Production readiness

Performance targets, testing strategies, and go-live readiness

Production readiness

Your OAuth server should meet these performance targets to ensure a smooth user experience and reliable API access. Monitor and track these metrics continuously. Plaid also monitors integration health to help identify and resolve performance issues. Meeting these targets significantly impacts conversion rates and user satisfaction.

Target metrics

MetricTargetNotes
Endpoint latency< 3.5 secondsResponse time for authorization, token, userinfo, and JWKS endpoints. P95 should be under 2 seconds.
Throughput (TPS)300+ requests/secondSustained throughput across all OAuth endpoints combined.
Uptime99.5% minimum (99.9% preferred)Track and calculate uptime monthly. Exclude scheduled maintenance windows by notifying Plaid in advance.
Success rate (conversion)> 70%Percentage of OAuth flows that complete successfully from authorization to token exchange.
Data completeness100% fill rateAll required fields populated in responses (no null values for required fields).
Error rate< 1%HTTP 500 errors and other server failures. Up to 1% errors expected for user-related issues (cancelled flows, invalid credentials).

Why these numbers matter

Latency: Slow responses increase user drop-off rates. Sub-3.5 second responses keep users engaged.

Throughput: Connection volumes can spike during peak times. Insufficient throughput creates bottlenecks that cascade to downstream apps.

Uptime: Downtime blocks new connections and refresh flows. In payment use cases, even 30 minutes of downtime can lead to ACH failures and customer complaints.

Conversion rate: Low conversion indicates UX problems (confusing screens, slow responses) or technical issues (timeout errors, redirect failures).

Monitoring recommendations

Track these metrics continuously:

  • P50, P95, P99 latency for each OAuth endpoint
  • HTTP status code distribution (200, 400, 401, 500, 503)
  • OAuth flow completion rate (authorization -> token exchange success)
  • Token refresh success rate
  • JWKS endpoint availability and latency

Set up alerts for:

  • Latency P95 exceeding 3.5 seconds
  • Error rate exceeding 2%
  • Uptime dropping below 99.5%
  • Throughput capacity issues

Capacity planning

Plan for growth:

  • Volume projections for traffic increases over time
  • Peak load during traffic spikes
  • Refresh traffic from background calls (can generate significant additional load)
  • JWKS caching (Plaid caches for 24 hours, reducing load on that endpoint)

Test your infrastructure under load before going live. Use load-testing tools to simulate hundreds of concurrent OAuth flows and verify that performance holds up.

Testing your OAuth implementation

Test in Plaid's Sandbox environment before going to Production. Catching issues early saves headaches later.

Test scenarios to cover

Run through these flows to make sure your OAuth server handles both success and failure gracefully:

Happy path

  • Complete authorization flow from start to finish
  • Token exchange succeeds
  • Refresh token flow works
  • JWKS validation passes

User cancels authentication

  • User cancels during authentication
  • Correct error code returned (access_denied)
  • Proper redirect back to Plaid with state parameter

Invalid credentials

  • Wrong client ID or client secret
  • Correct 401 or 400 response with invalid_client error

Expired authorization codes

  • Authorization code used twice
  • Authorization code expired (> 10 minutes old)
  • Returns invalid_grant error

Token expiration flow

  • Access token expires after expires_in seconds
  • Refresh flow triggers automatically
  • New tokens issued successfully

JWKS validation

  • ID token signature verified successfully
  • kid matches published JWKS
  • Invalid signatures rejected

Error handling

  • All error codes from the error handling section return correctly
  • Error responses include appropriate HTTP status codes
  • Optional error_description provides useful debugging info

Common issues to check

Before going live, verify:

HTTPS enforcement

  • All OAuth endpoints use HTTPS
  • No HTTP fallback available
  • Valid TLS certificates (not self-signed in Production)

Redirect URI matching

  • Exact match required (including trailing slashes)
  • Case-sensitive comparison
  • No wildcard or regex matching

Token expiration

  • expires_in matches actual token lifetime
  • Tokens actually expire when claimed
  • Refresh tokens have a reasonable expiration (13+ months recommended)

CORS headers

  • Set if using browser-based flows
  • Access-Control-Allow-Origin configured correctly
  • Preflight requests handled

Well-known endpoint

  • Returns valid JSON
  • All required fields present
  • Endpoint accessible without authentication

Sandbox testing tips

  • Use Plaid's Sandbox environment to test without affecting Production data
  • Test with multiple apps and user scenarios to verify that the universal token model works across different user flows
  • Simulate network issues and timeouts to ensure graceful degradation
  • Test token revocation to confirm disconnection flows work

Pre-launch checklist

Complete before going live:

Configuration

  • OAuth server in Production environment
  • Discovery endpoint accessible
  • JWKS endpoint published and accessible
  • Production credentials issued to Plaid
  • mTLS certificates configured

Testing

  • All test scenarios pass in Sandbox
  • Load testing complete (300+ TPS)
  • Error handling verified
  • Token expiration tested
  • Refresh flow tested

Monitoring

  • Latency monitoring enabled
  • Error rate alerts configured
  • Uptime monitoring in place
  • Log aggregation working
  • On-call rotation established

Documentation

  • Runbooks created for common issues
  • Escalation paths documented
  • Support contact information shared with Plaid
  • Maintenance window procedures defined