Once your OAuth 2.0 client is registered with Pleo and you have received your Client ID and Client Secret, you must configure your application to communicate with Pleo’s Authorisation Server.
Client registration establishes your application’s identity with Pleo.
Client configuration enables your application to actually perform the OAuth 2.0 protocol, including:
- Redirecting users to Pleo for authorisation
- Receiving authorisation codes
- Exchanging codes for access and refresh tokens
- Refreshing tokens securely
- Calling Pleo APIs on behalf of authorised users
This configuration is completed within your application using your chosen OAuth 2.0 library or framework.
When You Need This
You should complete OAuth 2.0 client configuration after:
- Registering your OAuth 2.0 client with Pleo
- Receiving your Client ID and Client Secret
- Selecting an OAuth 2.0 client library or framework
This page describes what must be configured, not how to implement it in a specific programming language.
Configuration Checklist
Ensure your application is configured with:
- Client ID
- Authorisation endpoint
- Token endpoint
- Redirect URI (must match registered values exactly)
- Requested scopes
- PKCE enabled (S256)
Required OAuth 2.0 Configuration Parameters
Configure your OAuth 2.0 client using the following values:
| Parameter | Value |
|---|
| Authorisation Endpoint | {AUTHORIZATION_SERVER_URL}/oauth/authorize |
| Token Endpoint | {AUTHORIZATION_SERVER_URL}/oauth/token |
| Grant Type | Authorisation Code (with PKCE) |
| PKCE | Required (S256 only) |
| Redirect URI | One of the registered redirect URIs |
| Scopes | Approved scopes from client registration |
Exact configuration keys depend on the OAuth 2.0 library you use. Refer to your library’s documentation for precise mappings.
PKCE Requirements
Pleo requires Proof Key for Code Exchange (PKCE) where supported by the client.
- Only the S256 code challenge method is supported
- Plain (
plain) PKCE is not allowed
- PKCE is mandatory for public clients (SPAs, mobile apps)
- PKCE is strongly recommended for confidential clients
Ensure your OAuth 2.0 library is configured to:
- Generate a
code_verifier
- Send the corresponding
code_challenge during authorisation
- Provide the
code_verifier during token exchange
Authorisation Server URLs
Replace {AUTHORIZATION_SERVER_URL} with the base URL of the environment you are targeting:
| Environment | Authorisation Server URL |
|---|
| Staging | https://auth.staging.pleo.io |
| Production | https://auth.pleo.io |
Redirect URI Configuration
Your OAuth 2.0 client must use redirect URIs that:
- Exactly match the URIs registered with Pleo
- Are publicly accessible (except
localhost for development)
- Use HTTPS in production environments
- Do not contain wildcards
If your application supports multiple post-login destinations, use the OAuth 2.0 state parameter to route users internally after authorisation.
Client Authentication Method
Pleo supports client authentication at the token endpoint only for confidential clients.
- Supported method:
client_secret_basic
Confidential clients must:
- Send the Client ID and Client Secret via HTTP Basic Authentication
- Store the Client Secret securely on the server
- Never expose the Client Secret in frontend or public code
Public clients (SPAs, mobile apps):
- Must not use a client secret
- Must rely on PKCE for security
What This Configuration Enables
Once configured correctly, your OAuth 2.0 client can:
- Redirect users to Pleo for authorisation
- Receive authorisation codes securely
- Exchange codes for access and refresh tokens
- Refresh access tokens without re-prompting users
- Access Pleo APIs on behalf of authorised users
