- requests are authenticated securely
- permissions are correctly applied
- data is exchanged with the correct company
- integrations operate reliably over time
Authentication Policy Overview
All authentication methods are technically supported in both Staging and Production environments. The primary difference between methods is who may use them and under what conditions.

| If your integration… | Use |
|---|---|
| Connects multiple customers and supports user consent flows | OAuth 2.0 (Required for Partners) |
| Is an approved accounting or ERP integration that cannot support OAuth 2.0 redirects | Integrated API Keys (Approved Exception) |
| Requires controlled API access for testing or internal tooling | Standalone API Keys (Limited Availability) |
High-level Comparison
Below is a high-level overview of the characteristics of each authentication method.

| Aspect | OAuth 2.0 | Integrated API Keys | Standalone API Keys |
|---|---|---|---|
| Recommended for production integrations | ✅ Yes | ⚠️ Approved exceptions | ⚠️ Limited |
| Multi-customer integrations | ✅ Yes | ✅ Yes (one key per installation) | ⚠️ Limited |
| How access is granted | Redirect and user consent | Installation approval in Pleo | Manual key creation |
| Credential type | Access token + refresh token | Installation-scoped API key | Manually created API key |
| Credential lifecycle | Automatic token refresh | Manual rotation if replaced | Manual rotation |
| Typical usage | Most marketplace integrations | Accounting/ERP systems without OAuth 2.0 support | Internal tooling and API testing |
Credential Handling Principles
While implementation details vary by authentication method, the following principles apply to all integrations:

- Credentials, including access tokens, refresh tokens, and API keys, must be treated as sensitive secrets.
- Integrations must implement responsible credential management.
- Integrations should maintain long-lived operation without repeated manual intervention.
- Authentication failures must be detected and handled gracefully.
- a Pleo company, and
- a corresponding company or tenant in the external system.
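The credential handling principles above (secrets kept out of logs, automatic token refresh so the integration keeps running without manual intervention, and authentication failures detected and handled rather than retried blindly) are shown below in a small OAuth 2.0 client. This is an added example, not Pleo's code or SDK: the endpoint URLs, the `FakeAuthServer` that stands in for the API and token endpoint, and the refresh-token rotation it performs are all constructed for the example.

```python
import logging
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed placeholder endpoints (assumption): the real Pleo URLs are not used here.
API_BASE = "https://api.example.invalid"
TOKEN_URL = "https://auth.example.invalid/oauth/token"

log = logging.getLogger("oauth_client_example")

# transport(method, url, headers, json_body) -> (status_code, json_response)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # unix time at which the access token stops working


class AuthError(Exception):
    """Authentication could not be recovered by refreshing; the customer must reconnect."""


def redact(secret: str) -> str:
    """Log only a short prefix and the length, never the credential itself."""
    return f"{secret[:4]}...({len(secret)} chars)" if len(secret) > 4 else "****"


class OAuthClient:
    def __init__(self, tokens: TokenSet, transport: Transport,
                 now: Callable[[], float] = time.time, skew: float = 60.0) -> None:
        self.tokens = tokens
        self.transport = transport
        self.now = now          # injectable clock so expiry can be tested offline
        self.skew = skew        # refresh this many seconds before expiry, not after

    def _refresh(self) -> None:
        """Exchange the refresh token; a rejected refresh is a hard failure, not a retry loop."""
        status, body = self.transport("POST", TOKEN_URL, {}, {
            "grant_type": "refresh_token", "refresh_token": self.tokens.refresh_token})
        if status != 200:
            raise AuthError(f"token refresh rejected ({status}); reconnect required")
        self.tokens = TokenSet(
            access_token=body["access_token"],
            # Servers may or may not rotate the refresh token; keep the old one if none is returned.
            refresh_token=body.get("refresh_token", self.tokens.refresh_token),
            expires_at=self.now() + float(body["expires_in"]))
        log.info("tokens refreshed, access=%s", redact(self.tokens.access_token))
        # A real integration persists self.tokens here so a restart does not lose the grant.

    def request(self, method: str, path: str) -> Tuple[int, dict]:
        if self.tokens.expires_at - self.skew <= self.now():
            self._refresh()  # proactive refresh: avoid sending a token known to be stale
        status, body = self._send(method, path)
        if status == 401:
            # Token revoked or expired early: refresh once and retry once. A second 401
            # means the grant itself is gone, which no amount of retrying will fix.
            self._refresh()
            status, body = self._send(method, path)
            if status == 401:
                raise AuthError("request still unauthorized after refresh; reconnect required")
        return status, body

    def _send(self, method: str, path: str) -> Tuple[int, dict]:
        headers = {"Authorization": f"Bearer {self.tokens.access_token}"}
        return self.transport(method, API_BASE + path, headers, None)


class FakeAuthServer:
    """Constructed stand-in for the API and token endpoint, so the example runs offline."""

    def __init__(self) -> None:
        self.valid_access = {"at-1"}
        self.valid_refresh = {"rt-1"}
        self.counter = 1
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url == TOKEN_URL:
            rt = (body or {}).get("refresh_token")
            if rt not in self.valid_refresh:
                return 400, {"error": "invalid_grant"}
            self.counter += 1
            self.valid_refresh.discard(rt)  # constructed rotation: refresh tokens are single-use
            self.valid_access = {f"at-{self.counter}"}
            self.valid_refresh.add(f"rt-{self.counter}")
            return 200, {"access_token": f"at-{self.counter}",
                         "refresh_token": f"rt-{self.counter}", "expires_in": 3600}
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token in self.valid_access:
            return 200, {"ok": True, "path": url[len(API_BASE):]}
        return 401, {"error": "invalid_token"}


def demo_expired_token_is_refreshed():
    """Token about to expire: refreshed before the request, so the call succeeds first time."""
    server, clock = FakeAuthServer(), [1000.0]
    client = OAuthClient(TokenSet("at-1", "rt-1", expires_at=1030.0), server, now=lambda: clock[0])
    status, _ = client.request("GET", "/example/resource")
    token_calls = sum(1 for _, url in server.calls if url == TOKEN_URL)
    return status, client.tokens.access_token, token_calls


def demo_revoked_token_recovers_once():
    """Token looks fresh locally but was revoked server-side: one refresh, one retry."""
    server = FakeAuthServer()
    client = OAuthClient(TokenSet("at-1", "rt-1", expires_at=9e9), server)
    server.valid_access.clear()
    status, _ = client.request("GET", "/example/resource")
    return status, client.tokens.access_token


def demo_lost_grant_raises():
    """Refresh token is no longer valid: surface AuthError instead of retrying forever."""
    server = FakeAuthServer()
    client = OAuthClient(TokenSet("at-1", "rt-bogus", expires_at=9e9), server)
    server.valid_access.clear()
    try:
        client.request("GET", "/example/resource")
    except AuthError:
        return "reconnect_required"
    return "unexpected"
```

The three `demo_` functions cover the cases an integration meets over its lifetime: a token that is about to expire (refreshed proactively, using a skew so the request is never sent with a stale token), a token revoked server-side (one refresh, one retry), and a refresh token that no longer works (an `AuthError` the integration should surface to its own operators or the customer as a reconnect prompt, rather than hammering the token endpoint). Only a redacted prefix of any token ever reaches the log.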
Related Reading
OAuth 2.0

- OAuth 2.0 Overview – recommended authentication model
- OAuth 2.0 Token Lifecycle – managing OAuth tokens securely
- OAuth 2.0 Setup Workflow Guide – step-by-step OAuth implementation guide
- Integrated API Keys Overview – authentication for approved integrations
- Standalone API Keys Overview – API keys for staging exploration