handling, see [**Security and Credential Management for Standalone API Keys**](/docs/current/integration-design/auth/api-keys/integration-design-security-for-standalone-api-keys).
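The scoping rules and responsibilities above can be enforced as a preflight check that runs before an integration starts. The following is an added example, not Pleo code, and it makes no API calls. The config field names, the `PLEO_API_KEY` variable name, the finding codes, and the sample values are all assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit

LEGACY_HOST = "openapi.pleo.io"  # per the FAQ, new API keys do not work on this host
ENVIRONMENTS = {"staging", "production"}

def preflight(config, needed_scopes, environ=None):
    """Return findings as 'code: detail' strings; an empty list means pass."""
    environ = os.environ if environ is None else environ
    findings = []
    if "api_key" in config:  # secret stored alongside ordinary configuration
        findings.append("key-in-config: load the key from a secret store instead")
    if not environ.get(config.get("api_key_env", "")):
        findings.append("key-missing: named environment variable is unset or empty")
    key_env, target = config.get("key_environment"), config.get("target_environment")
    if key_env not in ENVIRONMENTS or target not in ENVIRONMENTS:
        findings.append("env-unknown: expected staging or production")
    elif key_env != target:  # keys are bound to the environment that created them
        findings.append(f"env-mismatch: {key_env} key used against {target}")
    url = urlsplit(config.get("base_url", ""))
    if url.scheme != "https":
        findings.append("no-tls: base_url must use https")
    if (url.hostname or "").lower() == LEGACY_HOST:
        findings.append("legacy-host: standalone keys are not valid on the legacy API")
    if not config.get("company_id"):
        findings.append("company-missing: company_id is required")
    granted, needed = set(config.get("granted_scopes", [])), set(needed_scopes)
    if needed - granted:
        findings.append("scope-missing: " + ", ".join(sorted(needed - granted)))
    if granted - needed:  # least privilege: nothing granted that is not used
        findings.append("scope-excess: " + ", ".join(sorted(granted - needed)))
    return findings

# Constructed sample inputs (hypothetical values, not real identifiers).
SAMPLE_ENV = {"PLEO_API_KEY": "constructed-placeholder-key"}
GOOD = {"api_key_env": "PLEO_API_KEY", "key_environment": "production",
        "target_environment": "production", "base_url": "https://external.pleo.io",
        "company_id": "example-company-id", "granted_scopes": ["export-jobs:read"]}
BAD = {"api_key": "constructed-placeholder-key", "api_key_env": "PLEO_API_KEY",
       "key_environment": "staging", "target_environment": "production",
       "base_url": "https://openapi.pleo.io", "company_id": "",
       "granted_scopes": ["users:read", "export-jobs:read", "export-jobs:write"]}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(cfg, ["export-jobs:read"], SAMPLE_ENV) or "ok")
```

Running the check in CI against the deployed configuration surfaces scope drift and environment mix-ups before a key is ever sent over the wire.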

## Standalone API Keys vs OAuth 2.0

|                                         | **Standalone API Keys** | **OAuth 2.0**         |
| --------------------------------------- | ----------------------- | --------------------- |
| Availability                            | Restricted              | Available             |
| Access model                            | Company-controlled      | User-delegated        |
| Typical usage                           | Internal or exploratory | Customer integrations |
| Customer consent                        | Not required            | Required              |
| Multi-customer support                  | No                      | Yes                   |
| Authentication                          | Static API key          | Access tokens         |
| Recommended for production integrations | Limited cases           | Yes                   |

<RememberCallout title="Remember">
  * **Multi-customer:** Multiple customers using your integration.
  * **Multi-entity:** Your organisation has multiple companies.
</RememberCallout>

## Typical Development Workflow

1. Explore APIs using Standalone API Keys
2. Prototype workflows and validate API usage
3. Implement Standalone API Keys for production integrations (where approved by Pleo)
4. Implement OAuth 2.0 for production integrations (recommended)

Implementation details for installation, activation, key updates, and error handling are covered in:

* [**Integration Design for Standalone API Keys**](/docs/current/integration-design/auth/api-keys/integration-design-for-standalone-api-keys)
* [**User Experience Guidelines for Standalone API Keys**](/docs/current/integration-design/auth/api-keys/integration-design-user-exp-guidelines-for-standalone-api-keys)
* [**Security and Credential Management for Standalone API Keys**](/docs/current/integration-design/auth/api-keys/integration-design-security-for-standalone-api-keys)

## What Comes Next?

* [**Standalone API Key Workflow Guide**](/docs/current/guides/standalone-api-keys-workflow-guide) – Generate a key and make your first API call

***

## Related Reading

* [**How to Generate an API Key**](/docs/current/how-tos/api-keys/how-to-generate-standalone-api-keys)
* [**OAuth 2.0 Overview**](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview) – Learn the recommended integration authentication model

***

## FAQs

<Accordion title="What is the difference between legacy APIs and new APIs?">
  **Legacy APIs (OpenAPI)**

  * **Base URL:** `https://openapi.pleo.io`
  * **Authentication:** API tokens (legacy tokens)
  * **Availability:** Intended for existing/legacy use cases. Access can depend on your account setup and entitlements.
  * **Lifecycle:** Deprecated. Pleo is working on a deprecation timeline and migration plan.

  **New APIs (External API)**

  * **Base URL:** `https://external.pleo.io`
  * **Authentication:** API keys (and other authentication methods supported by the platform, including [OAuth 2.0](/docs/current/authentication/oauth/oauth-overview), depending on the use case)
  * **Availability:** Restricted access. [Documentation](/reference/api-introduction) may be publicly visible, but access is not broadly enabled by default. Standalone API keys require explicit enablement.
  * **What to expect:** Newer platform surface and improved structure, but not guaranteed feature parity with legacy APIs yet.

  **Important:**

  * Legacy API tokens **will not work** on `external.pleo.io`
  * New API keys **will not work** on `openapi.pleo.io`

  For more context on Standalone API Keys and environment restrictions, see the [Standalone API Keys Overview](/docs/current/authentication/standalone-api-keys-overview) article.
</Accordion>

***
