Why OAuth 2.0 client registration is required
Client registration enables Pleo to:
- Identify your OAuth 2.0 client during authorisation flows
- Display your application’s name and branding to users
- Enforce security controls such as redirect URI validation
- Restrict access using requested API scopes
- Issue tokens securely to authorised OAuth 2.0 clients
Information required during registration
Pleo requires three categories of information.
1. Human-readable information
This information is displayed to users when they authorise your application.
- Client Name: Your application’s name as shown to users.
- Client URI: Homepage or landing page of your application.
- Logo: Square (1:1), high-resolution logo representing your application.
- Terms of Service URI: Legal agreement governing use of your application.
- Privacy Policy URI: Explains how user data is handled.
- Contact Email(s): Contact details for responsible developers or support.
2. Pleo-specific integration information
These URIs allow Pleo and users to interact with your application.
- Initiation URI: Page where users begin connecting your application with Pleo.
- Settings URI: Page in your application where users manage or update configuration settings for the integration (for example, accounting periods, mappings, or synchronisation preferences).
3. Technical information
This information is required for the OAuth 2.0 protocol.
- Redirect URI(s): OAuth 2.0 callback endpoints where Pleo redirects users after authorisation. Requirements:
  - Must use HTTPS in production
  - HTTP allowed only for localhost during development
  - Must match exactly (aliases or wildcards are not supported)
- Requested scopes: Permissions your OAuth 2.0 client requests to access Pleo APIs. See API Scopes.
- PKCE support: Required for public clients (SPAs, mobile apps). Requirements:
  - Must use S256 (plain is not supported)
  - Must use
- Subject type preference (optional): Defines the default resource context used by your OAuth 2.0 client.
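The PKCE requirement above means a public client must derive its code_challenge with the S256 method defined in RFC 7636 (BASE64URL(SHA256(code_verifier)), no padding). The following is an added example, not code from Pleo or from this page, showing how a client generates the verifier and challenge, how the standard OAuth 2.0 authorisation-request parameters are assembled, and how a server-side check of the verifier at the token endpoint rejects the plain method. The parameter names are the standard ones from RFC 6749 and RFC 7636; the client ID, redirect URI and scope values are placeholders.

```python
import base64
import hashlib
import secrets


def base64url_no_pad(raw: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Create a high-entropy code_verifier.

    RFC 7636 allows 43..128 unreserved characters; 32 random bytes encode to
    43 characters (the minimum) and 96 bytes to 128 (the maximum).
    """
    if not 32 <= num_bytes <= 96:
        raise ValueError("use 32..96 random bytes to stay within 43..128 characters")
    return base64url_no_pad(secrets.token_bytes(num_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Derive the S256 code_challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64url_no_pad(digest)


def build_authorization_params(client_id: str, redirect_uri: str, scope: str,
                               state: str, code_verifier: str) -> dict:
    """Query parameters for the authorisation request (authorization code grant
    with PKCE). The challenge, not the verifier, leaves the client."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }


def verify_code_challenge(code_verifier: str, code_challenge: str,
                          method: str = "S256") -> bool:
    """What the authorisation server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time.
    'plain' is refused outright, matching the requirement above."""
    if method != "S256":
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    # Placeholder values; a real client uses the registered client ID and redirect URI.
    params = build_authorization_params("CLIENT_ID_PLACEHOLDER",
                                        "https://app.example.com/oauth/callback",
                                        "openid", secrets.token_urlsafe(32), verifier)
    print(params)
    print("verifier accepted:", verify_code_challenge(verifier, params["code_challenge"]))
```

The client must keep the code_verifier (for example in the user's server-side session) until the token request, because the server recomputes the challenge from it; a verifier that is lost or guessed cannot be recovered from the challenge.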
Credentials issued after registration
After successful registration, Pleo provides:
Client ID
Public identifier of your OAuth 2.0 client. Used to:
- Identify your OAuth 2.0 client during authorisation
- Associate tokens with your client
Client Secret
Confidential credential used to authenticate your OAuth 2.0 client when requesting tokens. Security requirements:
- Must be stored securely on a server
- Must never be exposed in browser or mobile code
- Must never be committed to source control
Redirect URI security requirements
Redirect URIs are strictly validated to prevent token interception. Requirements:
- Must be registered exactly
- Must be publicly accessible (except localhost for development)
- Must use the state parameter to prevent CSRF attacks
- Must not use wildcards
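The rules above (exact registration, HTTPS outside localhost, no wildcards, a state parameter) are what an authorisation server enforces and what a client must be prepared for. The following is an added example, not Pleo's code or code from this page, showing the two halves: the checks a server applies to a redirect URI at registration time and on each authorisation request, and the client-side generation and verification of the state value that ties a callback to the session that started the flow. The example interprets "localhost" narrowly (the literal hostname) and rejects fragments, which RFC 6749 section 3.1.2 forbids in redirect URIs; the URIs are constructed sample values.

```python
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit


def validate_registered_redirect_uri(uri: str) -> Tuple[bool, str]:
    """Registration-time check: is this URI acceptable to register at all?"""
    if "*" in uri:
        return False, "wildcards are not supported"
    parts = urlsplit(uri)
    if not parts.netloc or not parts.hostname:
        return False, "must be an absolute URI with a host"
    if parts.fragment:
        return False, "fragments are not allowed in redirect URIs"
    if parts.scheme == "https":
        return True, "ok"
    # HTTP is tolerated only for the literal hostname "localhost" during development.
    if parts.scheme == "http" and parts.hostname == "localhost":
        return True, "ok (development only)"
    return False, "must use HTTPS (HTTP is allowed only for localhost)"


def redirect_uri_allowed(registered: list, candidate: str) -> bool:
    """Request-time check: the redirect_uri in an authorisation request must
    match a registered value byte for byte. No prefix matching, no case
    folding, no trailing-slash tolerance: each of those has been the root of
    real token-interception bugs."""
    return candidate in registered


def new_state() -> str:
    """Unguessable per-flow state, to be stored in the user's session before
    redirecting to the authorisation endpoint."""
    return secrets.token_urlsafe(32)


def state_matches(stored_state: Optional[str], returned_state: Optional[str]) -> bool:
    """Callback-time check: the state echoed back must equal the one stored in
    the session. A missing value on either side fails closed."""
    if not stored_state or not returned_state:
        return False
    return secrets.compare_digest(stored_state, returned_state)


def callback_is_trusted(session: dict, query: dict) -> bool:
    """Combine the checks a client runs on the callback before exchanging the
    code: the state must match, and the state is consumed so it cannot be
    replayed. Only after this should the code be sent to the token endpoint."""
    stored = session.pop("oauth_state", None)
    return state_matches(stored, query.get("state"))


if __name__ == "__main__":
    for uri in ("https://app.example.com/oauth/callback",
                "http://localhost:3000/callback",
                "http://app.example.com/callback",
                "https://*.example.com/callback"):
        print(uri, "->", validate_registered_redirect_uri(uri))
    session = {"oauth_state": new_state()}
    print("callback trusted:",
          callback_is_trusted(session, {"code": "constructed", "state": session["oauth_state"]}))
```

Popping the state from the session makes each value single-use, so a callback replayed with a previously valid state is rejected; the exact-match rule on the server side is what makes registering the precise production URI (scheme, host, port and path) necessary.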
Testing your OAuth 2.0 client
Before production use:
- Verify redirect URIs are registered correctly
- Complete the full authorisation flow
- Confirm access tokens can be retrieved successfully
- Test token refresh behaviour
Outcome
After registration:
- Your application is recognised by Pleo
- Your application can request user authorisation
- Your OAuth 2.0 client can obtain access tokens securely
- Your integration is ready for OAuth 2.0 implementation
FAQs
What is the difference between an integration, application, and OAuth 2.0 client?
These terms describe different parts of how OAuth 2.0 works in the Pleo platform. The difference between an integration, application, and OAuth 2.0 client is explained in the OAuth 2.0 Concepts and Terminology section.