# OAuth 2.0 Client Configuration

Once your OAuth 2.0 client is registered with Pleo and you have received your **Client ID** and **Client Secret**, you must configure your **OAuth 2.0 client** to communicate with Pleo’s Authorisation Server.

OAuth 2.0 client [registration establishes](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-registration) your **OAuth 2.0 client’s identity** with Pleo.

OAuth 2.0 client configuration enables your integration to perform the OAuth 2.0 protocol, including:

* Redirecting users to Pleo for authorisation
* Receiving authorisation codes
* Exchanging codes for access and refresh tokens
* Refreshing tokens securely
* Calling Pleo APIs on behalf of authorised users

This configuration is completed within your **OAuth 2.0 client** using your chosen OAuth 2.0 library or framework.

## When You Need This

You should complete OAuth 2.0 client configuration after:

* Registering your OAuth 2.0 client with Pleo
* Receiving your **Client ID** and **Client Secret**
* Selecting an OAuth 2.0 client library or framework

This page describes **what must be configured**, not how to implement it in a specific programming language.

## Configuration Checklist

Ensure your **OAuth 2.0 client** is configured with:

* Client ID
* Authorisation endpoint
* Token endpoint
* Redirect URI (must match registered values exactly)
* Requested scopes
* PKCE enabled (S256)

## Required OAuth 2.0 Configuration Parameters

Configure your OAuth 2.0 client using the following values:

| Parameter              | Value                                        |
| ---------------------- | -------------------------------------------- |
| Authorisation Endpoint | `{AUTHORIZATION_SERVER_URL}/oauth/authorize` |
| Token Endpoint         | `{AUTHORIZATION_SERVER_URL}/oauth/token`     |
| Grant Type             | Authorisation Code (with PKCE)               |
| PKCE                   | Required (S256 only)                         |
| Redirect URI           | One of the registered redirect URIs          |
| Scopes                 | Approved scopes from client registration     |

<Note>
  Exact configuration keys depend on the OAuth 2.0 library you use. Refer to your library’s documentation for precise mappings.
</Note>

## PKCE Requirements

Pleo requires [**Proof Key for Code Exchange (PKCE)**](/docs/current/integration-design/auth/oauth/implementing-oauth/integration-design-auth-oauth-pkce-and-secured-patterns) where supported by the client.

* Only the **S256** code challenge method is supported
* Plain (`plain`) PKCE is not allowed
* PKCE is **mandatory for public clients** (SPAs, mobile apps)
* PKCE is **strongly recommended for confidential clients**

Ensure your OAuth 2.0 library is configured to:

* Generate a `code_verifier`
* Send the corresponding `code_challenge` during authorisation
* Provide the `code_verifier` during token exchange

## Authorisation Server URLs

Replace `{AUTHORIZATION_SERVER_URL}` with the base URL of the environment you are targeting:

| Environment | Authorisation Server URL       |
| ----------- | ------------------------------ |
| Staging     | `https://auth.staging.pleo.io` |
| Production  | `https://auth.pleo.io`         |

Always test your integration fully in **staging** before switching to production.

## Redirect URI Configuration

Your OAuth 2.0 client must use redirect URIs that:

* Exactly match the URIs registered with Pleo
* Are publicly accessible (except `localhost` for development)
* Use HTTPS in production environments
* Do not contain wildcards

If your integration supports multiple post-login destinations, use the OAuth 2.0 `state` parameter to route users internally **after** authorisation.

## Client Authentication Method

Pleo supports **client authentication at the token endpoint only for confidential clients**.

* Supported method: `client_secret_basic`

Confidential clients must:

* Send the Client ID and Client Secret via HTTP Basic Authentication
* Store the Client Secret securely on the server
* Never expose the Client Secret in frontend or public code

Public clients (SPAs, mobile apps):

* **Must not use a client secret**
* Must rely on PKCE for security
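The PKCE requirements and the client authentication rules above, pulled together as an added example (not Pleo's own code or SDK): it derives an S256 `code_challenge`, builds the authorisation request against `{AUTHORIZATION_SERVER_URL}/oauth/authorize`, and prepares the token request for `/oauth/token` either with `client_secret_basic` (confidential client) or with no secret at all (public client). The client ID, secret and redirect URI are constructed placeholders; the staging base URL is the one from the table above.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed placeholder values; real ones come from your Pleo client registration.
AUTHORIZATION_SERVER_URL = "https://auth.staging.pleo.io"   # staging base URL from the table above
CLIENT_ID = "example-client-id"                              # placeholder, not a real Client ID
REDIRECT_URI = "https://example.com/oauth/callback"          # must equal a registered URI exactly


def make_pkce_pair(verifier: Optional[str] = None):
    """Return (code_verifier, code_challenge); S256 = BASE64URL-nopad(SHA256(ASCII(verifier)))."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # ~86 unreserved chars, inside the RFC 7636 43..128 range
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(scopes, code_challenge: str, state: str) -> str:
    """Authorisation request against {AUTHORIZATION_SERVER_URL}/oauth/authorize."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # keep this unguessable and bound to the session even when it also carries routing info
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # `plain` is not accepted by Pleo
    }
    return f"{AUTHORIZATION_SERVER_URL}/oauth/authorize?{urlencode(params)}"


def build_token_request(code: str, code_verifier: str, client_secret: Optional[str]):
    """Body and headers for POST {AUTHORIZATION_SERVER_URL}/oauth/token."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,      # same value as in the authorisation request
        "code_verifier": code_verifier,    # proves possession of the verifier behind the challenge
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        # Confidential client: client_secret_basic, credentials form-encoded then Base64 (RFC 6749 2.3.1)
        creds = f"{quote(CLIENT_ID, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    else:
        body["client_id"] = CLIENT_ID      # public client: no secret is sent, PKCE is the only proof
    return body, headers
```

The `make_pkce_pair` result for the RFC 7636 Appendix B verifier reproduces the published challenge, which is a quick way to confirm your own library's S256 implementation before pointing it at staging.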

## What This Configuration Enables

Once configured correctly, your OAuth 2.0 client can:

* Redirect users to Pleo for authorisation
* Receive authorisation codes securely
* Exchange codes for access and refresh tokens
* Refresh access tokens without re-prompting users
* Access Pleo APIs on behalf of authorised users

## FAQs

<Accordion title="What is the difference between an integration, application, and OAuth 2.0 client?">
  These terms describe different parts of how OAuth 2.0 works in the Pleo platform.

  The difference between an **integration**, **application**, and **OAuth 2.0 client** is explained in the [OAuth 2.0 Concepts and Terminology](/docs/current/authentication/oauth/oauth-overview#concepts-and-terminology) section.
</Accordion>

## Related Reading

* [OAuth 2.0 Libraries and Standards](/docs/current/integration-design/auth/oauth/implementing-oauth/integration-design-auth-oauth-libraries-and-standards)
* [Token Lifecycle](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-token-overview)
* [OAuth 2.0 Setup Workflow Guide](/docs/current/guides/oauth-workflow-guide)
