What You’ll Have Built
After completing this workflow:
- Your integration is registered with Pleo as an OAuth 2.0 client
- You have securely received your Client ID and Client Secret
- Postman is configured to automatically retrieve and refresh access tokens
- You can successfully call Pleo APIs in the Staging environment
Registering an OAuth 2.0 client creates authentication credentials only. It does not create or publish a Marketplace app.
Who This Guide Is For
This guide is intended for developers and architects implementing OAuth 2.0 integrations with Pleo APIs. It focuses on understanding the OAuth 2.0 workflow and configuring Postman correctly, not on implementing production-grade token handling.
Scope
All instructions assume:
- An OAuth 2.0 integration with Pleo APIs
- Integration with the Staging environment
OAuth 2.0 Workflow Steps
1. Register OAuth 2.0 Client (Postman)
Purpose
Registering an OAuth 2.0 client for your integration enables it to participate in the OAuth 2.0 flow.
Input
- Integration details (name, URI, terms, privacy policy)
- Postman redirect URI
- Required API scopes
Output
- A Client ID and Client Secret
- OAuth 2.0 client authorised to initiate OAuth flows using Postman
Why This Matters
- The Client ID identifies your OAuth 2.0 client to Pleo.
- The Client Secret authenticates your OAuth 2.0 client securely.
- The registered Postman redirect URIs prevent unauthorised token interception.
- Defined API scopes restrict access to approved resources only.
How to Register an OAuth 2.0 Client (Postman)
Complete client registration and receive your credentials securely.
2. Configure Postman for OAuth 2.0
Purpose
Configure Postman to:
- Initiate the OAuth 2.0 Authorisation Code flow (with PKCE)
- Retrieve Access Tokens
- Automatically refresh expired tokens
Input
- Client ID and Client Secret
- Authorisation server URLs
- Registered redirect URI
- Approved API scopes
Output
- A configured OAuth 2.0 token setup in Postman
- A valid Access Token stored in Postman
- Automatic token refresh enabled
Why This Matters
- Postman handles the full token exchange process.
- You do not need to manually implement token refresh logic.
- Proper configuration ensures secure and repeatable testing.
How to Configure Postman for OAuth 2.0
Set up Postman to retrieve and refresh access tokens automatically.
3. Make a Pleo API Call Using Postman
Purpose
Send authorised API requests using the Access Token retrieved by Postman.
Input
- A configured OAuth 2.0 token in Postman
- A valid Pleo API endpoint URL (Staging)
- Required HTTP method (e.g., GET)
Output
- An authorised HTTP request
- JSON response from the Pleo API
- Confirmation that OAuth 2.0 configuration works end-to-end
Why This Matters
- Confirms your OAuth 2.0 setup is correct.
- Validates scopes and consent.
- Ensures tokens are being correctly injected into requests.
How to Make an API Call (Postman)
Send an authorised request and verify your integration works.
What Comes Next?
Once API calls succeed:
- Test additional endpoints
- Validate different scope combinations
- Move from Staging to Production when ready
- Or implement full OAuth token handling in your own backend
FAQs
What is the difference between an integration, application, and OAuth 2.0 client?
These terms describe different parts of how OAuth 2.0 works in the Pleo platform. The difference between them is explained in the OAuth 2.0 Concepts and Terminology section.