Authentication 🔑

All you need to know for accessing the API

📘 Getting your credentials

If you don't have them yet, please contact us.

Overview

The Plutto API supports two authentication methods:

  • API Token: Best for server-to-server integrations and simple use cases
  • OAuth 2.0: Best for applications requiring delegated access or enhanced security

All API requests must be made over HTTPS. Calls made over plain HTTP will fail.


API Token

The Plutto API uses Bearer tokens to authenticate requests.

Making Authenticated Requests

Pass your API token in the Authorization header with the Bearer prefix:

curl --location --request POST 'https://kyb.getplutto.com/api/v2/entity_validations' \
--header 'Authorization: Bearer sk_ef9f347e8e2ea65ebf074d2fd18187fd87ff52fc28954e8d' \
--header 'Content-Type: application/json'

Security Best Practices

⚠️ Keep your API tokens secure:

  • Never commit tokens to version control or share them publicly
  • Treat API tokens like passwords
  • Rotate tokens periodically and immediately if compromised
  • Use environment variables to store tokens in your applications

OAuth 2.0

The Plutto API supports the OAuth 2.0 client credentials flow for enhanced security and access control.

Step 1: Obtain an Access Token

Exchange your OAuth credentials for an access token:

curl --location --request POST 'https://kyb.getplutto.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'client_secret=YOUR_CLIENT_SECRET' \
--data-urlencode 'scope=REQUIRED_SCOPES'

Parameters:

  • grant_type: Must be client_credentials
  • client_id: Your OAuth client ID
  • client_secret: Your OAuth client secret
  • scope: Required permission scopes (contact support for available scopes)

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 7200,
  "scope": "read write",
  "created_at": 1766087365
}

Step 2: Use the Access Token

Include the access token in the Authorization header for subsequent API requests:

curl --location --request POST 'https://kyb.getplutto.com/api/v2/entity_validations' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' \
--header 'Content-Type: application/json'

Token Expiration

Access tokens expire after the number of seconds given in expires_in (typically 7200 seconds, i.e. 2 hours), counted from the created_at timestamp in the token response. Request a new token when the current one expires.
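As an added example (not code from the Plutto documentation or any Plutto client library), the following Python client performs the Step 1 exchange with credentials read from environment variables, caches the token, and requests a new one shortly before the created_at + expires_in deadline so Step 2 requests never go out with an expired token. The variable names PLUTTO_CLIENT_ID and PLUTTO_CLIENT_SECRET and the 300-second refresh margin are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_URL = "https://kyb.getplutto.com/oauth/token"


def fetch_token_from_plutto(scope: str) -> dict:
    """Step 1: client_credentials exchange. The client ID and secret are read
    from environment variables (names assumed here) rather than hard-coded."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": os.environ["PLUTTO_CLIENT_ID"],
        "client_secret": os.environ["PLUTTO_CLIENT_SECRET"],
        "scope": scope,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=form, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class CachedToken:
    access_token: str
    created_at: int  # issue time (Unix seconds) from the token response
    expires_in: int  # lifetime in seconds from the token response

    def expires_at(self) -> int:
        return self.created_at + self.expires_in


class TokenManager:
    """Caches the access token and requests a new one shortly before expiry."""
    def __init__(self, fetch: Callable[[], dict],
                 clock: Callable[[], float] = time.time, refresh_margin: int = 300):
        self._fetch, self._clock, self._margin = fetch, clock, refresh_margin
        self._token: Optional[CachedToken] = None

    def get_token(self) -> str:
        # Re-request within refresh_margin seconds of expiry so a call sent just before the deadline is not rejected.
        if self._token is None or self._clock() >= self._token.expires_at() - self._margin:
            r = self._fetch()
            self._token = CachedToken(r["access_token"], int(r["created_at"]), int(r["expires_in"]))
        return self._token.access_token

    def auth_header(self) -> dict:
        return {"Authorization": f"Bearer {self.get_token()}"}
```

In production, build the manager with `TokenManager(lambda: fetch_token_from_plutto("REQUIRED_SCOPES"))` and pass `auth_header()` to every API call; the fetch callable can be swapped for a stub when testing offline.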

Security Best Practices

⚠️ Keep your OAuth credentials secure:

  • Never commit client secrets to version control or expose them publicly
  • Store credentials securely using environment variables or secret management services
  • Implement token refresh logic in your application to handle expiration
  • Monitor and rotate credentials regularly