Registering an OAuth 2.0 client allows Pleo to identify your application, apply the correct redirect and scope configuration, and issue client credentials (Client ID and Client Secret) securely.
This how-to covers advanced registration, where you manage redirects and the access-token lifecycle yourself. For a simpler setup using Postman, see the Postman guide (coming soon).
Prerequisites
Before you begin:
- You have access to Pleo’s Staging environment.
- Pleo has asked you to complete the Developer Partner Registration form.
- Pleo will use the information you provide below to register your application in Staging.
Steps
1. Provide Registration Data
You provide information to Pleo in the following categories.
Do not use Pleo branding or claim your app is a Pleo client.
This information is shown to end users during authorisation:
| Parameter | Description |
|---|---|
| Client Name | Your application’s brand name. |
| Client URI | Link to your app homepage or integration announcement page. |
| Logo | Square image (1:1 ratio) representing your application. |
| Terms of Service | Link to the legal agreement governing use of your app. |
| Privacy Policy | Link explaining how user data is collected and processed. |
| Contacts | Email addresses for people responsible for the application. |
This information allows Pleo to integrate your application into the product:
| Parameter | Description |
|---|---|
| Initiation URI | Where users start connecting your app to Pleo. |
| Settings URI | Where users manage your app’s settings from within Pleo. |
This information is required to establish a secure OAuth 2.0 flow:
| Parameter | Description |
|---|---|
| Redirect URIs | Endpoint(s) Pleo redirects users to after authentication. Must be HTTPS in production. |
| Scopes | API scopes your application requests access to. |
| PKCE Support | Required for public clients to mitigate authorisation-code interception attacks. Exceptions are allowed on request. |
| Subject Type Preference | (Optional) Default resource type your application operates on. |
For local development, loopback redirect URIs (localhost, 127.0.0.1, [::1]) may use HTTP.
Available API Scopes
Each Pleo API defines its own set of scopes. Your application can only access APIs and perform actions that correspond to the scopes you request during registration.
Refer to the scope reference for each API:
Ensure you request all scopes required for your integration. Missing scopes will prevent your application from accessing the corresponding API endpoints.
Example Registration
| Parameter | Value |
|---|---|
| Client Name | Example Client |
| Client URI | https://client.example/ |
| Terms of Service | https://client.example/legal/tos.html |
| Privacy Policy | https://client.example/legal/privacy.pdf |
| Contacts | name.surname@example.io |
| Redirect URIs | https://client.example/callback |
| Scopes | users:read users:write |
| PKCE Support | Supported |
| Subject Type Preference | None |
Verify all URLs and scopes before submitting. Incorrect redirect URIs or missing scopes commonly cause authorisation failures.
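As an added example (not Pleo's own tooling), the following Python script applies the checks from this page to a registration record before you submit it: redirect URIs must be HTTPS in production, plain HTTP is accepted only for loopback hosts during local development, at least one scope must be requested, and a public client must declare PKCE support. The `public_client` field and the dictionary layout are assumptions made for the script; the fragment check comes from RFC 6749 section 3.1.2, not from this page.

```python
from urllib.parse import urlsplit

# Loopback hosts this page allows to use plain HTTP during local development.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(uri: str, production: bool) -> list[str]:
    """Return the problems found with one redirect URI (empty list = acceptable)."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return [f"{uri}: scheme must be http or https"]
    if parts.fragment:
        # RFC 6749 section 3.1.2: a redirect URI must not include a fragment component.
        problems.append(f"{uri}: must not contain a fragment")
    if parts.scheme == "http":
        if production:
            problems.append(f"{uri}: must be HTTPS in production")
        elif parts.hostname not in LOOPBACK_HOSTS:  # hostname strips the [] around ::1
            problems.append(f"{uri}: plain HTTP is only allowed for loopback hosts")
    return problems


def check_registration(reg: dict, production: bool) -> list[str]:
    """Check the OAuth-relevant fields of a registration request before submitting it.
    `reg` mirrors the registration table on this page; `public_client` is an assumed field."""
    problems = []
    if not reg.get("redirect_uris"):
        problems.append("at least one redirect URI is required")
    for uri in reg.get("redirect_uris", []):
        problems.extend(check_redirect_uri(uri, production))
    if not reg.get("scopes"):
        problems.append("no scopes requested; API calls would be refused")
    if reg.get("public_client") and not reg.get("pkce_support"):
        problems.append("public clients must support PKCE")
    return problems


# Constructed sample built from the example registration above.
EXAMPLE_REGISTRATION = {
    "client_name": "Example Client",
    "redirect_uris": ["https://client.example/callback"],
    "scopes": ["users:read", "users:write"],
    "pkce_support": True,
    "public_client": False,
}

if __name__ == "__main__":
    print(check_registration(EXAMPLE_REGISTRATION, production=True))  # []
    dev = dict(EXAMPLE_REGISTRATION, redirect_uris=["http://[::1]:8080/cb", "http://dev.example/cb"])
    print(check_registration(dev, production=False))  # flags only the non-loopback HTTP URI
```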
2. Receive Client Credentials
Do not embed the Client Secret in frontend code or distribute it. Storing secrets on client devices is not supported by Pleo.
After registration, Pleo shares your credentials securely via 1Password:
| Credential | Description | Example Value |
|---|---|---|
| Client ID | Public identifier used to request authorisation and identify your app. | 12a3b456-78c9-0d12-34e5-f678ab9bcd0e |
| Client Secret | Confidential secret used to authenticate your app. Must be stored securely on a server and never exposed to end users. | 12345a6bcd789ef012abcd34ef5a6b |
Result
After completing these steps:
- Your application is registered as an OAuth 2.0 client in Pleo’s Staging environment.
- You have received a Client ID and Client Secret.
- No users are authorised.
- No access tokens exist.
- API calls are not possible at this stage.
What Comes Next?