Integrations using OAuth 2.0 must register a client with Pleo. Client registration establishes your application’s identity and provides the credentials required to securely authenticate users and request access tokens. Once registered, your application can redirect users to Pleo to grant consent and obtain tokens for accessing Pleo APIs.

Why client registration is required

Client registration enables Pleo to:
  • Identify your application during authorisation flows
  • Display your application’s name and branding to users
  • Enforce security controls such as redirect URI validation
  • Restrict access using requested API scopes
  • Issue tokens securely to authorised applications
Without client registration, your application cannot participate in the OAuth 2.0 authorisation flow.

Information required during registration

Pleo requires three categories of information.

1. Human-readable information

This information is displayed to users when they authorise your application.
Do not use Pleo branding in your client information.
  • Client Name
    Your application’s name as shown to users.
  • Client URI
    Homepage or landing page of your application.
  • Logo
    Square, high-resolution logo representing your application.
  • Terms of Service URI
    Legal agreement governing use of your application.
  • Privacy Policy URI
    Explains how user data is handled.
  • Contact Email(s)
    Contact details for responsible developers or support.

2. Pleo-specific integration information

These URIs allow Pleo and users to interact with your integration.
  • Initiation URI
    Page where users begin connecting your application with Pleo.
  • Settings URI
    Page where users can manage or update their integration settings.

3. Technical information

This information is required for the OAuth 2.0 protocol.
  • Redirect URI(s)
    OAuth 2.0 callback endpoints where Pleo redirects users after authorisation.
    Requirements:
    • Must use HTTPS in production
    • HTTP allowed only for localhost during development
    • Must match exactly (aliases or wildcards are not supported)
  • Requested scopes
    Permissions your application requests to access Pleo APIs. See API Scopes.
  • PKCE support
    Required for public clients (SPAs, mobile apps).
    Requirements:
    • Must use S256
    • plain is not supported
  • Subject type preference (optional)
    Defines the default resource context used by your integration.

Credentials issued after registration

After successful registration, Pleo provides:

Client ID

Public identifier of your application. Used to:
  • Identify your application during authorisation
  • Associate tokens with your client
This value is safe to expose in client-side applications.

Client Secret

Confidential credential used to authenticate your application when requesting tokens. Security requirements:
  • Must be stored securely on a server
  • Must never be exposed in browser or mobile code
  • Must never be committed to source control
Public clients using PKCE may not require a client secret.

Redirect URI security requirements

Redirect URIs are strictly validated to prevent token interception. Requirements:
  • Must be registered exactly
  • Must be publicly accessible (except localhost for development)
  • Must use the state parameter to prevent CSRF attacks
  • Must not use wildcards
Example:
https://example.com/oauth/callback
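The PKCE and redirect URI rules above, as an added example that is not part of Pleo's documentation or SDK: a Python helper for the client side that derives an S256 code challenge, refuses a redirect URI that is not an exact registered match or breaks the HTTPS/localhost rule before building the authorisation request, and checks the echoed state on the callback. The authorisation endpoint URL is a placeholder and the registered redirect URI set is constructed for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Placeholder: the page does not give Pleo's authorisation endpoint, so this URL is invented.
AUTHORIZE_ENDPOINT = "https://AUTHORIZATION-SERVER-PLACEHOLDER/oauth/authorize"
# Constructed sample: the redirect URIs this client registered with Pleo, as exact strings.
REGISTERED_REDIRECT_URIS = {
    "https://example.com/oauth/callback",
    "http://localhost:8080/oauth/callback",
}

def is_acceptable_redirect_uri(uri):
    """HTTPS is required; plain HTTP is tolerated only for localhost during development."""
    parsed = urlparse(uri)
    if parsed.scheme == "https":
        return True
    return parsed.scheme == "http" and parsed.hostname in ("localhost", "127.0.0.1")

def is_registered_redirect_uri(uri):
    """Exact match against the registered set: no wildcards, prefixes or aliases."""
    return uri in REGISTERED_REDIRECT_URIS

def make_pkce_pair():
    """Return (code_verifier, code_challenge) using S256; 'plain' is never offered."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def build_authorization_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Build the authorisation request, refusing a redirect URI that fails either check."""
    if not (is_acceptable_redirect_uri(redirect_uri) and is_registered_redirect_uri(redirect_uri)):
        raise ValueError("redirect_uri is not registered or does not meet the HTTPS rule")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # unguessable, tied to the user's session, checked on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def callback_state_is_valid(expected_state, returned_state):
    """Constant-time check that the state echoed back matches the one we sent (CSRF defence)."""
    return secrets.compare_digest(expected_state, returned_state)
```

Generate `state` with `secrets.token_urlsafe(32)` per authorisation attempt and store it with the code verifier in the user's session so both can be checked when the callback arrives.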

Testing your OAuth 2.0 client

Before production use:
  • Verify redirect URIs are registered correctly
  • Complete the full authorisation flow
  • Confirm access tokens can be retrieved successfully
  • Test token refresh behaviour
Tools such as Postman can be used for testing.

Outcome

After registration:
  • Your application is recognised by Pleo
  • Your application can request user authorisation
  • Your application can obtain access tokens securely
  • Your integration is ready for OAuth 2.0 implementation