Overview
This workflow explains how to use Postman to integrate with Pleo using OAuth 2.0. Each step explains what happens, why it matters, and the expected result, while linking to detailed how-to guides for implementation. Using Postman allows you to test and validate the OAuth 2.0 flow without implementing custom token lifecycle management, while still understanding how the full authorisation sequence works. If you want to manage the token lifecycle yourself, see the OAuth 2.0 Setup Workflow Guide.What You’ll Have Built
After completing this workflow:- Your application is registered with Pleo as an OAuth 2.0 client
- You have securely received your Client ID and Client Secret
- Postman is configured to automatically retrieve and refresh Access Tokens
- You can successfully call Pleo APIs in the Staging environment
Who This Guide Is For
This guide is intended for developers and architects implementing OAuth 2.0 integrations with Pleo APIs. It focuses on understanding the OAuth 2.0 workflow and configuring Postman correctly. The focus is not on implementing production-grade token handling.Versioning
All instructions assume OAuth 2.0 integration with Pleo APIs.Environment Assumption
All steps assume integration with the Staging environment.OAuth 2.0 Workflow Steps
1. Register OAuth 2.0 Client (Postman)
Purpose
Registering your application with Pleo enables it to participate in the OAuth 2.0 flow. This establishes your application’s identity and defines redirect URIs and scopes.Input
- Application details (name, URI, terms, privacy policy)
- Postman redirect URI
- Required API scopes
Output
- A Client ID and Client Secret
- Application authorised to initiate OAuth 2.0 flows using Postman
Why This Matters
- The Client ID identifies your application to Pleo.
- The Client Secret authenticates your application securely.
- The Postman registered redirect URIs prevent unauthorised token interception.
- Defined API scopes restrict access to approved resources only.
How to Register an OAuth 2.0 Client (Postman)
Complete client registration and receive your credentials securely.
2. Configure Postman for OAuth 2.0
Purpose
Configure Postman to:- Initiate the OAuth 2.0 Authorisation Code flow (with PKCE)
- Retrieve Access Tokens
- Automatically refresh expired tokens
Input
- Client ID and Client Secret
- Authorisation server URLs
- Registered redirect URI
- Approved API scopes
Output
- A configured OAuth 2.0 token setup in Postman
- A valid Access Token stored in Postman
- Automatic token refresh enabled
Why This Matters
- Postman handles the full token exchange process.
- You do not need to manually implement token refresh logic.
- Proper configuration ensures secure and repeatable testing.
How to Configure Postman for OAuth 2.0
Set up Postman to retrieve and refresh access tokens automatically.
3. Make a Pleo API Call Using Postman
Purpose
Send authorised API requests using the Access Token retrieved by Postman.Input
- A configured OAuth 2.0 token in Postman
- A valid Pleo API endpoint URL (Staging)
- Required HTTP method (e.g., GET)
Output
- An authorised HTTP request
- JSON response from the Pleo API
- Confirmation that OAuth 2.0 configuration works end-to-end
Why This Matters
- Confirms your OAuth 2.0 setup is correct.
- Validates scopes and consent.
- Ensures tokens are being correctly injected into requests.
How to Make an API Call (Postman)
Send an authorised request and verify your integration works.
What Comes Next?
Once API calls succeed:- Test additional endpoints
- Validate different scope combinations
- Move from Staging to Production when ready
- Or implement full OAuth token handling in your own backend