Skip to main content
Once your OAuth 2.0 client is registered with Pleo and you have received your Client ID and Client Secret, you must configure your OAuth 2.0 client to communicate with Pleo’s Authorisation Server. OAuth 2.0 client registration establishes your OAuth 2.0 client’s identity with Pleo. OAuth 2.0 client configuration enables your integration to perform the OAuth 2.0 protocol, including:
  • Redirecting users to Pleo for authorisation
  • Receiving authorisation codes
  • Exchanging codes for access and refresh tokens
  • Refreshing tokens securely
  • Calling Pleo APIs on behalf of authorised users
This configuration is completed within your OAuth 2.0 client using your chosen OAuth 2.0 library or framework.

When You Need This

You should complete OAuth 2.0 client configuration after:
  • Registering your OAuth 2.0 client with Pleo
  • Receiving your Client ID and Client Secret
  • Selecting an OAuth 2.0 client library or framework
This page describes what must be configured, not how to implement it in a specific programming language.

Configuration Checklist

Ensure your OAuth 2.0 client is configured with:
  • Client ID
  • Authorisation endpoint
  • Token endpoint
  • Redirect URI (must match registered values exactly)
  • Requested scopes
  • PKCE enabled (S256)

Required OAuth 2.0 Configuration Parameters

Configure your OAuth 2.0 client using the following values:
ParameterValue
Authorisation Endpoint{AUTHORIZATION_SERVER_URL}/oauth/authorize
Token Endpoint{AUTHORIZATION_SERVER_URL}/oauth/token
Grant TypeAuthorisation Code (with PKCE)
PKCERequired (S256 only)
Redirect URIOne of the registered redirect URIs
ScopesApproved scopes from client registration
Exact configuration keys depend on the OAuth 2.0 library you use. Refer to your library’s documentation for precise mappings.

PKCE Requirements

Pleo requires Proof Key for Code Exchange (PKCE) where supported by the client.
  • Only the S256 code challenge method is supported
  • Plain (plain) PKCE is not allowed
  • PKCE is mandatory for public clients (SPAs, mobile apps)
  • PKCE is strongly recommended for confidential clients
Ensure your OAuth 2.0 library is configured to:
  • Generate a code_verifier
  • Send the corresponding code_challenge during authorisation
  • Provide the code_verifier during token exchange

Authorisation Server URLs

Replace {AUTHORIZATION_SERVER_URL} with the base URL of the environment you are targeting:
EnvironmentAuthorisation Server URL
Staginghttps://auth.staging.pleo.io
Productionhttps://auth.pleo.io
Always test your integration fully in staging before switching to production.

Redirect URI Configuration

Your OAuth 2.0 client must use redirect URIs that:
  • Exactly match the URIs registered with Pleo
  • Are publicly accessible (except localhost for development)
  • Use HTTPS in production environments
  • Do not contain wildcards
If your integration supports multiple post-login destinations, use the OAuth 2.0 state parameter to route users internally after authorisation.

Client Authentication Method

Pleo supports client authentication at the token endpoint only for confidential clients.
  • Supported method: client_secret_basic
Confidential clients must:
  • Send the Client ID and Client Secret via HTTP Basic Authentication
  • Store the Client Secret securely on the server
  • Never expose the Client Secret in frontend or public code
Public clients (SPAs, mobile apps):
  • Must not use a client secret
  • Must rely on PKCE for security

What This Configuration Enables

Once configured correctly, your OAuth 2.0 client can:
  • Redirect users to Pleo for authorisation
  • Receive authorisation codes securely
  • Exchange codes for access and refresh tokens
  • Refresh access tokens without re-prompting users
  • Access Pleo APIs on behalf of authorised users

FAQs

These terms describe different parts of how OAuth 2.0 works in the Pleo platform.The difference between an integration, application, and OAuth 2.0 client is explained in the OAuth 2.0 Concepts and Terminology section.