
    App2App

    Enable seamless mobile authentication for users who have your app installed

    Is App2App right for you?

    Implement App2App if:

    • You have a mobile banking app (iOS or Android)
    • Users frequently link accounts from their phones
    • You want to reduce authentication friction
    • You can support deep linking and in-app OAuth flows

    Impact: App2App improves mobile conversion rates up to 15% through biometric login and seamless user flow.

    [Figure: App2App example flow showing biometric authentication]

    How App2App works

    App2App makes mobile authentication faster and smoother. If your users already have your mobile app installed, they can authenticate there instead of using a mobile browser.

    The App2App flow:

    1. User selects your institution in Plaid Link
    2. Plaid detects App2App support and checks for your app on the device
    3. If installed, Plaid redirects to your deep link URL
    4. Your mobile app opens and parses the OAuth parameters from the deep link
    5. User authenticates in your app (using biometrics, credentials, or existing session)
    6. Your app generates an authorization code and redirects back to Plaid
    7. Plaid completes the linking and returns the user to the originating app

    Set up deep link URLs

    Configure HTTPS URLs that open your app when a user who has it installed taps them. If the app is not installed, or the user is on a desktop browser, the same URL must fall back to your mobile web page.

    Platform-specific guides:

    • iOS: Universal links
    • Android: App Links

    Use only HTTPS URLs, not custom schemes (such as bankapp://). HTTPS ensures compatibility with both app and browser fallback.

    Build the in-app authentication flow

    Your mobile app needs to handle OAuth authorization natively.

    Implementation approaches

    Native authentication (recommended): Users authenticate fully inside your app. After authentication, generate the authorization code and redirect back to Plaid.

    Embedded web view (alternative): Start authentication in your app and complete it in an embedded web view. This is simpler to implement but involves some UX trade-offs.

    Parse OAuth parameters from the deep link

    When Plaid launches your app, the deep link includes standard OAuth parameters. Your app must parse these:

    Example deep link
    https://yourbank.com/mobile_app?
      response_type=code
      &client_id=plaid-client-id
      &redirect_uri=https%3A%2F%2Fcdn.plaid.com%2Flink%2Fv2%2Fstable%2Foauth.html
      &state=oauth-state-id
      &scope=openid%20offline_access

    Required parameters:

    Parameter | Description
    response_type | Always code
    client_id | The client ID you issued to Plaid
    redirect_uri | Where to send the authorization code (Plaid's OAuth handler)
    state | Opaque state value to include in your redirect
    scope | Requested scopes (e.g., openid offline_access)
    code_challenge / code_challenge_method | Optional, if you're using PKCE

    Redirect back to Plaid

    After successful authentication, redirect the user to Plaid with the authorization code:

    Example redirect
    https://cdn.plaid.com/link/v2/stable/oauth.html?code=AUTH_CODE&state=STATE_ID

    Include the state parameter exactly as received. Plaid will validate it and complete the OAuth flow.

    Provide URLs to Plaid

    Provide two URLs to your Plaid contact:

    • App2App deep link URL - For native mobile flow (e.g., https://yourbank.com/mobile_app)
    • Web authorization endpoint - From your .well-known/openid-configuration (fallback for browser)

    This allows Plaid to control the user path and isolate any issues that may arise (for example, if a specific app incorrectly implements the App2App flow).

    Handle fallback to the browser

    If the user doesn't have your app installed, the OS opens the deep link in a browser instead. Detect these browser-based deep link requests on your server and redirect them to your standard OAuth authorization endpoint (as specified in the .well-known/openid-configuration endpoint).

    The OS controls fallback routing. Plaid doesn't decide whether to use the app or the browser. Make sure your deep link URL is publicly accessible so browser fallback works.
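As an added example (not Plaid's or any bank's code), the following Python shows the three pieces described above: the checks an app should run on the deep link parameters before authenticating the user, the redirect back to Plaid with state echoed as received, and the server-side rewrite of a browser-fallback request to the web authorization endpoint. The registered-client table, the authorization endpoint URL and the function names are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumption (constructed): the redirect_uri registered for Plaid's client_id
# when you issued it. Match it exactly; no prefix or wildcard comparison.
REGISTERED_CLIENTS = {
    "plaid-client-id": "https://cdn.plaid.com/link/v2/stable/oauth.html",
}
REQUIRED = ("response_type", "client_id", "redirect_uri", "state", "scope")


def parse_deep_link(url):
    """Validate the OAuth parameters on an App2App deep link.

    Returns the parameters as a dict, or raises ValueError so the app can
    abort instead of authenticating against an unexpected request.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name in REQUIRED:
        values = qs.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"missing, empty or repeated parameter: {name}")
        params[name] = values[0]
    if params["response_type"] != "code":
        raise ValueError("response_type must be 'code'")
    registered = REGISTERED_CLIENTS.get(params["client_id"])
    if registered is None or params["redirect_uri"] != registered:
        raise ValueError("unknown client_id or redirect_uri mismatch")
    # PKCE is optional; this example accepts only the S256 method if present.
    if "code_challenge" in qs:
        if qs.get("code_challenge_method", [""])[0] != "S256":
            raise ValueError("unsupported code_challenge_method")
        params["code_challenge"] = qs["code_challenge"][0]
    return params


def build_plaid_redirect(params, auth_code):
    """Redirect to the validated redirect_uri, echoing state as received."""
    query = urlencode({"code": auth_code, "state": params["state"]})
    return f"{params['redirect_uri']}?{query}"


def browser_fallback_redirect(deep_link_url, authorization_endpoint):
    """Server side: the deep link was opened in a browser (no app installed).

    Forward the original query string unchanged to the web authorization
    endpoint published in .well-known/openid-configuration.
    """
    endpoint = urlsplit(authorization_endpoint)
    return urlunsplit(endpoint._replace(query=urlsplit(deep_link_url).query))
```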

    Implementation checklist

    • Deep link URLs configured (iOS Universal Links and/or Android App Links)
    • In-app OAuth authentication flow built
    • Authorization code generation working in-app
    • Redirect back to Plaid working correctly
    • Fallback to web flow tested
    • Both redirect URLs provided to Plaid
    • Testing complete on iOS and Android