This how-to explains how your integration should respond when OAuth 2.0 tokens can no longer be refreshed, ensuring users can reauthenticate cleanly and integrations fail safely.
Overview
OAuth 2.0 access relies on refresh tokens to maintain long-lived access to Pleo APIs. In some situations, refresh tokens become invalid and can no longer be used to obtain new access tokens. Common causes include:
- Refresh token expiry
- User revoking access
- Client credential rotation
- Security or policy changes
Steps
1. Detect Token Expiry or Revocation
Your integration may detect token expiry or revocation in the following ways.
During token refresh:
- The refresh token request returns an error (for example, an expired or invalid token)
- Pleo rejects the refresh request
- API requests fail with an authentication or authorisation error
- The error indicates that the access token is no longer valid and cannot be refreshed
2. Take Immediate Action
When token expiry or revocation is detected, your integration must:
- Stop making further API requests using the invalid token
- Mark the connection as unauthenticated
- Invalidate stored access and refresh tokens
- Require the user to reauthenticate
3. Restart the Authorisation Flow
To restore access, the user must complete the OAuth 2.0 flow again. Your integration should:
- Redirect the user to Pleo’s authorisation endpoint
- Request the required scopes again
- Handle the redirect and exchange a new authorisation code
- Store the newly issued access and refresh tokens
- How to Direct Users to the Authorisation Endpoint
- How to Handle Redirects and Exchange Authorisation Code
4. Design the Reauthentication Experience
Reauthentication should be:
- Explicit — users understand that access needs to be restored
- Non-destructive — existing configuration remains intact
- Predictable — there is a clear recovery path
5. Log and Observe Failures
Your integration should log:
- Token refresh failures
- Detection of token expiry or revocation
- Reauthentication triggers
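Steps 1 to 5 above, as one added worked example (this is not Pleo's code): it classifies a token-refresh response, separates a permanent rejection from a transient outage so stored tokens are invalidated only when retrying cannot help, applies the step 2 actions in order, logs each event, and builds the authorisation URL with PKCE and the original scopes. The authorisation endpoint URL, the `Connection` type and the injected `refresh` transport are assumptions; the error codes follow RFC 6749 section 5.2 (`invalid_grant` for an expired or revoked refresh token).

```python
"""Added example (not Pleo's code) of refresh-failure handling.

Assumptions: the authorisation endpoint is a placeholder, the HTTP call to the
token endpoint is injected as a callable so this runs offline, and error codes
follow RFC 6749 section 5.2.
"""
import base64
import hashlib
import logging
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

log = logging.getLogger("oauth-client")

# PLACEHOLDER: take the real authorisation endpoint from your Pleo client configuration.
AUTHORIZATION_ENDPOINT = "https://AUTH_SERVER_PLACEHOLDER/oauth/authorize"

# RFC 6749 section 5.2 errors for which retrying the same refresh token can never
# succeed; anything else (5xx, 429, network failure) is treated as transient.
PERMANENT_REFRESH_ERRORS = {"invalid_grant", "invalid_client", "unauthorized_client"}

# A refresh transport returns (http_status, parsed_json_body) from the token endpoint.
RefreshFn = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class Connection:
    """Per-user OAuth state. Configuration (client_id, redirect_uri, scopes) is kept
    apart from credentials so reauthentication is non-destructive (step 4)."""
    client_id: str
    redirect_uri: str
    scopes: Tuple[str, ...]
    access_token: Optional[str]
    refresh_token: Optional[str]
    authenticated: bool = True
    state: Optional[str] = None          # verified when the redirect comes back
    pkce_verifier: Optional[str] = None  # sent with the authorisation code exchange


def classify_refresh_response(status: int, body: Dict[str, str]) -> str:
    """Step 1: map a refresh response to 'ok', 'revoked' or 'transient'."""
    if status == 200 and "access_token" in body:
        return "ok"
    if status in (400, 401) and body.get("error") in PERMANENT_REFRESH_ERRORS:
        return "revoked"
    return "transient"


def build_authorize_url(conn: Connection) -> str:
    """Step 3: restart the authorisation code flow with PKCE (RFC 7636, S256) and
    the same scopes, so the user restores access without reconfiguring anything."""
    conn.pkce_verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43-128 limit
    digest = hashlib.sha256(conn.pkce_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    conn.state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": conn.client_id,
        "redirect_uri": conn.redirect_uri,
        "scope": " ".join(conn.scopes),
        "state": conn.state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def refresh_or_reauthenticate(conn: Connection, refresh: RefreshFn) -> Dict[str, str]:
    """Steps 1, 2 and 5: try to refresh; on a permanent failure stop using the tokens,
    mark the connection unauthenticated, invalidate the tokens, log it and return the
    URL the user must visit. Transient failures leave stored tokens untouched."""
    if not conn.authenticated or not conn.refresh_token:
        return {"action": "reauthenticate", "authorize_url": build_authorize_url(conn)}

    status, body = refresh(conn.refresh_token)
    outcome = classify_refresh_response(status, body)

    if outcome == "ok":
        conn.access_token = body["access_token"]
        # The server may rotate the refresh token; keep the old one only if none is issued.
        conn.refresh_token = body.get("refresh_token", conn.refresh_token)
        return {"action": "continue"}

    if outcome == "transient":
        log.warning("token refresh failed transiently status=%s error=%s", status, body.get("error"))
        return {"action": "retry_later"}

    # Step 2, in order: stop using the token, mark unauthenticated, invalidate, require reauth.
    log.error("refresh token rejected status=%s error=%s client_id=%s", status, body.get("error"), conn.client_id)
    conn.authenticated = False
    conn.access_token = None
    conn.refresh_token = None
    log.info("reauthentication triggered client_id=%s", conn.client_id)
    return {"action": "reauthenticate", "authorize_url": build_authorize_url(conn)}


if __name__ == "__main__":
    # Constructed responses standing in for the token endpoint.
    conn = Connection("client-123", "https://app.example.invalid/cb", ("read",), "old-at", "old-rt")
    print(refresh_or_reauthenticate(conn, lambda rt: (503, {}))["action"])                          # retry_later
    print(refresh_or_reauthenticate(conn, lambda rt: (400, {"error": "invalid_grant"}))["action"])  # reauthenticate
```

In production the `refresh` callable wraps the real POST to the token endpoint. Verifying `state` and sending `pkce_verifier` with the authorisation code belong in the redirect handler covered by the how-to linked in step 3; the point here is that a 503 or 429 leaves the connection intact, while `invalid_grant` clears both tokens before any further API call can reuse them.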
6. Align With Integration Design Requirements
This how-to describes how to respond when tokens expire or are revoked. For design-level requirements, see Handling Refresh Token Expiry or Revocation.
Result
After completing these steps:
- Invalid or revoked tokens are detected reliably
- API calls stop safely when access is no longer authorised
- Users are guided through a clean reauthentication flow
- Integrations recover predictably without data loss
What Comes Next?
Related Reading
- Token Lifecycle
- OAuth 2.0 Client Registration – Step-by-step details of required fields, credentials, and redirect URIs.
- OAuth 2.0 Client Configuration – How to configure your client with correct endpoints, PKCE, and authentication methods.
- PKCE and Secured Patterns – Security requirements for public clients.