User endpoints
API reference for User tokens
This page covers API endpoints related to user tokens, which are used by Plaid Check and Income, as well as by the Multi-Item Link flow.
| Endpoints | |
|---|---|
/user/create | Create a user ID and token |
/user/update | Update user data or enable an existing user token for Plaid Check |
/user/remove | Remove the user and their associated Items |
/user/items/get | Return Items associated with a user |
| See also | |
|---|---|
/sandbox/user/reset_login | Force user into an error state for testing |
/user/create
Create user
This endpoint should be called for each of your end users before they begin a Plaid Check or Income flow, or a Multi-Item Link flow. This provides you a single token to access all data associated with the user. You should only create one per end user.
The consumer_report_user_identity object must be present in order to create a Plaid Check Consumer Report for a user. If it is not provided during the /user/create call, it can be added later by calling /user/update. Plaid Check Consumer Reports can only be created for US-based users; the user's address country must be US.
If you call the endpoint multiple times with the same client_user_id, the first creation call will succeed and the rest will fail with an error message indicating that the user has been created for the given client_user_id.
Ensure that you store the user_token along with your user's identifier in your database, as it is not possible to retrieve a previously created user_token.
Request fields
client_idstring
Your Plaid API
client_id. The client_id is required and may be provided either in the PLAID-CLIENT-ID header or as part of a request body.secretstring
Your Plaid API
secret. The secret is required and may be provided either in the PLAID-SECRET header or as part of a request body.client_user_idrequiredstring
A unique ID representing the end user. Maximum of 128 characters. Typically this will be a user ID number from your application. Personally identifiable information, such as an email address or phone number, should not be used in the
client_user_id.Max length:
128 Min length:
1 consumer_report_userobject
To create a Plaid Check Consumer Report for a user, this field must be present on the user token. If this field is not provided during user token creation, you can add it to the user later by calling
/user/update. Once the field has been added to the user, you will be able to call /link/token/create with a non-empty consumer_report_permissible_purpose (which will automatically create a Plaid Check Consumer Report), or call /cra/check_report/create for that user.first_namerequiredstring
The user's first name
last_namerequiredstring
The user's last name
phone_numbersrequired[string]
The user's phone number, in E.164 format: +{countrycode}{number}. For example: "+14157452130". Phone numbers provided in other formats will be parsed on a best-effort basis. Phone number input is validated against valid number ranges; number strings that do not match a real-world phone numbering scheme may cause the request to fail, even in the Sandbox test environment.
emailsrequired[string]
The user's emails
ssn_fullstring
The user's full social security number. This field should only be provided by lenders intending to share the resulting consumer report with a Government-Sponsored Enterprise (GSE), such as Fannie Mae or Freddie Mac.
Format: "ddd-dd-dddd"
Format: "ddd-dd-dddd"
ssn_last_4string
The last 4 digits of the user's social security number.
Max length:
4 Min length:
4 date_of_birthrequiredstring
To be provided in the format "yyyy-mm-dd".
This field is required for all Plaid Check customers.
Format:
date primary_addressrequiredobject
Data about the components comprising an address.
cityrequiredstring
The full city name
regionrequiredstring
The region or state. In API versions 2018-05-22 and earlier, this field is called
state.
Example: "NC"streetrequiredstring
The full street address
Example:
"564 Main Street, APT 15"postal_coderequiredstring
The postal code. In API versions 2018-05-22 and earlier, this field is called
zip.countryrequiredstring
The ISO 3166-1 alpha-2 country code
/user/create
const request = {
client_user_id: 'c0e2c4ee-b763-4af5-cfe9-46a46bce883d',
consumer_report_user_identity: {
first_name: "Carmen",
last_name: "Berzatto",
phone_numbers: ["+13125551212"],
emails: ["carmy@example.com", "bear@example.com"],
ssn_last_4: "1234",
date_of_birth: "1987-01-31",
primary_address: {
city: "Chicago",
region: "IL",
street: "3200 W Armitage Ave",
postal_code: "60657",
country: "US"
}
}
};
try {
const response = await client.userCreate(request);
} catch (error) {
// handle error
}
Response fields
user_tokenstring
The user token associated with the User data is being requested for.
user_idstring
The Plaid
user_id of the User associated with this webhook, warning, or error.request_idstring
A unique identifier for the request, which can be used for troubleshooting. This identifier, like all Plaid identifiers, is case sensitive.
Response Object
{
"user_token": "user-sandbox-b0e2c4ee-a763-4df5-bfe9-46a46bce993d",
"user_id": "wz666MBjYWTp2PDzzggYhM6oWWmBb",
"request_id": "Aim3b"
}/user/update
Update user information
This endpoint is used to update user information associated with an existing user_token. It can also be used to enable an existing user_token for use with Consumer Reports by Plaid Check, by adding a consumer_report_user_identity object to the user. Plaid Check Consumer Reports can only be created for US-based users; the user's address country must be US.
Request fields
client_idstring
Your Plaid API
client_id. The client_id is required and may be provided either in the PLAID-CLIENT-ID header or as part of a request body.secretstring
Your Plaid API
secret. The secret is required and may be provided either in the PLAID-SECRET header or as part of a request body.user_tokenstring
The user token associated with the User data is being requested for.
consumer_report_userobject
To create a Plaid Check Consumer Report for a user, this field must be present on the user token. If this field is not provided during user token creation, you can add it to the user later by calling
/user/update. Once the field has been added to the user, you will be able to call /link/token/create with a non-empty consumer_report_permissible_purpose (which will automatically create a Plaid Check Consumer Report), or call /cra/check_report/create for that user.first_namerequiredstring
The user's first name
last_namerequiredstring
The user's last name
phone_numbersrequired[string]
The user's phone number, in E.164 format: +{countrycode}{number}. For example: "+14157452130". Phone numbers provided in other formats will be parsed on a best-effort basis. Phone number input is validated against valid number ranges; number strings that do not match a real-world phone numbering scheme may cause the request to fail, even in the Sandbox test environment.
emailsrequired[string]
The user's emails
ssn_fullstring
The user's full social security number. This field should only be provided by lenders intending to share the resulting consumer report with a Government-Sponsored Enterprise (GSE), such as Fannie Mae or Freddie Mac.
Format: "ddd-dd-dddd"
Format: "ddd-dd-dddd"
ssn_last_4string
The last 4 digits of the user's social security number.
Max length:
4 Min length:
4 date_of_birthrequiredstring
To be provided in the format "yyyy-mm-dd".
This field is required for all Plaid Check customers.
Format:
date primary_addressrequiredobject
Data about the components comprising an address.
cityrequiredstring
The full city name
regionrequiredstring
The region or state. In API versions 2018-05-22 and earlier, this field is called
state.
Example: "NC"streetrequiredstring
The full street address
Example:
"564 Main Street, APT 15"postal_coderequiredstring
The postal code. In API versions 2018-05-22 and earlier, this field is called
zip.countryrequiredstring
The ISO 3166-1 alpha-2 country code
user_idstring
A unique
user_id generated by Plaid for the client-provided client_user_id. This field is currently in beta./user/update
const request = {
user_token: 'user-environment-12345678-abcd-4bcd-abcd-1234567890ab',
consumer_report_user_identity: {
first_name: "Carmen",
last_name: "Berzatto",
phone_numbers: ["+13125551212"],
emails: ["carmy@example.com", "bear@example.com"],
ssn_last_4: "1234",
date_of_birth: "1987-01-31",
primary_address: {
city: "Chicago",
region: "IL",
street: "3200 W Armitage Ave",
postal_code: "60657",
country: "US"
}
}
};
try {
const response = await client.userUpdate(request);
} catch (error) {
// handle error
}
Response fields
request_idstring
A unique identifier for the request, which can be used for troubleshooting. This identifier, like all Plaid identifiers, is case sensitive.
Response Object
{
"request_id": "Aim3b"
}/user/remove
Remove user
/user/remove deletes a user token and and associated information, including any Items associated with the token.
Any subsequent calls to retrieve information using the same user token will result in an error stating the user does not exist.
If a user is created for a given client_user_id using /user/create and that user is then deleted with /user/remove, the client_user_id cannot be reused for another /user/create request.
Request fields
client_idstring
Your Plaid API
client_id. The client_id is required and may be provided either in the PLAID-CLIENT-ID header or as part of a request body.secretstring
Your Plaid API
secret. The secret is required and may be provided either in the PLAID-SECRET header or as part of a request body.user_tokenstring
The user token associated with the User data is being requested for.
user_idstring
A unique
user_id generated by Plaid for the client-provided client_user_id. This field is currently in beta./user/remove
const request = {
user_token: 'user-environment-12345678-abcd-4bcd-abcd-1234567890ab'
};
try {
const response = await client.userRemove(request);
} catch (error) {
// handle error
}
Response fields
request_idstring
A unique identifier for the request, which can be used for troubleshooting. This identifier, like all Plaid identifiers, is case sensitive.
Response Object
{
"request_id": "Aim3b"
}/user/items/get
Get Items associated with a User
Returns Items associated with a User along with their corresponding statuses.
Request fields
client_idstring
Your Plaid API
client_id. The client_id is required and may be provided either in the PLAID-CLIENT-ID header or as part of a request body.secretstring
Your Plaid API
secret. The secret is required and may be provided either in the PLAID-SECRET header or as part of a request body.user_tokenrequiredstring
The user token associated with the User data is being requested for.
/user/items/get
const request = {
user_token: 'user-environment-12345678-abcd-4bcd-abcd-1234567890ab'
};
try {
const response = await client.userItemsGetRequest(request);
} catch (error) {
// handle error
}
Response fields
items[object]
item_idstring
The Plaid Item ID. The
item_id is always unique; linking the same account at the same institution twice will result in two Items with different item_id values. Like all Plaid identifiers, the item_id is case-sensitive.institution_idnullablestring
The Plaid Institution ID associated with the Item. Field is
null for Items created without an institution connection, such as Items created via Same Day Micro-deposits.institution_namenullablestring
The name of the institution associated with the Item. Field is
null for Items created without an institution connection, such as Items created via Same Day Micro-deposits.webhooknullablestring
The URL registered to receive webhooks for the Item.
auth_methodnullablestring
The method used to populate Auth data for the Item. This field is only populated for Items that have had Auth numbers data set on at least one of its accounts, and will be
null otherwise. For info about the various flows, see our Auth coverage documentation.INSTANT_AUTH: The Item's Auth data was provided directly by the user's institution connection.INSTANT_MATCH: The Item's Auth data was provided via the Instant Match fallback flow.AUTOMATED_MICRODEPOSITS: The Item's Auth data was provided via the Automated Micro-deposits flow.SAME_DAY_MICRODEPOSITS: The Item's Auth data was provided via the Same Day Micro-deposits flow.INSTANT_MICRODEPOSITS: The Item's Auth data was provided via the Instant Micro-deposits flow.DATABASE_MATCH: The Item's Auth data was provided via the Database Match flow.DATABASE_INSIGHTS: The Item's Auth data was provided via the Database Insights flow.TRANSFER_MIGRATED: The Item's Auth data was provided via /transfer/migrate_account.INVESTMENTS_FALLBACK: The Item's Auth data for Investments Move was provided via a fallback flow.Possible values:
INSTANT_AUTH, INSTANT_MATCH, AUTOMATED_MICRODEPOSITS, SAME_DAY_MICRODEPOSITS, INSTANT_MICRODEPOSITS, DATABASE_MATCH, DATABASE_INSIGHTS, TRANSFER_MIGRATED, INVESTMENTS_FALLBACK, nullerrornullableobject
Errors are identified by
error_code and categorized by error_type. Use these in preference to HTTP status codes to identify and handle specific errors. HTTP status codes are set and provide the broadest categorization of errors: 4xx codes are for developer- or user-related errors, and 5xx codes are for Plaid-related errors, and the status will be 2xx in non-error cases. An Item with a non-null error object will only be part of an API response when calling /item/get to view Item status. Otherwise, error fields will be null if no error has occurred; if an error has occurred, an error code will be returned instead.error_typestring
A broad categorization of the error. Safe for programmatic use.
Possible values:
INVALID_REQUEST, INVALID_RESULT, INVALID_INPUT, INSTITUTION_ERROR, RATE_LIMIT_EXCEEDED, API_ERROR, ITEM_ERROR, ASSET_REPORT_ERROR, RECAPTCHA_ERROR, OAUTH_ERROR, PAYMENT_ERROR, BANK_TRANSFER_ERROR, INCOME_VERIFICATION_ERROR, MICRODEPOSITS_ERROR, SANDBOX_ERROR, PARTNER_ERROR, SIGNAL_ERROR, TRANSACTIONS_ERROR, TRANSACTION_ERROR, TRANSFER_ERROR, CHECK_REPORT_ERROR, CONSUMER_REPORT_ERROR, USER_ERRORerror_codestring
The particular error code. Safe for programmatic use.
error_code_reasonnullablestring
The specific reason for the error code. Currently, reasons are only supported OAuth-based item errors;
Possible values:
null will be returned otherwise. Safe for programmatic use.Possible values:
OAUTH_INVALID_TOKEN: The user’s OAuth connection to this institution has been invalidated.OAUTH_CONSENT_EXPIRED: The user's access consent for this OAuth connection to this institution has expired.OAUTH_USER_REVOKED: The user’s OAuth connection to this institution is invalid because the user revoked their connection.error_messagestring
A developer-friendly representation of the error code. This may change over time and is not safe for programmatic use.
display_messagenullablestring
A user-friendly representation of the error code.
This may change over time and is not safe for programmatic use.
null if the error is not related to user action.This may change over time and is not safe for programmatic use.
request_idstring
A unique ID identifying the request, to be used for troubleshooting purposes. This field will be omitted in errors provided by webhooks.
causesarray
In this product, a request can pertain to more than one Item. If an error is returned for such a request,
causes will return an array of errors containing a breakdown of these errors on the individual Item level, if any can be identified.causes will be provided for the error_type ASSET_REPORT_ERROR or CHECK_REPORT_ERROR. causes will also not be populated inside an error nested within a warning object.statusnullableinteger
The HTTP status code associated with the error. This will only be returned in the response body when the error information is provided via a webhook.
documentation_urlstring
The URL of a Plaid documentation page with more information about the error
suggested_actionnullablestring
Suggested steps for resolving the error
available_products[string]
A list of products available for the Item that have not yet been accessed. The contents of this array will be mutually exclusive with
billed_products.Possible values:
assets, auth, balance, balance_plus, beacon, identity, identity_match, investments, investments_auth, liabilities, payment_initiation, identity_verification, transactions, credit_details, income, income_verification, standing_orders, transfer, employment, recurring_transactions, transactions_refresh, signal, statements, processor_payments, processor_identity, profile, cra_base_report, cra_income_insights, cra_partner_insights, cra_network_insights, cra_cashflow_insights, cra_monitoring, cra_lend_score, layer, pay_by_bank, protect_linked_bankbilled_products[string]
A list of products that have been billed for the Item. The contents of this array will be mutually exclusive with
available_products. Note - billed_products is populated in all environments but only requests in Production are billed. Also note that products that are billed on a pay-per-call basis rather than a pay-per-Item basis, such as balance, will not appear here.Possible values:
assets, auth, balance, balance_plus, beacon, identity, identity_match, investments, investments_auth, liabilities, payment_initiation, identity_verification, transactions, credit_details, income, income_verification, standing_orders, transfer, employment, recurring_transactions, transactions_refresh, signal, statements, processor_payments, processor_identity, profile, cra_base_report, cra_income_insights, cra_partner_insights, cra_network_insights, cra_cashflow_insights, cra_monitoring, cra_lend_score, layer, pay_by_bank, protect_linked_bankproducts[string]
A list of products added to the Item. In almost all cases, this will be the same as the
billed_products field. For some products, it is possible for the product to be added to an Item but not yet billed (e.g. Assets, before /asset_report/create has been called, or Auth or Identity when added as Optional Products but before their endpoints have been called), in which case the product may appear in products but not in billed_products.Possible values:
assets, auth, balance, balance_plus, beacon, identity, identity_match, investments, investments_auth, liabilities, payment_initiation, identity_verification, transactions, credit_details, income, income_verification, standing_orders, transfer, employment, recurring_transactions, transactions_refresh, signal, statements, processor_payments, processor_identity, profile, cra_base_report, cra_income_insights, cra_partner_insights, cra_network_insights, cra_cashflow_insights, cra_monitoring, cra_lend_score, layer, pay_by_bank, protect_linked_bankconsented_products[string]
A list of products that the user has consented to for the Item via Data Transparency Messaging. This will consist of all products where both of the following are true: the user has consented to the required data scopes for that product and you have Production access for that product.
Possible values:
assets, auth, balance, balance_plus, beacon, identity, identity_match, investments, investments_auth, liabilities, transactions, income, income_verification, transfer, employment, recurring_transactions, signal, statements, processor_payments, processor_identity, cra_base_report, cra_income_insights, cra_lend_score, cra_partner_insights, cra_cashflow_insights, cra_monitoring, layerconsent_expirationnullablestring
The date and time at which the Item's access consent will expire, in ISO 8601 format. If the Item does not have consent expiration scheduled, this field will be
null. Currently, only institutions in Europe and a small number of institutions in the US have expiring consent. For a list of US institutions that currently expire consent, see the OAuth Guide.Format:
date-time update_typestring
Indicates whether an Item requires user interaction to be updated, which can be the case for Items with some forms of two-factor authentication.
background - Item can be updated in the backgrounduser_present_required - Item requires user interaction to be updatedPossible values:
background, user_present_requiredrequest_idstring
A unique identifier for the request, which can be used for troubleshooting. This identifier, like all Plaid identifiers, is case sensitive.
Response Object
{
"items": [
{
"available_products": [
"balance",
"auth"
],
"billed_products": [
"identity",
"transactions"
],
"error": null,
"institution_id": "ins_109508",
"institution_name": "First Platypus Bank",
"item_id": "Ed6bjNrDLJfGvZWwnkQlfxwoNz54B5C97ejBr",
"update_type": "background",
"webhook": "https://plaid.com/example/hook",
"consent_expiration_time": null
},
{
"available_products": [
"balance",
"identity",
"payment_initiation",
"transactions"
],
"billed_products": [
"assets",
"auth"
],
"error": null,
"institution_id": "ins_109508",
"institution_name": "First Platypus Bank",
"item_id": "DWVAAPWq4RHGlEaNyGKRTAnPLaEmo8Cvq7na6",
"update_type": "background",
"webhook": "https://plaid.com/example/hook",
"consent_expiration_time": null
}
],
"request_id": "m8MDnv9okwxFNBV"
}