> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pleo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Connection and Authorisation Overview

This section explains how integrations establish and maintain a **secure connection** between Pleo and an external system.

Connection and authorisation ensure that:

* requests are authenticated securely
* permissions are correctly applied
* data is exchanged with the correct company
* integrations operate reliably over time

Pleo supports multiple authentication models designed for different integration scenarios.

## Authentication Policy Overview

All authentication methods are technically supported in both **Staging** and **Production** environments. The primary difference between methods is **who may use them and under what conditions**.

| If your integration…                                                                 | Use                                                                                                                                                  |
| ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| Connects multiple customers and supports user consent flows                          | [**OAuth 2.0 (Required for Partners)**](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview)                          |
| Is an approved accounting or ERP integration that cannot support OAuth 2.0 redirects | [**Integrated API Keys (Approved Exception)**](/docs/current/integration-design/auth/integrated-api-keys/integration-design-for-integrated-api-keys) |
| Requires controlled API access for testing or internal tooling                       | [**Standalone API Keys (Limited Availability)**](/docs/current/integration-design/auth/api-keys/integration-design-for-standalone-api-keys)          |

## High-level Comparison

Below is a high-level overview of the characteristics of each authentication method.

| Aspect                                  | OAuth 2.0                     | Integrated API Keys                              | Standalone API Keys              |
| --------------------------------------- | ----------------------------- | ------------------------------------------------ | -------------------------------- |
| Recommended for production integrations | ✅ Yes                         | ⚠️ Approved exceptions                           | ⚠️ Limited                       |
| Multi-customer integrations             | ✅ Yes                         | ✅ Yes (one key per installation)                 | ⚠️ Limited                       |
| How access is granted                   | Redirect and user consent     | Installation approval in Pleo                    | Manual key creation              |
| Credential type                         | Access token + refresh token  | Installation-scoped API key                      | Manually created API key         |
| Credential lifecycle                    | Automatic token refresh       | Manual rotation if replaced                      | Manual rotation                  |
| Typical usage                           | Most marketplace integrations | Accounting/ERP systems without OAuth 2.0 support | Internal tooling and API testing |

## Credential Handling Principles

While implementation details vary by authentication method, the following principles apply to all integrations:

* Credentials, including **access tokens, refresh tokens, and API keys**, must be treated as sensitive secrets: store them encrypted or in a secrets manager, restrict who and what can read them, and never write them to logs, error messages, or URLs.
* Integrations must implement responsible credential management: keep one credential set per connected company, rotate a key when it is replaced, and discard credentials when a connection is removed.
* Integrations should maintain long-lived operation without repeated manual intervention, for example by refreshing OAuth 2.0 access tokens automatically instead of asking users to re-authorise.
* Authentication failures (such as an HTTP `401 Unauthorized` response) must be detected and handled gracefully: refresh or re-authorise where the authentication method allows it, surface a clear error to an operator where it does not, and never retry a rejected credential in a tight loop.

Each integration represents a **one-to-one connection** between:

* a Pleo company, and
* a corresponding company or tenant in the external system.

Correct entity association ensures data is synchronised with the appropriate accounts, as defined by the **[Multi-Entity model](/docs/current/platform/multi-entity/multi-entity-and-api-scope)**.
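As an added example, not code from Pleo's documentation or SDK: a minimal client wrapper that applies the credential-handling principles above for both the OAuth 2.0 case (a refresh token is available, so a `401` triggers one refresh and one retry) and the API-key case (no automatic refresh, so the failure is surfaced to an operator). One client instance holds the credentials of one connected Pleo company, matching the one-to-one connection described above. The transport, the path `/v1/expenses`, the token formats and the `FakeServer` are constructed stand-ins so the block runs offline; they are not Pleo's API.

```python
import logging
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumptions: paths, token formats and the transport are hypothetical stand-ins, not Pleo's API.
log = logging.getLogger("integration")

# Redact bearer tokens and api_key parameters before anything reaches a log sink.
SECRET_RE = re.compile(r"(?i)(bearer\s+|api[_-]?key=)[\w.\-]+")


def redact(text: str) -> str:
    """Replace the secret part of a token or key with *** so log lines can be shared safely."""
    return SECRET_RE.sub(lambda m: m.group(1) + "***", text)


class AuthError(Exception):
    """The request could not be authenticated and automatic recovery is not possible."""


@dataclass
class Credentials:
    access_token: str
    refresh_token: Optional[str] = None  # None for API keys: there is nothing to refresh with

    def __repr__(self) -> str:  # never leak secrets through repr/str in tracebacks or logs
        return "Credentials(<redacted>)"


@dataclass
class IntegrationClient:
    """One instance per connected Pleo company, holding only that company's credentials."""
    creds: Credentials
    transport: Callable[[str, Dict[str, str]], Tuple[int, dict]]  # (path, headers) -> (status, body)
    refresher: Optional[Callable[[str], Credentials]] = None     # refresh_token -> new Credentials
    refresh_count: int = 0

    def _call(self, path: str) -> Tuple[int, dict]:
        headers = {"Authorization": f"Bearer {self.creds.access_token}"}
        log.debug("request %s headers=%s", path, redact(str(headers)))  # redacted before logging
        return self.transport(path, headers)

    def get(self, path: str) -> dict:
        status, body = self._call(path)
        if status != 401:
            return body
        # Authentication failure: refresh at most once, retry once, never loop on a rejected credential.
        if self.refresher is None or self.creds.refresh_token is None:
            raise AuthError(f"401 on {path}; no refresh available, operator must replace the credential")
        log.warning("401 on %s, refreshing credentials", path)
        self.creds = self.refresher(self.creds.refresh_token)
        self.refresh_count += 1
        status, body = self._call(path)
        if status == 401:
            raise AuthError(f"401 on {path} after refresh; connection likely revoked, re-authorisation needed")
        return body


class FakeServer:
    """Constructed stand-in for the API: accepts exactly one live access token at a time."""

    def __init__(self, live_token: str, revoked: bool = False):
        self.live_token = live_token
        self.revoked = revoked  # a revoked connection rejects every token, even freshly issued ones
        self.issued = 0

    def handle(self, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        if not self.revoked and headers.get("Authorization") == f"Bearer {self.live_token}":
            return 200, {"path": path, "ok": True}
        return 401, {"error": "invalid_token"}

    def refresh(self, refresh_token: str) -> Credentials:
        self.issued += 1  # rotate both tokens, as a refresh grant typically does
        self.live_token = f"at-{self.issued}"
        return Credentials(self.live_token, f"rt-{self.issued}")


def demo_expired_then_refreshed() -> Tuple[bool, bool, int]:
    """OAuth 2.0 path: first call succeeds, token expires, second call refreshes once and succeeds."""
    server = FakeServer(live_token="at-0")
    client = IntegrationClient(Credentials("at-0", "rt-0"), server.handle, server.refresh)
    first = client.get("/v1/expenses")
    server.live_token = "expired-elsewhere"  # simulate expiry: the old access token is no longer accepted
    second = client.get("/v1/expenses")
    return first["ok"], second["ok"], client.refresh_count


def demo_api_key_without_refresh() -> str:
    """API-key path: no refresh token, so a 401 is reported to an operator instead of being retried."""
    server = FakeServer(live_token="key-live")
    client = IntegrationClient(Credentials("key-rotated-away"), server.handle)
    try:
        client.get("/v1/expenses")
    except AuthError as exc:
        return str(exc)
    return "unexpected success"


def demo_revoked_connection() -> str:
    """Refresh succeeds but the server still rejects the new token: report it rather than loop."""
    server = FakeServer(live_token="at-0", revoked=True)
    client = IntegrationClient(Credentials("at-0", "rt-0"), server.handle, server.refresh)
    try:
        client.get("/v1/expenses")
    except AuthError as exc:
        return str(exc)
    return "unexpected success"
```

The single refresh-then-retry is deliberate: a credential that is still rejected after one refresh is almost certainly revoked or replaced, and retrying it again only generates noise and risks lock-outs. The `AuthError` message is what an integration should surface to its operator, without the credential value itself.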

***

## Related Reading

**OAuth 2.0**

* **[OAuth 2.0 Overview](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview)** – recommended authentication model
* **[OAuth 2.0 Token Lifecycle](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-token-overview)** – managing OAuth tokens securely
* **[OAuth 2.0 Setup Workflow Guide](/docs/current/guides/oauth-workflow-guide)** – step-by-step OAuth implementation guide

**API Keys**

* **[Integrated API Keys Overview](/docs/current/authentication/integrated-api-keys-overview)** – authentication for approved integrations
* **[Standalone API Keys Overview](/docs/current/authentication/standalone-api-keys-overview)** – API keys for staging exploration

***
