Access Tokens
Access tokens allow your application to call Pleo APIs on behalf of an authorised user, within the limits of the granted scopes.
- Issued by Pleo's Authorisation Server
- Sent with each request to Pleo resource servers
- Short-lived and expire after a limited period
The access token lifetime is provided in the expires_in field of the token response.
Refresh Tokens
Refresh tokens allow your integration to obtain new access tokens without requiring the user to reauthenticate.
- Longer-lived than access tokens
- Lifetime is not fixed and must not be assumed
- Valid for at least 60 days, but may expire or be revoked earlier
If an expired refresh token is used, all active refresh tokens for that authorisation are invalidated to prevent replay attacks.
Token Opacity and Safety
Access tokens and refresh tokens are opaque strings issued by Pleo. Do not parse, decode, or infer meaning from token values. Their format is not guaranteed and may change without notice.
Token Replacement Rules
When refreshing tokens:
- A new access token and new refresh token are issued
- All previous access and refresh tokens must be discarded immediately
- Reusing old tokens may result in authentication failures or revoked sessions
Common Token Scenarios
Access Token Expired
- Use the refresh token to obtain a new access token
- Do not prompt the user unless refresh fails
Refresh Token Expired or Revoked
- Restart the OAuth 2.0 authorisation flow
- Prompt the user to reauthenticate and grant consent again
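The rules above, as an added example that is not Pleo's own code: a single token holder that treats tokens as opaque strings, computes expiry from expires_in, discards the old pair on every rotation, serialises concurrent refreshes so only one request is sent, and reports when the user must reauthorise. The authorisation server is a constructed stand-in, not the Pleo API, and the token names and `REAUTH` signal are assumptions for the demo.

```python
import threading

class RefreshFailed(Exception):
    """Authorisation server rejected the refresh: the OAuth 2.0 flow must be restarted."""

class FakeAuthServer:
    """Constructed stand-in for Pleo's authorisation server (not the real API): each refresh
    rotates the pair, and presenting a retired refresh token revokes the whole authorisation."""
    def __init__(self):
        self.calls, self._n, self._current = 0, 0, "rt-0"
    def refresh(self, refresh_token):
        self.calls += 1
        if refresh_token != self._current:
            self._current = None  # replay detected: every refresh token for this grant is invalidated
            raise RefreshFailed("invalid_grant")
        self._n += 1
        self._current = f"rt-{self._n}"
        return {"access_token": f"at-{self._n}", "refresh_token": f"rt-{self._n}", "expires_in": 3600}

class TokenStore:
    """Single holder of the current pair; tokens are opaque strings and are never decoded."""
    def __init__(self, access_token, refresh_token, expires_in, now):
        self._now, self._lock = now, threading.Lock()
        self._set(access_token, refresh_token, expires_in)
    def _set(self, access_token, refresh_token, expires_in):
        self.access_token, self.refresh_token = access_token, refresh_token  # old pair discarded
        self.expires_at = self._now() + expires_in - 30  # from expires_in, minus a skew margin
    def get_access_token(self, refresh_fn):
        """Return a usable token; the lock makes concurrent callers share one refresh, since a
        second caller re-checks expiry after waiting and finds the already-rotated pair."""
        with self._lock:
            if self._now() < self.expires_at:
                return self.access_token
            resp = refresh_fn(self.refresh_token)  # raises RefreshFailed if expired/revoked
            self._set(resp["access_token"], resp["refresh_token"], resp["expires_in"])
            return self.access_token

def fetch_or_reauth(store, refresh_fn):
    """Return a token, or 'REAUTH' when the user must go through authorisation again."""
    try:
        return store.get_access_token(refresh_fn)
    except RefreshFailed:
        return "REAUTH"

def concurrent_fetch(store, refresh_fn, workers):
    """Several threads detect expiry at once; returns the token each one obtained."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(store.get_access_token(refresh_fn)))
               for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```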
Related Reading
- Centralised Token Refresh: Design a single, reliable mechanism for refreshing tokens across your system.
- Race Condition Prevention: Prevent duplicate refresh requests when multiple processes detect expiry simultaneously.
- Secure Token Storage: Store access and refresh tokens safely in backend and frontend environments.
- Handling Refresh Token Expiry or Revocation: Recover gracefully when refresh tokens are no longer valid.