# How to Register an OAuth 2.0 Client

export const WhatComesNext = ({children, href}) => <div className="mt-4">
    <a href={href} className="
        inline-flex items-center justify-center
        rounded-full
        bg-black text-white dark:bg-[#1f262b]
        px-5 py-2.5 text-sm font-medium
        no-underline border-0
        hover:bg-[#ffe6ea] dark:hover:bg-[#2b1f23]
        hover:text-black
        transition-colors
      ">
      {children} →
    </a>
  </div>;

Registering an OAuth 2.0 client allows Pleo to identify your application, apply the correct redirect and scope configuration, and issue client credentials (**Client ID** and **Client Secret**) securely.

This how-to covers **advanced registration**, where you manage redirects and the access-token lifecycle yourself. For a simpler setup using Postman, see the [How to Register an OAuth 2.0 Client (Postman)](/docs/current/how-tos/oauth-postman/how-to-register-an-oauth-client-postman) article instead.

## Prerequisites

Before you begin:

* You are in the process of onboarding to Pleo’s [Staging environment](/docs/current/how-tos/environment-access/how-to-get-access-to-staging-oauth).
* Pleo has asked you to complete the **Developer Partner Registration** form.
* This how-to provides the **information** you need to submit in the registration form.

## Steps

### 1. Provide Registration Data

You provide information to Pleo in the following categories.

#### Human-Readable Information

<Warning>
  **Do not** use Pleo branding or claim your app is a Pleo client.
</Warning>

This information is shown to end users during authorisation:

| Parameter        | Description                                                 |
| ---------------- | ----------------------------------------------------------- |
| Client Name      | Your application’s brand name.                              |
| Client URI       | Link to your app homepage or integration announcement page. |
| Logo             | Square image (1:1 ratio) representing your application.     |
| Terms of Service | Link to the legal agreement governing use of your app.      |
| Privacy Policy   | Link explaining how user data is collected and processed.   |
| Contacts         | Email addresses for people responsible for the application. |

#### Pleo-Specific Information

This information allows Pleo to integrate your application into the product:

| Parameter      | Description                                              |
| -------------- | -------------------------------------------------------- |
| Initiation URI | Where users start connecting your app to Pleo.           |
| Settings URI   | Where users manage your app’s settings from within Pleo. |

#### Technical Information

Required details to establish a secure OAuth 2.0 flow for **your registered OAuth 2.0 client**:

| Parameter               | Description                                                                                                          |
| ----------------------- | -------------------------------------------------------------------------------------------------------------------- |
| Redirect URIs           | URL(s) where Pleo sends users after authentication. Must be HTTPS in production.                                     |
| Scopes                  | API permissions your OAuth 2.0 client needs on behalf of the integration.                                            |
| PKCE Support            | Required for public clients to prevent authorisation-code attacks. Contact your Pleo Partner Manager for exceptions. |
| Subject Type Preference | (Optional) Default resource type your OAuth 2.0 client operates on when calling Pleo APIs.                           |

<Tip>
  For local development, loopback redirect URIs (`localhost`, `127.0.0.1`, `[::1]`) may use HTTP.
</Tip>

<Note>
  Each Pleo API defines its own set of [scopes](/docs/current/authentication/api-scopes). Your registered OAuth 2.0 client can only access APIs and perform actions that correspond to the scopes you request during registration.
</Note>

#### Example Registration

| Parameter               | Value                                                                                |
| ----------------------- | ------------------------------------------------------------------------------------ |
| Client Name             | Example Client                                                                       |
| Client URI              | [https://client.example/](https://client.example/)                                   |
| Terms of Service        | [https://client.example/legal/tos.html](https://client.example/legal/tos.html)       |
| Privacy Policy          | [https://client.example/legal/privacy.pdf](https://client.example/legal/privacy.pdf) |
| Contacts                | [name.surname@example.io](mailto:name.surname@example.io)                            |
| Redirect URIs           | [https://client.example/callback](https://client.example/callback)                   |
| Scopes                  | users:read users:write                                                               |
| PKCE Support            | Supported                                                                            |
| Subject Type Preference | None                                                                                 |

<Tip>
  Verify all URLs and scopes before submitting. Incorrect redirect URIs or missing scopes commonly cause authorisation failures.
</Tip>
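
A pre-submission check for the technical fields, given here as an added example and not Pleo's own tooling. The function names, the `production` flag and the `needed_scopes` argument (the scopes your code actually uses) are assumptions made for illustration; the fragment rule comes from RFC 6749 rather than from this page.

```python
import re
from urllib.parse import urlsplit

# Loopback hosts that the Tip above allows over plain HTTP for local development.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# scope-token characters allowed by RFC 6749 section 3.3
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


def check_redirect_uri(uri, production=False):
    """Return a list of problems for one redirect URI (empty means OK)."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""  # lower-cased, IPv6 brackets stripped
    except ValueError:
        return [f"{uri}: not a parseable URL"]
    if parts.scheme not in ("http", "https") or not host:
        return [f"{uri}: must be an absolute http(s) URL"]
    problems = []
    if parts.scheme == "http":
        if production:
            problems.append(f"{uri}: production redirect URIs must use HTTPS")
        elif host not in LOOPBACK_HOSTS:
            problems.append(f"{uri}: HTTP is only accepted for loopback hosts")
    if "#" in uri:
        problems.append(f"{uri}: fragments are not allowed (RFC 6749 3.1.2)")
    return problems


def check_registration(redirect_uris, scopes, needed_scopes, production=False):
    """Validate the technical fields of a registration before submitting it."""
    problems = []
    for uri in redirect_uris:
        problems += check_redirect_uri(uri, production)
    requested = scopes.split()  # scopes are a space-delimited string
    problems += [f"scope {s!r}: invalid characters" for s in requested
                 if not SCOPE_TOKEN.match(s)]
    missing = sorted(set(needed_scopes) - set(requested))
    if missing:
        problems.append("scopes used by the app but not requested: " + " ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample: the example registration plus one deliberately bad URI.
    for problem in check_registration(
            ["https://client.example/callback", "http://client.example/cb"],
            "users:read users:write", {"users:read", "users:write"}):
        print(problem)
```
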

***

### 2. Receive Client Credentials

<Warning>
  Do **not** embed the Client Secret in frontend code or distribute it. Storing secrets on client devices is not supported by Pleo.
</Warning>

After registration, Pleo shares your credentials securely via 1Password:

| Credential    | Description                                                                                                            | Example Value                        |
| ------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| Client ID     | Public identifier used to request authorisation and identify your app.                                                 | 12a3b456-78c9-0d12-34e5-f678ab9bcd0e |
| Client Secret | Confidential secret used to authenticate your app. Must be stored securely on a server and never exposed to end users. | 12345a6bcd789ef012abcd34ef5a6b       |

## Result

After completing these steps:

* Your OAuth 2.0 client is registered in Pleo’s Staging environment.
* You have received a **Client ID** and **Client Secret**.
* No users are authorised.
* No access tokens exist.
* API calls are **not possible** at this stage.

## What Comes Next?

<WhatComesNext href="/docs/current/how-tos/oauth/how-to-direct-users-to-the-authorisation-endpoint">
  Redirect users to the authorisation endpoint
</WhatComesNext>

***

<div className="text-xs uppercase" style={{ fontVariant: 'small-caps' }}>
  this how-to is part of:
</div>

<div className="mt-4 flex flex-wrap gap-2">
  <a
    href="/docs/current/guides/oauth-workflow-guide"
    className="inline-flex items-center rounded-full border border-gray-300 dark:border-gray-600 
px-3 py-1 text-xs font-medium 
bg-white dark:bg-[#1f262b] text-black dark:text-white
hover:bg-gray-100 dark:hover:bg-[#2b2f33]
transition-colors"
  >
    OAuth 2.0 Setup Workflow Guide (Manual Token Lifecycle)
  </a>
</div>

***

## FAQs

<Accordion title="What is the difference between an integration, application, and OAuth 2.0 client?">
  These terms describe different parts of how OAuth 2.0 works in the Pleo platform.

  The difference between an **integration**, **application**, and **OAuth 2.0 client** is explained in the [OAuth 2.0 Concepts and Terminology](/docs/current/authentication/oauth/oauth-overview#concepts-and-terminology) section.
</Accordion>

***

## Related Reading

* [OAuth 2.0 Client Registration](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-registration) – Step-by-step details of required fields, credentials, and redirect URIs.
* [OAuth 2.0 Client Configuration](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-configuration) – How to configure your client with correct endpoints, PKCE, and authentication methods.
* [PKCE and Secured Patterns](/docs/current/integration-design/auth/oauth/implementing-oauth/integration-design-auth-oauth-pkce-and-secured-patterns) – Security requirements for public clients.

***
