API client management
API clients are the credentials that external tools and integrations use to authenticate with Plutio's REST API. Each client has its own access scope, so different integrations can be granted different levels of access to your workspace data.
Creating an API client
API clients are created from Settings → API manager. Each client is given a name for identification, and Plutio generates a client ID and client secret. The client secret is shown only once, at creation, and should be stored securely: if the secret is lost, a new client needs to be created.
Permissions and scoping
Each API client can be assigned specific permissions scoped to specific areas. An accounting integration might only need access to invoices and contacts, while a project management sync might need projects, tasks, and time entries. Scoping permissions per client follows the principle of least privilege, so each integration only accesses what it actually needs.
Token lifecycle
Access tokens are obtained by sending the client ID and client secret to the /oauth/token endpoint using the client_credentials grant type. Each token is valid for 72 hours. When a token expires, a new token is requested using the same credentials. Integrations that run continuously should handle token refresh automatically to avoid interruptions.
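A small token cache for the lifecycle described above, added here as an illustration and not taken from Plutio's own documentation or code. The request encoding, the `access_token` response field, the environment variable names and the five-minute refresh margin are assumptions, and the base URL is supplied by the caller.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_LIFETIME_S = 72 * 3600   # token validity stated on this page
REFRESH_MARGIN_S = 300         # assumption: renew 5 minutes before expiry


def fetch_token(base_url, client_id, client_secret):
    # Assumed: form-encoded body and a JSON response with `access_token`
    # (the standard OAuth 2.0 shapes); confirm against the API reference.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth/token", data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


class TokenCache:
    """Holds one token in memory and renews it shortly before the 72 h limit."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch        # zero-argument callable returning a token string
        self._clock = clock        # injectable so expiry can be tested offline
        self._token = None
        self._expires_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_S:
            self._token = self._fetch()
            self._expires_at = now + TOKEN_LIFETIME_S
        return self._token

    def invalidate(self):
        """Call after a 401 so the next get() requests a fresh token."""
        self._token = None


def cache_from_env(base_url):
    # Hypothetical variable names; the secret stays out of source control.
    cid = os.environ["PLUTIO_CLIENT_ID"]
    secret = os.environ["PLUTIO_CLIENT_SECRET"]
    return TokenCache(lambda: fetch_token(base_url, cid, secret))
```

Keeping the token only in memory and the secret only in the environment (or a secrets manager) means neither is written to disk or logs by the integration itself.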
Managing multiple clients
Multiple API clients can exist simultaneously, each with different permissions and scopes. A CRM sync client, a billing integration client, and a reporting client can all operate independently. Revoking one client's access doesn't affect the others, so integrations can be added or removed individually without disrupting the rest.