OAuth 2.0 Workflow
OAuth 2.0 uses a redirect-based authorisation flow that allows users to grant your application access to their Pleo data without sharing their credentials. At a high level, OAuth 2.0 works as follows:
1. Resource Owner + Client: A customer clicks the “Connect with Pleo” button in your application.
2. Authorisation Server: The request is redirected to Pleo’s Authorisation Server, where the user grants permission for your application to access their Pleo data.
3. Client: Once the user authorises, Pleo redirects them back to your application with a code. Your application exchanges this code for an access token.
4. Resource Server + Client: After the exchange, your application can call Pleo APIs by including the access token in API requests. Your application can then display the data to users or process it for downstream workflows, such as exports, synchronisation, or reporting.
What you need at the implementation level
This section outlines the key areas you need to understand to implement OAuth 2.0 securely:
1. Getting Set Up
- Client Registration: Register your client application with Pleo. Provide required details such as redirect URIs and requested API scopes.
- Client Configuration: Ensure your client is configured to communicate correctly with Pleo’s Authorisation Server.
2. Implementing OAuth
- Libraries and Standards: Use a standards-compliant OAuth 2.0 library to avoid common pitfalls.
- PKCE and Secured Patterns: Follow established security patterns, such as PKCE, to protect user credentials and tokens during the authorisation flow.
3. Token Lifecycle
- Understand how access tokens and refresh tokens are issued, stored, refreshed, and revoked securely.
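The four-step workflow above, with the PKCE and state protections this section calls for, as an added example (not Pleo's code or SDK): the authorise URL, client id and redirect URI are placeholders, and the token request is shown as the form body rather than sent over the network.

```python
# Added example (not Pleo's code): auth-code flow with PKCE S256 + state check; URLs/ids are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"  # placeholder
CLIENT_ID = "your-client-id"                                    # placeholder
REDIRECT_URI = "https://yourapp.example.invalid/callback"       # placeholder

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # no padding (RFC 7636)

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe chars of entropy
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(state: str, code_challenge: str, scope: str) -> str:
    """Step 1: the URL the 'Connect with Pleo' button sends the user to."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope,
        "state": state,  # random value bound to the user's session
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: check the redirect back; a state mismatch means the response
    was not started by this session, so the code is rejected, not exchanged."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorisation failed: {qs['error'][0]}")
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: discarding authorisation code")
    return qs["code"][0]

def token_request(code: str, code_verifier: str) -> dict:
    """Step 3: form body POSTed to the token endpoint (back channel). The
    server hashes code_verifier and compares it with the step-1 challenge."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": code_verifier}

def verify_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Server-side check pairing step 3 with step 1 (used here to self-test)."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)
```

Step 4 then sends the returned access token as `Authorization: Bearer <token>` on each API call; keep the verifier and state in server-side session storage, never in the redirect URL.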
What Comes Next?
- OAuth 2.0 Setup Workflow Guide: when you are ready, follow the step-by-step implementation guide.
Related Reading
- OAuth 2.0 Access to Staging Workflow Guide
Understand how Pleo Partners gain access to Pleo’s Staging environment and prepare their integration to authenticate using OAuth 2.0.