Xoxoday Plum integrates with enterprise mobile applications through a secure API layer supporting OAuth 2.0, webview and iFrame embedding, mobile-optimised PWA storefronts, and optional SAML-based single sign-on.
Xoxoday Plum connects with enterprise mobile applications through a standards-based integration layer built on REST and GraphQL APIs protected by OAuth 2.0. Whether your organisation runs a custom employee app, an HR super-app, or a workforce platform, Xoxoday Plum delivers the full rewards and redemption experience inside the environments your employees already use every day.

Embedding the rewards catalogue inside your app

The most common integration pattern is embedding the Xoxoday Plum rewards catalogue directly within an existing mobile app using a webview or iFrame component. Employees can browse, select, and redeem rewards without leaving the host application. The embedded experience inherits your app’s navigation shell, making the transition seamless from the user’s perspective. For teams that prefer a lighter integration footprint, Xoxoday Plum also provides a mobile-optimised progressive web app (PWA) storefront. Your app can deep-link or redirect users to this PWA, which is fully responsive on both iOS and Android, with no native SDK dependency required.

Authentication and single sign-on

Xoxoday Plum supports SAML-based single sign-on so employees authenticated in your mobile app are automatically signed into their Plum account without a second login prompt. This is especially valuable when Xoxoday Plum runs alongside HR platforms such as Darwinbox or SAP SuccessFactors, where identity is already managed centrally. Organisations using Microsoft Entra ID or Okta as their identity provider connect through the same SAML flow with no additional configuration on the employee side.

Security and compliance

All API endpoints are secured by OAuth 2.0, and the integration architecture aligns with Xoxoday Plum’s ISO 27001 and SOC 2 Type II certifications. Data exchanged between your mobile app and Xoxoday Plum travels over encrypted channels, and access tokens are scoped to the minimum permissions required for catalogue browsing and reward redemption.

A practical example

Consider an organisation running a custom employee engagement app built on React Native. The team adds a “Rewards” tab to the bottom navigation bar and uses a webview component to render the Xoxoday Plum catalogue. When an employee taps the tab, Xoxoday Plum receives the OAuth token issued by the company’s identity provider, validates it, and surfaces personalised reward options within the familiar app shell. Redemption confirmations and point-balance updates are pushed back to the host app in real time via webhook. This same pattern works for organisations embedding Plum alongside Workday or delivering rewards through a dedicated internal super-app.

Learn more: Xoxoday Plum Help Centre — General

SSO and SAML authentication setup

Configure single sign-on so employees access Xoxoday Plum rewards without a separate login.

API integration overview

Explore the REST and GraphQL endpoints available for connecting Xoxoday Plum to your internal systems.