# OAuth 2.0 Setup with Postman

export const ExplorativeCallout = ({title, children, icon = "🧪"}) => <div style={{
  backgroundColor: 'var(--recommended-bg)',
  borderLeft: '4px solid #b5f63b',
  borderRadius: '10px',
  padding: '18px 22px',
  marginBottom: '20px',
  boxShadow: '1px 1px 3px rgba(0,0,0,0.06)'
}}>
    <div style={{
  display: 'flex',
  alignItems: 'flex-start',
  gap: '14px'
}}>
      <span style={{
  fontSize: '22px',
  lineHeight: '1',
  flexShrink: 0
}}>
        {icon}
      </span>
      <div>
        {title && <div style={{
  fontSize: '16px',
  fontWeight: 600,
  color: 'var(--recommended-title)',
  marginBottom: '6px'
}}>
            {title}
          </div>}
        <div style={{
  fontSize: '14px',
  lineHeight: 1.65
}}>
          {children}
        </div>
      </div>
    </div>
  </div>;

<ExplorativeCallout title="Explorative Workflow">
  Pleo Partners building **multi-customer integrations** must implement **OAuth 2.0** as the recommended authentication method. They may use Postman for initial testing.
</ExplorativeCallout>

This workflow explains how to use Postman to integrate with Pleo using OAuth 2.0.

Each step explains **what happens, why it matters, and the expected result**, while linking to detailed how-to guides for implementation.

Using Postman allows you to test and validate the OAuth 2.0 flow without implementing custom token lifecycle management, while still understanding how the full authorisation sequence works.

If you want to manage the token lifecycle yourself, see the [**OAuth 2.0 Setup Workflow Guide**](/docs/current/guides/oauth-workflow-guide).

## What You'll Have Built

After completing this workflow:

* Your integration is registered with Pleo as an OAuth 2.0 client
* You have securely received your **Client ID** and **Client Secret**
* Postman is configured to automatically retrieve and refresh **access tokens**
* You can successfully call Pleo APIs in the Staging environment

<Note>
  Registering an OAuth 2.0 client creates **authentication credentials** only. It does **not** create or publish a Marketplace app.
</Note>

## Who This Guide Is For

This guide is intended for developers and architects implementing OAuth 2.0 integrations with Pleo APIs.

It focuses on understanding the OAuth 2.0 workflow and configuring Postman correctly. The focus is **not** on implementing production-grade token handling.

## Scope

All instructions assume:

* An OAuth 2.0 integration with Pleo APIs
* Integration with the **Staging environment**

## OAuth 2.0 Workflow Steps

## 1. Register OAuth 2.0 Client (Postman)

### Purpose

Registering an OAuth 2.0 client for your integration enables it to participate in the OAuth 2.0 flow.

### Input

* Integration details (name, URI, terms, privacy policy)
* Postman redirect URI
* Required API scopes

### Output

* A **Client ID** and **Client Secret**
* OAuth 2.0 client authorised to initiate OAuth flows using Postman

### Why This Matters

* The **Client ID** identifies your **OAuth 2.0 client** to Pleo.
* The **Client Secret** authenticates your **OAuth 2.0 client** securely.
* The redirect URIs registered for Postman prevent unauthorised token interception.
* Defined API scopes restrict access to approved resources only.

<section className="mt-4">
  <a
    href="/docs/current/how-tos/oauth-postman/how-to-register-an-oauth-client-postman"
    className="group flex items-center justify-between rounded-md border border-gray-200 dark:border-gray-700 px-4 py-3
bg-gray-50 dark:bg-[#1f262b] hover:bg-[#ffe6ea] dark:hover:bg-[#2b1f23]
transition-colors"
  >
    <div>
      <p className="text-sm font-medium text-gray-900 dark:text-white">
        How to Register an OAuth 2.0 Client (Postman)
      </p>

      <p className="text-xs text-gray-600 dark:text-gray-400">
        Complete client registration and receive your credentials securely.
      </p>
    </div>

    <span className="ml-4 text-gray-400 group-hover:text-gray-600 dark:group-hover:text-gray-300">
      →
    </span>
  </a>
</section>

***

## 2. Configure Postman for OAuth 2.0

### Purpose

Configure Postman to:

* Initiate the OAuth 2.0 Authorisation Code flow (with PKCE)
* Retrieve Access Tokens
* Automatically refresh expired tokens

### Input

* Client ID and Client Secret
* Authorisation server URLs
* Registered redirect URI
* Approved API scopes

### Output

* A configured OAuth 2.0 token setup in Postman
* A valid Access Token stored in Postman
* Automatic token refresh enabled

### Why This Matters

* Postman handles the full token exchange process.
* You do not need to manually implement token refresh logic.
* Proper configuration ensures secure and repeatable testing.

<section className="mt-4">
  <a
    href="/docs/current/how-tos/oauth-postman/how-to-configure-postman-for-oauth"
    className="group flex items-center justify-between rounded-md border border-gray-200 dark:border-gray-700 px-4 py-3
bg-gray-50 dark:bg-[#1f262b] hover:bg-[#ffe6ea] dark:hover:bg-[#2b1f23]
transition-colors"
  >
    <div>
      <p className="text-sm font-medium text-gray-900 dark:text-white">
        How to Configure Postman for OAuth 2.0
      </p>

      <p className="text-xs text-gray-600 dark:text-gray-400">
        Set up Postman to retrieve and refresh access tokens automatically.
      </p>
    </div>

    <span className="ml-4 text-gray-400 group-hover:text-gray-600 dark:group-hover:text-gray-300">
      →
    </span>
  </a>
</section>
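
The sketch below shows what a client such as Postman does when it runs the Authorisation Code flow with PKCE, and why the registered redirect URI and the `state` value matter. It is an added example, not Pleo's or Postman's code: the authorisation URL, redirect URI, client ID and scope names are placeholders, and `server_accepts` only simulates the check an authorisation server performs at the token endpoint.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumptions): use the values from your own client registration.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
REDIRECT_URI = "https://callback.example.invalid/oauth/callback"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())

def new_pkce_pair() -> tuple[str, str]:
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, the RFC 7636 minimum
    return verifier, challenge_for(verifier)

def authorization_url(client_id: str, scopes: list[str], state: str, challenge: str) -> str:
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256"})

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Accept the code only on the registered URI and only with our own state."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback is not on the registered redirect URI")
    params = parse_qs(parts.query)
    if "error" in params:
        raise ValueError("authorisation failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this request")
    if "code" not in params:
        raise ValueError("callback carries no authorisation code")
    return params["code"][0]

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorisation server checks at the token endpoint (simulated)."""
    return hmac.compare_digest(challenge_for(presented_verifier).encode(),
                               stored_challenge.encode())
```

Only the challenge travels in the browser redirect; the verifier is sent later in the token request, so an authorisation code captured without the verifier cannot be exchanged for a token.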

***

## 3. Make a Pleo API Call Using Postman

### Purpose

Send authorised API requests using the Access Token retrieved by Postman.

### Input

* A configured OAuth 2.0 token in Postman
* A valid Pleo API endpoint URL (Staging)
* Required HTTP method (e.g., GET)

### Output

* An authorised HTTP request
* JSON response from the Pleo API
* Confirmation that OAuth 2.0 configuration works end-to-end

### Why This Matters

* Confirms your OAuth 2.0 setup is correct.
* Validates scopes and consent.
* Ensures tokens are being correctly injected into requests.

<section className="mt-4">
  <a
    href="/docs/current/how-tos/oauth-postman/how-to-make-an-api-call-postman"
    className="group flex items-center justify-between rounded-md border border-gray-200 dark:border-gray-700 px-4 py-3
bg-gray-50 dark:bg-[#1f262b] hover:bg-[#ffe6ea] dark:hover:bg-[#2b1f23]
transition-colors"
  >
    <div>
      <p className="text-sm font-medium text-gray-900 dark:text-white">
        How to Make an API Call (Postman)
      </p>

      <p className="text-xs text-gray-600 dark:text-gray-400">
        Send an authorised request and verify your integration works.
      </p>
    </div>

    <span className="ml-4 text-gray-400 group-hover:text-gray-600 dark:group-hover:text-gray-300">
      →
    </span>
  </a>
</section>

***

## What Comes Next?

Once API calls succeed:

* Test additional endpoints
* Validate different scope combinations
* Move from Staging to Production when ready
* Or implement full OAuth token handling in your own backend

***

## FAQs

<Accordion title="What is the difference between an integration, application, and OAuth 2.0 client?">
  These terms describe different parts of how OAuth 2.0 works in the Pleo platform.

  The difference between an **integration**, **application**, and **OAuth 2.0 client** is explained in the [OAuth 2.0 Concepts and Terminology](/docs/current/authentication/oauth/oauth-overview#concepts-and-terminology) section.
</Accordion>

***

## Related Reading

* [OAuth 2.0 Overview](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview)
* [OAuth 2.0 Setup Workflow Guide](/docs/current/guides/oauth-workflow-guide)

***
