Plaid logo
Core Exchange
ALL DOCS

Post-launch

  • Post-launch operations
  • Dashboard monitoring
  • Consent management
  • Permissions & App Directory
  • Troubleshooting
Core Exchange
Close search modal
Ask Bill!
Ask Bill!
Hi! I'm Bill! You can ask me all about Core Exchange. Try asking questions like:
    Note: Bill isn't perfect. He's just a robot platypus that reads our docs for fun. You should treat his answers with the same healthy skepticism you might treat any other answer on the internet. This chat may be logged for quality and training purposes. Please don't send Bill any PII -- he's scared of intimacy. All chats with Bill are subject to Plaid's Privacy Policy.
    Plaid.comGet Started
    Open nav

    Troubleshooting

    Debug OAuth issues faster with proper logging and error handling

    Where to start

    • Validator end-to-end failures — Pre-launch test failing in the Dashboard Validator
    • Common OAuth errors — Connection failing during OAuth
    • Common integration issues — API calls returning errors
    • JWKS validation issues — Token validation failing
    • Logging — Debug a specific flow or unsure where to look
    • FDX Explorer — Reference OAuth flow with interactive demo

    Validator end-to-end failures

    The Validator runs in the Data Partner Dashboard and exercises your discovery, OAuth, and data endpoints before production launch. End-to-end runs can fail before any OAuth traffic reaches your authorize or token endpoints — usually at the discovery step.

    Error getting OIDC configuration

    Issue: The Validator end-to-end test fails immediately with Error getting OIDC configuration. Please also make sure you have allowlisted Plaid IPs.

    Cause: This message covers two unrelated failure modes that need different fixes:

    1. The discovery URL (/.well-known/openid-configuration) is not reachable from the public internet — most often a 404, a firewall or WAF block, or a TLS/DNS error.
    2. The discovery URL returns 200 but the response body is missing required fields (see Well-known configuration).

    IP allowlisting configuration issues are rarely the cause at this step. Plaid fetches /.well-known/openid-configuration and jwks_uri from infrastructure outside the IP ranges in the IP allowlist documentation, so these endpoints must remain reachable from the public internet.

    How to debug, in order:

    1. From a network outside your firewall and any internal IP allowlist, run:

      curl -v 'https://YOUR_DOMAIN/.well-known/openid-configuration'

      Expect HTTP 200 with Content-Type: application/json. If you get 404, 403, a TLS error, or a connection timeout, the URL is not publicly reachable — fix DNS, firewall/WAF rules, or the route itself, then re-run the Validator. Confirm your firewall does not restrict this path to the Plaid IP ranges.

    2. If step 1 returns 200, verify the JSON body includes authorization_endpoint, token_endpoint, response_types_supported (with code), scopes_supported (with offline_access, plus openid for OIDC), and userinfo_endpoint and jwks_uri for OIDC. Missing or misnamed fields will fail the Validator with the same generic message.

    3. If steps 1 and 2 both pass, the discovery layer is healthy — the underlying failure is on token_endpoint, userinfo_endpoint, or a data endpoint, not discovery. The IP allowlist applies to those endpoints; confirm it is configured correctly there.

    Quick fixes

    OAuth errors you should return

    These are standard OAuth error codes your server should return to Plaid:

    Error codeWhen to returnFix
    access_deniedUser cancelled authorizationNormal user behavior - log but don't alert
    invalid_grantAuthorization code expired or was reusedReduce latency, expire codes in 10 min, enforce single-use
    temporarily_unavailableYour server is overloaded or in maintenanceCheck capacity, implement rate limiting, add monitoring

    JWKS and token validation issues

    If Plaid encounters problems validating your ID tokens, connections will fail and your conversion rates will drop. These issues typically show up as authentication failures in your logs or low conversion metrics in the Data Partner Dashboard. Your Solutions Engineer may reach out to help troubleshoot.

    Common JWKS problems and fixes

    ProblemHow you would noticeWhat to check
    ID token signature validation failingConnection failures, user complaintsVerify kid in token header matches a key in your published JWKS
    Key rotation issuesSudden spike in auth failures after key rotationConfirm new keys published to JWKS before removing old ones (24-hour overlap)
    JWKS endpoint unreachableAll connections failing, Plaid can't validate any tokensCheck endpoint uptime, DNS resolution, firewall rules, and HTTPS configuration

    Logging

    Good logging significantly reduces debugging time. Log the following identifiers for every session:

    IdentifierPurpose
    stateCorrelates redirect and token exchange.
    userIdYour internal authenticated user ID.
    timestampISO-8601 timestamp of each request/response.
    X-Request-IDPlaid request identifier sent in request headers. Correlate with the Dashboard's Integration Health view.
    oauth_session_id (optional)Your unique session tracker.

    Plaid sends the X-Request-ID header when calling your token_endpoint and resource server endpoints:

    Example request header
    X-Request-ID: req_4h8j2k9m3n7p5q1r

    Include these identifiers in support tickets to speed up resolution.

    JWKS validation issues

    These issues only apply to OIDC implementations that issue ID tokens. Plain OAuth 2.0 implementations don't use JWKS.

    ErrorDescriptionResolution
    invalid_signatureID token signature cannot be verified.Ensure JWKS is reachable and current.
    kid_not_foundToken kid does not match any published key.Verify correct key rotation and header values.
    jwks_uri_unreachableJWKS endpoint not available.Confirm HTTPS accessibility and DNS resolution.

    Common OAuth errors

    ErrorMeaningResolution
    invalid_requestMissing/invalid parameter.Validate query parameters; ensure redirect_uri and scope are present.
    unauthorized_clientBad client credentials.Confirm client_id/secret.
    invalid_grantCode expired or reused.Make codes one-time use; expire within < 10 min.
    redirect_uri_mismatchURI does not match the registered value.Must exactly match Plaid's redirect URI.
    temporarily_unavailableDP downtime or maintenance.Retry; notify Plaid of planned maintenance.

    Monitoring and alerting

    Plaid sends email notifications when integration issues are detected, with a link to the issue in your dashboard. Use the Issue Center to see all active issues at a glance, and drill into individual issue detail pages to debug using error trends, sample errors, and request-level logs.

    In addition to responding to alerts, proactively monitor:

    • HTTP status codes and latency for authorize, token, userinfo, and jwks_uri endpoints
    • Error rates: Alert if > 2%
    • OAuth and JWKS errors: Log with timestamp and state

    When you need help

    Opening a support ticket? Include:

    • state value
    • Timestamp and user ID
    • Error message and HTTP status
    • Request/response headers (mask the secrets!)
    • X-Request-ID from the request headers
    • Recent log entries surrounding the error

    The more context you provide, the faster the resolution.

    Common integration issues

    Beyond standard OAuth errors, watch for these implementation problems:

    Validation failures

    Issue: API response validation fails because a field contains null instead of the expected data type (string, number, array, etc.).

    Cause: Returning null for a field when the schema expects a typed value.

    Resolution:

    • Required fields: Return a value in the expected type. If data is unavailable, use an empty string ("") for strings or an empty array ([]) for arrays.
    • Optional fields: Omit the field entirely from the response rather than setting it to null.
    Data examples
    // Don't do this
    {
      "email": null,
      "phoneNumbers": null
    }
    
    // Do this instead
    {
      "email": "",
      "phoneNumbers": []
    }
    
    // Or this (omit optional fields)
    {
      "email": ""
    }

    Iteration limit exceeded

    Issue: Plaid limits how many times it will call a paginated endpoint before throwing an error.

    Cause: The nextOffset field (or equivalent pagination parameter) is set to null or an empty string on the final page instead of being omitted.

    Resolution: On the last page of results, omit the nextOffset field completely. Don't set it to null, empty string, or 0.

    Example:

    Pagination example
    // Don't do this (last page)
    {
      "data": [...],
      "nextOffset": null
    }
    
    // Do this instead (last page)
    {
      "data": [...]
    }

    No logs visible in Data Partner Dashboard

    Issue: Data Providers trying to debug OAuth issues don't see logs in the Data Partner Dashboard.

    Cause: Plaid only provides logs after the user successfully passes initial authentication steps. If the OAuth flow fails during authorization or before the token exchange completes, logs will not be available.

    Resolution: Contact Plaid support to review internal logs and identify where the flow broke. Common pre-log issues include: invalid client_id, HTTPS errors, or redirect URI mismatch.

    invalid_grant during refresh

    Issue: Refresh token flow fails with invalid_grant error during background updates.

    Cause: Refresh token expired before Plaid attempted to use it. This error can occur when the refresh token lifetime is set too short or when the DP revokes tokens after a period of inactivity.

    Resolution:

    • Set refresh token expiration to 13+ months
    • Don't use inactivity timeouts on refresh tokens
    • If revocation is necessary, coordinate with Plaid to avoid breaking active connections

    User identifier rejected (consistency key)

    Issue: Connection fails because the user identifier (consistency key) returned in the id_token sub field or /customers/current is fewer than seven characters.

    Cause: Consistency key too short to meet minimum requirements.

    Resolution: Use a longer identifier or a prefix with the institution code, with a minimum length of seven characters.

    User ID examples
    // Too short
    {"sub": "12345"}
    
    // Acceptable length
    {"sub": "user_12345"}