# OAuth 2.0 Overview

Integrations with Pleo should use **OAuth 2.0** for authorisation wherever possible. Alternative methods may be supported, such as [Integrated API Keys](/docs/current/getting-started/developer-partnership-programme#authentication-requirements).

## OAuth 2.0 Workflow

OAuth 2.0 uses a redirect-based authorisation flow that allows users to grant your integration access to their Pleo data without sharing credentials.

At a high level, OAuth 2.0 works as follows:

```mermaid
sequenceDiagram
    participant User as Resource Owner
    participant App as Client
    participant Auth as Authorisation Server
    participant API as Resource Server

    User->>App: Click "Connect with Pleo"
    App->>Auth: Redirect user + request scopes
    Auth->>User: Ask for consent / login
    User->>Auth: Grant permission
    Auth->>App: Redirect back with auth code
    App->>Auth: Exchange auth code for access token (PKCE if public client)
    Auth->>App: Return access token (+ refresh token)
    App->>API: Call Pleo APIs with access token
    API->>App: Return requested data
```

1. **Resource Owner + Client**\
   A customer clicks the "Connect with Pleo" button in your application.

2. **Authorisation Server**\
   The request is redirected to Pleo’s Authorisation Server, where the user grants permission for your integration to access their Pleo data.

3. **Client**\
   Once the user authorises, Pleo redirects them back to your application with a code. Your integration exchanges this code for an access token.

4. **Resource Server + Client**\
   After the exchange, your integration can call Pleo APIs by including the access token in API requests. Your integration can then display the data to users or process it for downstream workflows, such as exports, synchronisation, or reporting.

## What you need at the implementation level

This section outlines the key areas you need to understand to implement OAuth 2.0 securely:

### 1. Getting Set Up

* [**Client Registration**](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-registration): Register your OAuth 2.0 client with Pleo. Provide required details such as redirect URIs and requested API [scopes](/docs/current/authentication/api-scopes).
* [**Client Configuration**](/docs/current/integration-design/auth/oauth/getting-set-up/oauth-client-configuration): Ensure your OAuth 2.0 client is configured to communicate correctly with Pleo’s Authorisation Server.

### 2. Implementing OAuth

* [**Libraries and Standards**](/docs/current/integration-design/auth/oauth/implementing-oauth/integration-design-auth-oauth-libraries-and-standards): Use a standards-compliant OAuth 2.0 library to avoid common pitfalls.
* [**PKCE and Secured Patterns**](/docs/current/integration-design/auth/oauth/implementing-oauth/integration-design-auth-oauth-pkce-and-secured-patterns): Follow established security patterns to protect user credentials and tokens during the authorisation flow.

### 3. Token Lifecycle

* Understand how [**access tokens** and **refresh tokens**](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-token-overview) are issued, stored, refreshed, and revoked securely.

## What Comes Next?

* OAuth 2.0 Setup Workflow Guide

  When ready, follow the [**step-by-step implementation**](/docs/current/guides/oauth-workflow-guide) guide.

## FAQs

<Accordion title="What is the difference between an integration, application, and OAuth 2.0 client?">
  These terms describe different parts of how OAuth 2.0 works in the Pleo platform.

  The difference between an **integration**, **application**, and **OAuth 2.0 client** is explained in the [OAuth 2.0 Concepts and Terminology](/docs/current/authentication/oauth/oauth-overview#concepts-and-terminology) section.
</Accordion>

## Related Reading

* **[OAuth 2.0 Access to Staging Workflow Guide](/docs/current/guides/environment-access/staging-oauth-workflow)**\
  Understand how Pleo Partners gain access to Pleo’s Staging environment and prepare their integration to authenticate using OAuth 2.0.
