Security Ownership Model
Security responsibilities are shared between Pleo and the integration developer.
Pleo Responsibilities
Pleo manages:
- Key generation during installation
- Permission scoping
- Association between key, integration, and company
- Key visibility within the Pleo Web App
Integration Responsibilities
Your integration is responsible for:
- Receiving the key securely from the customer
- Validating API connectivity
- Secure storage and protection
- Managing credential lifecycle events
- Handling reconnection and key replacement
Key Security Principles
Integrated API Keys must be treated as high-sensitivity secrets.
Core Principles
- Treat keys like passwords or private tokens
- Store keys only on trusted backend systems
- Apply least-privilege thinking even with pre-scoped permissions
- Prevent exposure through logs, analytics, or client-side code
- Isolate credentials per customer tenant
Secure Storage Requirements
Each Integrated API Key represents access to one customer company and must be stored securely.
Required Practices
Integrations must:
- Store keys encrypted at rest
- Persist keys only in backend systems
- Mask keys after initial entry
- Prevent retrieval of full keys after saving
- Segregate credentials per customer tenant
Keys must not be stored in:
- Frontend applications
- Mobile apps
- Browser storage
- Client-side JavaScript
Recommended Storage Options
- Managed secrets vaults (AWS Secrets Manager, HashiCorp Vault)
- Encrypted environment variables
- Secure server-side credential stores
Transmission and Handling
When transmitting or processing Integrated API Keys:
- Always use HTTPS
- Send keys using headers, not query parameters
- Avoid temporary storage in logs or debug output
- Validate format before submission where possible
Multi-Customer Credential Isolation
Integrated API Keys are per installation, meaning your integration will store multiple keys. Your system must ensure:
- Each key maps to exactly one customer tenant
- Keys are never shared across customers
- Requests always use the correct associated company_id
- Credential access is scoped internally by tenant context
Permission and Scope Awareness
Integrated API Keys are created with pre-configured scopes defined by Pleo. Integrations should:
- Verify required permissions during activation
- Surface clear errors if permissions are insufficient
- Avoid assuming unrestricted API access
Key Rotation and Replacement
Customers may rotate or recreate Integrated API Keys within the Pleo Web App. Integrations must support secure replacement.
Required Workflow
- Customer generates a replacement key in Pleo
- User updates the key inside the integration
- Integration revalidates API connectivity
- Associated company_id is confirmed
- Previous credential is invalidated internally
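The replacement workflow above, sketched as an added example (not Pleo's code or API): a new key is only swapped in after the connectivity check succeeds and the company_id matches the one already stored for that tenant. `probe` and `seal` are hypothetical hooks standing in for the API connectivity check and for encryption at rest; all class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict


class ReplacementRejected(Exception):
    """The replacement key failed a check; the stored credential is unchanged."""


def mask(key: str) -> str:
    """Masked form for UI and logs: last 4 characters only, none for short input."""
    return "*" * 8 + (key[-4:] if len(key) > 8 else "")


@dataclass(frozen=True)
class Credential:
    company_id: str
    sealed_key: bytes  # ciphertext only; the plaintext key is never persisted
    hint: str          # masked form, safe to display after saving


class TenantCredentialStore:
    """One credential per tenant; replacement is validate-then-swap."""

    def __init__(self, probe: Callable[[str], str],
                 seal: Callable[[str], bytes]) -> None:
        # probe(key): hypothetical connectivity check that calls the API with
        #   the key and returns the company_id it belongs to (raises on failure).
        # seal(key): hypothetical encrypt-at-rest hook (e.g. a KMS or vault call).
        self._probe, self._seal = probe, seal
        self._by_tenant: Dict[str, Credential] = {}

    def replace_key(self, tenant_id: str, new_key: str) -> str:
        try:
            company_id = self._probe(new_key)  # revalidate API connectivity
        except Exception:
            # "from None": do not chain an error that may carry request details.
            raise ReplacementRejected("connectivity check failed") from None
        current = self._by_tenant.get(tenant_id)
        if current is not None and current.company_id != company_id:
            raise ReplacementRejected("key belongs to a different company")
        # Overwriting the entry invalidates the previous credential internally.
        cred = Credential(company_id, self._seal(new_key), mask(new_key))
        self._by_tenant[tenant_id] = cred
        return cred.hint

    def hint(self, tenant_id: str) -> str:
        return self._by_tenant[tenant_id].hint
```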
Compromise and Incident Response
If a key is suspected to be exposed, integrations must:
- Immediately disable affected authentication
- Prompt the user to replace the key
- Revalidate the new credential
- Review logs for suspicious activity
Logging and Monitoring
Logging must balance observability with credential protection.
Required Behaviour
- Never log full API Keys
- Mask sensitive values
- Store only minimal identifiers if required (e.g. last 4 characters)
- Monitor authentication failures and permission errors
Recommended Monitoring
- Detect repeated authentication failures
- Alert users when reconnection is required
- Surface degraded integration states clearly
Lifecycle Expectations
Integrated API Keys may become invalid if they:
- Are rotated or replaced
- Are revoked
- Lose required permissions
- Become disconnected during configuration changes
Summary
Integrated API Keys introduce a shared security model:
- Pleo manages generation and permission scoping
- Integrations manage storage, lifecycle, and operational security
- Each customer installation requires independent credential handling