Pleo integrations are strongly encouraged to use industry-standard OAuth 2.0 client libraries rather than implementing OAuth 2.0 flows from scratch. OAuth 2.0 is a security-critical protocol. Using a mature, well-maintained library significantly reduces the risk of implementation errors, security vulnerabilities, and non-standard behaviour.

Why Use an OAuth 2.0 Library

Implementing OAuth 2.0 manually is complex and error-prone. Established libraries help ensure that your integration:
  • Adheres to OAuth 2.0 standards
  • Correctly handles redirects, tokens, and error conditions
  • Applies security best practices by default (for example, PKCE and CSRF protection)
  • Remains maintainable as standards evolve
Using a library allows you to focus on your product logic rather than protocol details.

What OAuth 2.0 Libraries Typically Handle

Most OAuth 2.0 client libraries provide built-in support for:
  • Generating authorisation requests (including state and PKCE parameters)
  • Redirecting users to the authorisation server
  • Handling authorisation responses and errors
  • Exchanging authorisation codes for access and refresh tokens
  • Refreshing access tokens
  • Tracking token expiry
  • Protecting against CSRF and replay attacks
Many libraries also allow customisation, such as:
  • Integrating with your web framework’s routing and redirect mechanisms
  • Plugging in your own persistence layer for tokens and transient values (for example state and code_verifier)
  • Customising success and error handling
  • Hooking into lifecycle events during the OAuth 2.0 flow
Exact features and extension points depend on the library you choose. Always consult the documentation of your selected library.
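To make the state and code_verifier handling above concrete, the following added example (not Pleo's code, and not a substitute for a library) reproduces with only the Python standard library what a client library does when it builds the authorisation request and validates the callback, with the integration's persistence layer for transient values represented by a plain dict so the single-use semantics of state is visible. The authorisation endpoint, client id, scope and redirect URI are placeholders, not Pleo's real values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"  # placeholder, not Pleo's real endpoint


def pkce_challenge(code_verifier):
    # S256 method from RFC 7636: BASE64URL(SHA256(code_verifier)) with the '=' padding removed
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, scope, store):
    """Build the redirect to the authorisation server and return (url, state).

    `store` is the integration's persistence layer for transient values; a dict
    stands in for the session or database a real integration would use."""
    state = secrets.token_urlsafe(32)          # CSRF binding between this request and its callback
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
    store[state] = code_verifier               # the verifier is needed again at the token exchange
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def handle_callback(callback_url, store):
    """Validate the authorisation response; return (code, code_verifier) for the
    token request, or raise ValueError. The state is consumed on first use."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code_verifier = store.pop(state, None) if state else None
    if code_verifier is None:
        raise ValueError("unknown or already used state")  # forged or replayed callback
    if "error" in query:
        raise ValueError("authorisation failed: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorisation response carries no code")
    return code, code_verifier
```

The (code, code_verifier) pair returned by handle_callback is exactly what the token request needs; a library performs that exchange and the refresh handling for you, and this is where the flow should hand over to it.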
The following libraries are commonly used, well-supported, and suitable for production OAuth 2.0 integrations:

Java

  • spring-security-oauth2-client

Python

  • Authlib
  • Requests-OAuthlib

JavaScript

  • OAuth 2.0 strategies for passport.js
  • Standards-compliant OAuth 2.0 / OIDC client libraries appropriate to your framework

.NET

  • Microsoft.Identity.Web
These libraries are widely adopted and actively maintained. Equivalent standards-compliant libraries may be used in other ecosystems.

OAuth 2.0 Standards and Compliance

Pleo’s OAuth 2.0 implementation follows standard OAuth 2.0 specifications and best practices, including:
  • RFC 6749 – OAuth 2.0 Authorisation Framework
  • Proof Key for Code Exchange (PKCE)
  • Standard token and refresh flows
No proprietary extensions or custom protocol behaviour are required to integrate with Pleo. Integrations should avoid custom or non-standard OAuth 2.0 implementations, as these can introduce security risks and compatibility issues.

What You Still Need to Implement

Even when using an OAuth 2.0 library, integrations are responsible for:
  • Providing a user interface to initiate the connection (for example, a “Connect to Pleo” button)
  • Persisting access and refresh tokens securely
  • Handling token lifecycle events (expiry, refresh failures, revocation)
  • Implementing appropriate error handling and user messaging
  • Designing a token refresh strategy that fits your system architecture
These responsibilities are covered in more detail in the authentication workflow and token lifecycle guides.