Layer
API reference for Layer endpoints
For how-to guidance, see the Layer documentation.
| Endpoints | |
|---|---|
/session/token/create | Creates a Link token for a Layer session |
/user_account/session/get | Returns user permissioned account data |
| Webhooks | |
|---|---|
LAYER_AUTHENTICATION_PASSED | A user has been authenticated |
Endpoints
/session/token/create
Create a Session Token
/session/token/create is used to create a Link token for Layer. The returned Link token is used as an parameter when initializing the Link SDK. For more details, see the Link flow overview.
Request fields
client_idstring
Your Plaid API
client_id. The client_id is required and may be provided either in the PLAID-CLIENT-ID header or as part of a request body.secretstring
Your Plaid API
secret. The secret is required and may be provided either in the PLAID-SECRET header or as part of a request body.template_idrequiredstring
The id of a template defined in Plaid Dashboard
userobject
SessionTokenCreateRequestUser defines per-session user-specific data for
/session/token/create. Required if the root-level user_id field isn't included.client_user_idrequiredstring
A unique ID representing the end user. Typically this will be a user ID number from your application. Personally identifiable information, such as an email address or phone number, should not be used in the
client_user_id. It is currently used as a means of searching logs for the given user in the Plaid Dashboard.user_idstring
The Plaid
user_id of the User associated with this webhook, warning, or error.redirect_uristring
A URI indicating the destination where a user should be forwarded after completing the Link flow; used to support OAuth authentication flows when launching Link in the browser or another app. The
redirect_uri should not contain any query parameters. When used in Production, must be an https URI. To specify any subdomain, use * as a wildcard character, e.g. https://*.example.com/oauth.html. Note that any redirect URI must also be added to the Allowed redirect URIs list in the developer dashboard. If initializing on Android, android_package_name must be specified instead and redirect_uri should be left blank.android_package_namestring
The name of your app's Android package. Required if using the session token to initialize Layer on Android. Any package name specified here must also be added to the Allowed Android package names setting on the developer dashboard. When creating a session token for initializing Layer on other platforms,
android_package_name must be left blank and redirect_uri should be used instead.webhookstring
The destination URL to which any webhooks should be sent. If you use the same webhook listener for all Sandbox or all Production activity, set this value in the Layer template editor in the Dashboard instead. Only provide a value in this field if you need to use multiple webhook URLs per environment (an uncommon use case). If provided, a value in this field will take priority over webhook values set in the Layer template editor.
1const request: SessionTokenCreateRequest = {2 user: {3 client_user_id: 'user-abc'4 },5 template_id: 'template_4uinBNe4B2x9'6};7try {8 const response = await client.sessionTokenCreate(request);9 const linkToken = response.data.link.link_token;10} catch (error) {11 // handle error12}Response fields
request_idstring
A unique identifier for the request, which can be used for troubleshooting. This identifier, like all Plaid identifiers, is case sensitive.
linkobject
Response data for
/session/token/create intended for use with the Link SDK.link_tokenstring
A Link token, which can be supplied to Link in order to initialize it and receive a
public_token.expirationstring
The expiration date for the
link_token, in ISO 8601 format. A link_token created to generate a public_token that will be exchanged for a new access_token expires after 4 hours. A link_token created for an existing Item (such as when updating an existing access_token by launching Link in update mode) expires after 30 minutes.Format:
date-time 1{2 "link": {3 "link_token": "link-sandbox-af1a0311-da53-4636-b754-dd15cc058176",4 "expiration": "2020-03-27T12:56:34Z"5 },6 "request_id": "XQVgFigpGHXkb0b"7}/user_account/session/get
Retrieve User Account
This endpoint returns user permissioned account data, including identity and Item access tokens, for use with Plaid Layer. Note that end users are permitted to edit the prefilled identity data in the Link flow before sharing it with you; you should treat any identity data returned by this endpoint as user-submitted, unverified data. For a verification layer, you can add Identity Verification to your flow, or check the submitted identity data against bank account data from linked accounts using Identity Match.
Request fields
client_idstring
Your Plaid API
client_id. The client_id is required and may be provided either in the PLAID-CLIENT-ID header or as part of a request body.secretstring
Your Plaid API
secret. The secret is required and may be provided either in the PLAID-SECRET header or as part of a request body.public_tokenrequiredstring
The public token generated by the end user Layer session.
1const request: UserAccountSessionGetRequest = {2 public_token: 'profile-sandbox-b0e2c4ee-a763-4df5-bfe9-46a46bce992d',3};4try {5 const response = await client.userAccountSessionGet(request);6} catch (error) {7 // handle error8}Response fields
identitynullableobject
The identity data permissioned by the end user during the authorization flow.
addressnullableobject
The user's address.
citynullablestring
The full city name
regionnullablestring
The region or state.
Example:
"NC"streetnullablestring
The full street address
Example:
"564 Main Street, APT 15"street2nullablestring
The second line street address
postal_codenullablestring
The postal code. In API versions 2018-05-22 and earlier, this field is called
zip.countrynullablestring
The ISO 3166-1 alpha-2 country code
phone_numberstring
The user's phone number in E.164 format
emailnullablestring
The user's email address.
Note: email is currently not returned for users, and will be added later in 2025.
Note: email is currently not returned for users, and will be added later in 2025.
date_of_birthnullablestring
The user's date of birth.
ssnnullablestring
The user's social security number.
ssn_last_4nullablestring
The last 4 digits of the user's social security number.
items[object]
item_idstring
The Plaid Item ID. The
item_id is always unique; linking the same account at the same institution twice will result in two Items with different item_id values. Like all Plaid identifiers, the item_id is case-sensitive.access_tokenstring
The access token associated with the Item data is being requested for.
request_idstring
A unique identifier for the request, which can be used for troubleshooting. This identifier, like all Plaid identifiers, is case sensitive.
1{2 "identity": {3 "name": {4 "first_name": "Leslie",5 "last_name": "Knope"6 },7 "address": {8 "street": "123 Main St.",9 "street2": "",10 "city": "Pawnee",11 "region": "IN",12 "postal_code": "41006",13 "country": "US"14 },15 "email": "leslie@knope.com",16 "phone_number": "+14157452130",17 "date_of_birth": "1975-01-18",18 "ssn": "987654321",19 "ssn_last_4": "4321"20 },21 "items": [22 {23 "item_id": "Ed6bjNrDLJfGvZWwnkQlfxwoNz54B5C97ejBr",24 "access_token": "access-sandbox-435beced-94e8-4df3-a181-1dde1cfa19f0"25 }26 ],27 "request_id": "m8MDnv9okwxFNBV"28}Webhooks
LAYER_AUTHENTICATION_PASSED
Indicates that Plaid's authentication process has completed for a user and that Plaid has verified that the user owns their phone number. If you receive this webhook, you should skip your own OTP phone number verification flow for the user, even if the user does not complete the entire Link flow. If the user doesn't complete the full Link flow (as verified by your being able to successfully call /user_account/session/get using the public_token from the onSuccess callback) it is recommended that you implement webhook verification or another technique to avoid webhook spoofing attacks.
Properties
webhook_typestring
LAYERwebhook_codestring
LAYER_AUTHENTICATION_PASSEDenvironmentstring
The Plaid environment the webhook was sent from
Possible values:
sandbox, productionlink_session_idstring
An identifier for the Link session these events occurred in
link_tokenstring
The Link token used to create the Link session these events are from
1{2 "webhook_type": "LAYER",3 "webhook_code": "LAYER_AUTHENTICATION_PASSED",4 "environment": "production",5 "link_session_id": "1daca4d5-9a0d-4e85-a2e9-1e905ecaa32e",6 "link_token": "link-sandbox-79e723b0-0e04-4248-8a33-15ceb6828a45"7}