Testing Pleo API using Postman

You can use Postman, a popular HTTP client, to test your OAuth configuration.

Depending on the method of authorization used by your app, you can configure Postman to use OAuth or API keys.


Postman provides excellent support for request authorization using OAuth 2.0.


When registering an OAuth client, include Postman's redirect endpoint URIs in the list of redirect URIs for your client.

Postman Variant | Redirect URI


On the “Authorization” tab, under “Auth Type”, select the “OAuth 2.0” option.

Then, in the “Configure New Token” section, provide the following configuration options.

Grant type: Choose “Authorization Code (With PKCE)”.
Callback URL: One of Postman's redirect endpoint URIs, depending on the variant used.
Access Token URL: {AUTHORIZATION_SERVER_URL}/oauth/token
Client ID and Client Secret: Enter the credentials of your client.
Code Challenge Method: Choose “SHA-256”.
Code Verifier: Leave blank, or provide a valid PKCE code verifier.
Scope: Enter a space-delimited list of the API scopes required for this request. A value of test:test can be used to test the OAuth flow.
Client Authentication: Choose “Send as Basic Auth Header”.


Postman variables

We recommend using Postman environment variables to store the base URL of the authorization server and client credentials. This will allow you to quickly switch between staging and production versions of your client.

To run an OAuth flow using Postman as a client, press the “Get New Access Token” button. Postman will then open the Pleo OAuth authorization UI. After granting authorization, you will be redirected back to Postman, which will automatically run an access token request and obtain an access token.
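
The flow above in code form, as an added example that is not part of the original page or Pleo's own code: it validates or generates a PKCE code verifier, derives the “SHA-256” code challenge, and builds the token request with the client credentials in a Basic auth header. The function names are illustrative, and the request fields are the standard RFC 6749 / RFC 7636 parameters, assumed to match what the authorization server expects.

```javascript
// Added example (not Pleo's code): PKCE values and the token request.
const crypto = require('node:crypto');

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function isValidVerifier(v) {
  return typeof v === 'string' && VERIFIER_RE.test(v);
}

// 32 random bytes encode to 43 base64url characters, all in the allowed set.
function newCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// "SHA-256" method: BASE64URL(SHA256(ASCII(verifier))), without padding.
function codeChallengeS256(verifier) {
  if (!isValidVerifier(verifier)) throw new Error('invalid PKCE code verifier');
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// "Send as Basic Auth Header": credentials go in Authorization, not the body.
function basicAuthHeader(user, password = '') {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Authorization-code token request. The verifier (never the challenge) is
// sent here so the server can recompute the challenge and compare.
function buildTokenRequest({ serverUrl, clientId, clientSecret, code, redirectUri, verifier }) {
  if (!isValidVerifier(verifier)) throw new Error('invalid PKCE code verifier');
  return {
    method: 'POST',
    url: `${serverUrl}/oauth/token`, // serverUrl stands for {AUTHORIZATION_SERVER_URL}
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      redirect_uri: redirectUri,
      code_verifier: verifier,
    }).toString(),
  };
}
```

Calling `basicAuthHeader(apiKey)` with the default empty password yields the header for the API key setup described in the “API keys” section.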

Postman can also automatically obtain new access tokens to replace expired ones, using refresh tokens.

API keys

Postman can easily be configured to access Pleo APIs using API keys.


  1. Switch to the "Authorization" tab.
  2. Select "Basic Auth" in the "Type" dropdown menu.
  3. Provide your API key as the "Username". Leave the "Password" field blank.


Postman variables

We recommend storing your API keys as Postman environment variables.