Prerequisites
Before you begin, ensure that:
- You have registered an OAuth 2.0 client with Pleo
- You have implemented the authorisation redirect flow
- You have a backend endpoint registered as your redirect_uri
- You are using PKCE and have stored the original code_verifier
- You can make secure server-to-server HTTP requests
Steps
1. Understand the Redirect
After a user grants consent on Pleo’s authorisation screen, Pleo redirects the user’s browser back to your application. The redirect contains a short-lived authorisation code that must be exchanged for tokens before any API access is possible. At this stage:
- User consent has already been granted
- No API access is possible yet
- Tokens must be obtained securely on the backend
2. Receive the Redirect
Pleo redirects the browser to your registered redirect_uri with query parameters.
A successful redirect includes:
- code — the authorisation code
- state — the original value sent in the authorisation request
If the request fails, the redirect includes:
- error
- error_description (optional)
- state
3. Validate the Redirect
Before exchanging the authorisation code, perform the following checks:
- Verify the state value. Ensure it matches the value you generated before redirecting the user. This protects against CSRF attacks.
- Ensure a code is present. If no authorisation code is returned, treat the flow as failed.
4. Exchange the Authorisation Code for Tokens
The authorisation code must be exchanged server-to-server using Pleo’s token endpoint. This request must never be made from a frontend or client-side application.
5. Send the Token Exchange Request
The token exchange request must include the following parameters:

| Parameter | Description |
|---|---|
| grant_type | Must be authorization_code |
| code | Authorisation code received from Pleo |
| redirect_uri | Must match the registered redirect URI |
| client_id | Your OAuth 2.0 Client ID |
| client_secret | Your OAuth 2.0 Client Secret |
| code_verifier | Original PKCE code verifier |

Example Request
6. Handle the Token Response
A successful token exchange returns:
- access_token
- refresh_token
- expires_in
- token_type
- scope
When you receive the response:
- Store tokens securely
- Associate tokens with the correct Pleo company or entity
- Track token expiry time for future refresh operations
7. Handle Token Exchange Errors
Token exchange can fail for several reasons:
- Invalid or expired authorisation code
- Mismatched redirect URI
- Invalid client credentials
- Incorrect or missing PKCE verifier
If the exchange fails:
- Do not retry with the same authorisation code
- Restart the OAuth 2.0 flow if required
- Log failures for troubleshooting
8. Follow Authorisation Code Rules
- Authorisation codes are single-use and expire quickly
- Any used or expired code will be rejected by Pleo
9. Store Tokens Securely
Tokens must be stored according to security best practices:
- Store tokens only on secure backend systems
- Never expose tokens to end users
- Encrypt tokens at rest where possible
See Secure Token Storage for detailed guidelines and recommended patterns.
10. Track and Manage Token Expiry
To maintain uninterrupted access:
- Track the expires_in value for each access token
- Schedule refresh operations before access tokens expire
- Ensure refresh operations follow Centralised Token Refresh and Race Condition Prevention patterns
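The following backend handler ties steps 3 to 10 together: it validates the redirect (state check, error parameters, presence of a code), builds the token request from the parameter table, posts it server-to-server, rejects error payloads without retrying the code, and records an absolute expiry time so refresh can be scheduled ahead of expires_in. This is an added example, not Pleo's own code: the token endpoint URL is a placeholder because this page does not state it, and all credentials, state values and the sample token response are constructed.

```python
"""Backend handler for Pleo's OAuth 2.0 redirect: validate, exchange, store.

Added example; not Pleo's code. The token endpoint URL below is a placeholder
(this page does not state it), and every credential and value is constructed.
"""
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://PLEO-TOKEN-ENDPOINT-PLACEHOLDER/oauth/token"  # assumption


class OAuthFlowError(Exception):
    """The redirect or exchange cannot be accepted; restart the OAuth flow."""


def validate_redirect(query: dict, expected_state: str) -> str:
    """Step 3: check state and code before touching the token endpoint."""
    state = query.get("state", "")
    # Constant-time compare against the state held in the user's session (CSRF check).
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise OAuthFlowError("state mismatch: reject the redirect")
    if "error" in query:
        raise OAuthFlowError(
            f"authorisation failed: {query['error']} "
            f"({query.get('error_description', 'no description')})"
        )
    code = query.get("code")
    if not code:
        raise OAuthFlowError("no authorisation code in redirect; treat as failed")
    return code


def build_token_request(code, redirect_uri, client_id, client_secret, code_verifier):
    """Step 5: the form parameters listed in the table above."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


def exchange_code(params: dict, token_endpoint: str = TOKEN_ENDPOINT) -> dict:
    """Step 4: POST the exchange server-to-server; never run this in a browser."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # A 4xx body still carries the OAuth error; the code is spent either way,
        # so the caller must not retry with it (step 7).
        return json.load(err)


def handle_token_response(payload: dict, received_at: float) -> dict:
    """Steps 6 and 7: reject error payloads, record an absolute expiry time."""
    if "error" in payload:
        raise OAuthFlowError(f"token exchange failed: {payload['error']}")
    missing = [k for k in ("access_token", "refresh_token", "expires_in", "token_type")
               if k not in payload]
    if missing:
        raise OAuthFlowError(f"token response missing {missing}")
    return {
        "access_token": payload["access_token"],
        "refresh_token": payload["refresh_token"],
        "token_type": payload["token_type"],
        "scope": payload.get("scope"),
        "expires_at": received_at + int(payload["expires_in"]),  # step 10
    }


def needs_refresh(record: dict, now: float, margin_seconds: int = 60) -> bool:
    """Step 10: refresh before the access token expires, with a safety margin."""
    return now >= record["expires_at"] - margin_seconds


if __name__ == "__main__":
    # Constructed sample: a redirect query and a token response a backend might see.
    session_state = "state-7f3a"
    code = validate_redirect({"code": "auth-code-123", "state": session_state}, session_state)
    params = build_token_request(code, "https://example.invalid/oauth/callback",
                                 "client-id-placeholder", "client-secret-placeholder",
                                 "code-verifier-placeholder")
    sample_response = {"access_token": "at", "refresh_token": "rt",
                       "expires_in": 3600, "token_type": "Bearer", "scope": "read"}
    record = handle_token_response(sample_response, received_at=1_700_000_000.0)
    print(params["grant_type"], record["expires_at"], needs_refresh(record, 1_700_003_540.0))
```

The state comparison uses hmac.compare_digest so the check does not leak the stored value through timing, and the exchange reads the body of a 4xx response because the token endpoint's error code is what you want in your logs; the record stores expires_at as an absolute timestamp rather than the raw expires_in, which is what a centralised refresh job can schedule against.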
Result
After completing these steps:
- Your backend has securely validated the OAuth 2.0 redirect
- Your application has exchanged a single-use authorisation code for tokens
- Access and refresh tokens are stored securely
- Your application is now authorised to access Pleo APIs
What Comes Next?
How to Call Pleo APIs Using Access Tokens
Use your access token to make authenticated requests to Pleo APIs.
Related Reading
- Token Lifecycle
- OAuth 2.0 Client Registration – Step-by-step details of required fields, credentials, and redirect URIs.
- OAuth 2.0 Client Configuration – How to configure your client with correct endpoints, PKCE, and authentication methods.
- PKCE and Secured Patterns – Security requirements for public clients.