> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pleo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# How to Call Pleo APIs Using an Access Token

export const WhatComesNext = ({children, href}) => <div className="mt-4">
    <a href={href} className="
        inline-flex items-center justify-center
        rounded-full
        bg-black text-white dark:bg-[#1f262b]
        px-5 py-2.5 text-sm font-medium
        no-underline border-0
        hover:bg-[#ffe6ea] dark:hover:bg-[#2b1f23]
        hover:text-black
        transition-colors
      ">
      {children} →
    </a>
  </div>;

This how-to explains how to authenticate requests to Pleo APIs using an OAuth 2.0 **access token** obtained during the authorisation flow.

## Overview

Once your OAuth 2.0 client has exchanged an authorisation code for tokens, the **access token** is used to authenticate requests to Pleo APIs.

At this stage:

* User consent has already been granted
* Tokens are stored securely on your backend
* Your integration can begin interacting with Pleo resources

## Prerequisites

Before you begin:

* You have completed the OAuth 2.0 authorisation flow
* You have successfully exchanged an authorisation code for tokens
* You have a valid, unexpired access token stored securely

## Steps

### 1. Include the Access Token in API Requests

All authenticated requests to Pleo APIs must include the access token in the `Authorization` header.

#### Required Header

```http theme={null}
Authorization: Bearer <access_token>
```

* The token must be prefixed with Bearer
* The header must be included on every request to protected endpoints

<Tip> Never include access tokens in query parameters or request bodies. </Tip>

***

### 2. Ensure Required Scopes Are Granted

Access tokens are issued with one or more **scopes**, which define what your integration is allowed to do.

Before making an API call:

* Confirm the required scope was requested during authorisation
* Ensure the endpoint you are calling is covered by that scope

Requests made outside the granted scopes are rejected.

***

### 3. Make API Requests Over HTTPS

Access tokens can be used to:

* Fetch data from Pleo (for example, expenses or export jobs)
* Create or update resources
* Trigger workflows such as exports

All requests **must** be made over HTTPS.

<Tip>
  Use a centralised API client in your integration to ensure consistent authentication, logging, and error handling.
</Tip>

***

### 4. Handle Authentication Errors

API requests may fail due to authentication-related issues.

Common causes include:

* Expired access token
* Invalid or revoked token
* Insufficient scopes

When an authentication error occurs:

* Do not retry the same request blindly
* Determine whether the token needs refreshing
* Restart the authorisation flow if required

***

### 5. Track Access Token Expiry

Access tokens are **short-lived**.

Your integration must:

* Track the token expiry time (`expires_in`)
* Refresh the token before or immediately after it expires
* Avoid making API calls with expired tokens

<Note>
  For refresh strategies and race-condition handling, see [Centralised Token Refresh](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-centralised-token-refresh)
</Note>

***

### 6. Follow Security Best Practices

* Never expose access tokens to frontend clients
* Store tokens only on secure backend systems
* Encrypt tokens at rest where possible
* Log authentication failures with sufficient context for troubleshooting
* Avoid hardcoding tokens or scopes

***

## Result

After completing these steps:

* Your OAuth 2.0 client can authenticate requests using a valid access token
* API calls are authorised according to the granted scopes
* Authentication failures are handled safely and predictably

***

## What Comes Next?

<WhatComesNext href="/docs/current/how-tos/oauth/how-to-refresh-tokens">
  Learn how to refresh access tokens securely and handle expiry
</WhatComesNext>

***

<div className="text-xs uppercase" style={{ fontVariant: 'small-caps' }}>
  this how-to is part of:
</div>

<div className="mt-4 flex flex-wrap gap-2">
  <a
    href="/docs/current/guides/oauth-workflow-guide"
    className="inline-flex items-center rounded-full border border-gray-300 dark:border-gray-600 
px-3 py-1 text-xs font-medium 
bg-white dark:bg-[#1f262b] text-black dark:text-white
hover:bg-gray-100 dark:hover:bg-[#2b2f33]
transition-colors"
  >
    OAuth 2.0 Setup Workflow Guide (Manual Token Lifecycle)
  </a>
</div>

***

## Related Reading

* [Token Lifecycle](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-token-overview)
* [OAuth 2.0 Client Registration](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-registration) – Step-by-step details of required fields, credentials, and redirect URIs.
* [OAuth 2.0 Client Configuration](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-configuration) – How to configure your client with correct endpoints, PKCE, and authentication methods.
* [PKCE and Secured Patterns](/docs/current/integration-design/auth/oauth/implementing-oauth/integration-design-auth-oauth-pkce-and-secured-patterns) – Security requirements for public clients.

***