This article describes integration architecture, lifecycle behaviour, and UX expectations when building integrations that use Integrated API Keys. If you are unfamiliar with Integrated API Keys, start with the Integrated API Keys Overview, which explains availability, intended usage, and conceptual behaviour. This document focuses on how integrations must behave technically and securely when using Integrated API Keys.Documentation Index
Fetch the complete documentation index at: https://developers.pleo.io/llms.txt
Use this file to discover all available pages before exploring further.
Integration Model
Integrated API Keys enforce a 1-to-1 integration model:Integration Model Assumptions
Integrated API Keys are per-customer (per installation):- The integration itself is multi-customer (one integration can be installed by many customers)
- Each customer installation gets a unique key generated by Pleo, scoped to that installation
- Integrations must store one key per customer tenant and support rotation/reconnect per customer
- No delegated user authorisation within the integration context
- Key generation and permissions are controlled by Pleo
Design Implication
Treat each Integrated API Key as a company-level installation credential for a specific customer, not a user login or session.Your integration must manage key storage, validation, and rotation per customer.
Authentication Responsibilities
When using Integrated API Keys, your integration is responsible for:- Receiving the key from the customer (generated by Pleo during install)
- Validating API connectivity
- Persisting the integration context (
company_idor other identifiers) per customer - Maintaining the key lifecycle state (reconnect, update, rotate) for each customer
Installation and Activation Requirements
After the customer provides the Pleo-generated Integrated API Key, the integration must complete an activation process to verify connectivity.Required Activation Behaviour
Integrations must:- Call a test API endpoint to validate the key
- Confirm that the key is valid and linked to the correct
company_id - Store the
company_idand key securely for future requests - Prevent the integration from becoming active if validation fails
Error Handling Expectations
If activation fails:- Prevent the integration from entering an active state
- Display actionable error messaging
- Allow the customer to re-enter the key and retry activation
Company ID Handling
Thecompany_id links an Integrated API Key to the correct customer.
Required Integration Behaviour
Integrations must:- Persist the
company_idobtained during validation - Use the correct
company_idin all subsequent API requests - Ensure requests are always scoped to the associated customer
Validation Expectations
Integrations should prevent:- Using a key with the wrong
company_id - Sending requests without proper customer scoping
- Silent connection to a different customer after key replacement
Permission and Scope Awareness
Integrated API Keys are created with pre-configured scopes per customer installation. Integrations should:- Validate required scopes during activation
- Surface clear errors if permissions are insufficient
- Avoid assuming full API access
Pre-scoped permissions reduce risk and simplify integration logic.
Key Updates and Re-Authentication
Customers may rotate or replace Integrated API Keys via the Pleo Web App.Required Integration Behaviour
Integrations must:- Allow entry of a new key to replace the previous credential for that customer
- Repeat validation and company association after key replacement
- Confirm required API scopes are present
- Prevent activation if validation fails
Expected System Behaviour
After a key update:- Invalidate previous authentication state for that customer
- Validate the new key
- Confirm or update the associated
company_id - Resume normal operation only after successful validation
Failure and Expiry Handling
Keys may become invalid if they:- Are rotated or replaced
- Lose required permissions
- Are revoked
- Detect authentication failures per customer
- Notify users clearly
- Allow immediate replacement and revalidation
Security Responsibilities
Integrated API Keys are static, company-level credentials per customer installation. Integrations must:- Store keys securely and encrypted at rest
- Mask keys in the UI; avoid logs or analytics exposure
- Rotate or replace compromised keys
- Validate that keys have the required scopes
- Use keys only for the intended customer context
User Interface / UX Expectations
- Provide a dedicated secure input field for the Pleo-generated key
- Mask the key after entry
- Show the connected
company_idclearly - Validate the key immediately and confirm connection
- Support Update / Reconnect flows for rotated keys
- Provide actionable, non-technical error messaging
Integrated API Keys vs OAuth 2.0
| UX / Integration Aspect | Integrated API Keys | OAuth 2.0 |
|---|---|---|
| Availability | Restricted / approved integrations only | Available |
| Access model | Company-scoped per customer | User-delegated |
| Typical usage | Accounting / ERP single-company per install | Multi-customer integrations |
| Customer consent | Implicit in install | Explicit consent required |
| Multi-customer support | Yes — one integration, multiple customer installs | Yes |
| Authentication | Static pre-scoped key | Access tokens |
| Recommended for production | Approved exceptions | Default for all integrations |
Typical Development Workflow (Conceptual)
- Onboard with Pleo and confirm Integrated API Key eligibility
- Implement secure connect screen with key input
- Validate key with a test API call for each customer
- Support reconnect / key rotation flows per customer
- Optional: implement health checks for integration functionality
What Comes Next?
Related Reading
- Integrated API Keys Overview
- Security and Credential Management for Integrated API Keys
- Integrated API Key Customer Installation Flow
- OAuth 2.0 Overview