Authentication Methods
Integrations may authenticate using:
- OAuth 2.0 – recommended for systems that support standard OAuth 2.0 flows.
- API keys – suitable for systems with constraints that prevent OAuth 2.0.
Credential Lifecycle Management
Credentials must be stored securely and managed throughout their lifecycle. This includes:
- Refreshing credentials before they expire, with a safety margin so that a request already in flight does not fail on a stale token
- Handling revocation or invalid credentials
- Ensuring uninterrupted operation during normal use
Secure Storage
All credentials, including access tokens, refresh tokens, and API keys, must be stored securely to prevent accidental exposure or misuse. Follow the secure storage patterns defined for both OAuth 2.0 and API key–based integrations:
- For frontend clients: use HTTP-only cookies (browser SPAs) or the platform's encrypted key store (mobile apps)
- Avoid insecure locations such as local storage or client-side plain text
Entity Association
Each integration represents a one-to-one connection between a Pleo entity and a company in the accounting system. Correct entity association is essential to ensure all exported and synchronised data is recorded in the appropriate accounts, as defined by the Multi-Entity model.
Reliability and Failure Handling
Integrations must handle authorisation failures gracefully, including:
- Expired credentials
- Revoked access
- Transient connectivity issues
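The lifecycle rules above (refresh before expiry, handle revocation, keep working through transient faults) and the failure cases in this section fit in one small credential manager. The code below is an added example, not Pleo's or any accounting system's own code: the `FakeTokenEndpoint`, the fixed `NOW` clock, the `invalid_grant`/503 failure modes and the `access-N`/`refresh-N` token values are all constructed for the demo. It refreshes a token once it is inside a 60-second skew window, serialises concurrent refreshes behind a lock with a re-check so only one refresh is issued per expiry, retries transient errors with bounded exponential backoff, and turns a revoked refresh token into a terminal state that stops hitting the token endpoint. In a real integration pass `time.time` and `time.sleep` as `now` and `sleep` and an HTTP call to the provider's token endpoint as `refresh_fn`.

```python
"""Added example: credential lifecycle for one accounting-system connection.
Refresh before expiry, single-flight refresh under a lock, bounded retry on
transient errors, and a terminal re-authorise state once the refresh token is
revoked. The token endpoint and clock below are constructed fakes."""
import threading
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

NOW = 1_000.0  # fixed fake clock (seconds since epoch) so the example is deterministic


class TransientError(Exception):
    """Connectivity or 5xx failure at the token endpoint: safe to retry."""

class RevokedError(Exception):
    """Token endpoint rejected the refresh token (OAuth 2.0 invalid_grant)."""

class ReauthorisationRequired(Exception):
    """Surfaced to callers once the connection needs the user to re-consent."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # time at which the access token stops working


class CredentialManager:
    def __init__(self, tokens: TokenSet, refresh_fn: Callable[[str], TokenSet],
                 now: Callable[[], float] = lambda: NOW,
                 sleep: Callable[[float], None] = lambda _s: None,
                 skew: float = 60.0, max_attempts: int = 3):
        self._tokens = tokens
        self._refresh_fn = refresh_fn   # exchanges a refresh token for a new TokenSet
        self._now, self._sleep = now, sleep
        self._skew = skew               # refresh this many seconds before expiry
        self._max_attempts = max_attempts
        self._lock = threading.Lock()   # single-flight: one refresh per expiry
        self.revoked = False

    def _needs_refresh(self) -> bool:
        return self._now() >= self._tokens.expires_at - self._skew

    def get_access_token(self) -> str:
        if self.revoked:
            raise ReauthorisationRequired("connection revoked; user must re-authorise")
        if not self._needs_refresh():
            return self._tokens.access_token
        with self._lock:
            # Re-check inside the lock: a concurrent caller may already have refreshed.
            if self.revoked:
                raise ReauthorisationRequired("connection revoked; user must re-authorise")
            if self._needs_refresh():
                self._refresh_with_retry()
            return self._tokens.access_token

    def _refresh_with_retry(self) -> None:
        delay = 0.5
        for attempt in range(1, self._max_attempts + 1):
            try:
                self._tokens = self._refresh_fn(self._tokens.refresh_token)
                return
            except RevokedError as exc:
                # Not retryable: stop using the credentials and signal re-authorisation.
                self.revoked = True
                raise ReauthorisationRequired(str(exc)) from exc
            except TransientError:
                if attempt == self._max_attempts:
                    raise
                self._sleep(delay)      # exponential backoff between attempts
                delay *= 2


class FakeTokenEndpoint:
    """Constructed stand-in for the accounting system's token endpoint."""
    def __init__(self, transient_failures: int = 0, revoked: bool = False):
        self.transient_failures, self.revoked, self.calls = transient_failures, revoked, 0

    def refresh(self, refresh_token: str) -> TokenSet:
        self.calls += 1
        if self.revoked:
            raise RevokedError("invalid_grant")
        if self.transient_failures > 0:
            self.transient_failures -= 1
            raise TransientError("503 from token endpoint")
        # Rotate both tokens, as many providers do; the new access token lives one hour.
        return TokenSet(f"access-{self.calls}", f"refresh-{self.calls}", NOW + 3600.0)


def _manager(endpoint: FakeTokenEndpoint, ttl_left: float) -> CredentialManager:
    return CredentialManager(TokenSet("access-0", "refresh-0", NOW + ttl_left), endpoint.refresh)


def demo_concurrent_refresh(threads: int = 8) -> Tuple[int, Set[str]]:
    """Token 30 s from expiry (inside the 60 s skew): N threads, exactly one refresh."""
    endpoint, results = FakeTokenEndpoint(), []  # results: List[str]
    mgr = _manager(endpoint, ttl_left=30.0)
    workers = [threading.Thread(target=lambda: results.append(mgr.get_access_token()))
               for _ in range(threads)]
    for w in workers: w.start()
    for w in workers: w.join()
    return endpoint.calls, set(results)  # -> (1, {"access-1"})


def demo_transient_then_success() -> Tuple[int, str]:
    """Two 503s then success: the refresh is retried and the caller never sees them."""
    endpoint = FakeTokenEndpoint(transient_failures=2)
    token = _manager(endpoint, ttl_left=0.0).get_access_token()
    return endpoint.calls, token  # -> (3, "access-3")


def demo_revoked() -> Tuple[bool, int]:
    """Revoked refresh token: one failed refresh, then no further endpoint calls."""
    endpoint = FakeTokenEndpoint(revoked=True)
    mgr = _manager(endpoint, ttl_left=0.0)
    outcomes: List[bool] = []
    for _ in range(3):
        try:
            mgr.get_access_token()
            outcomes.append(False)
        except ReauthorisationRequired:
            outcomes.append(True)
    return all(outcomes), endpoint.calls  # -> (True, 1)
```

The lock plus the second `_needs_refresh()` check inside it is what prevents the duplicate-refresh race: eight callers arriving with a near-expiry token produce one token-endpoint call, and the rest read the rotated tokens. Treating `invalid_grant` as terminal rather than retryable matters because a provider that rotates refresh tokens will keep rejecting the old one, and hammering the endpoint only delays surfacing the re-authorisation to the user.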
Related Reading
- OAuth 2.0 Overview – introduction to OAuth 2.0 for Pleo integrations
- API Keys Overview – alternative authentication method
- Tokens Overview – understanding access and refresh tokens
- Secure Token Storage – storing credentials securely
- Centralised Token Refresh – safe token refresh patterns
- Race Condition Prevention – avoid duplicate token refresh attempts
- OAuth 2.0 Setup Workflow Guide – step-by-step guide to configure OAuth 2.0 for your integration