The aggregation flow will form the overwhelming majority of Plaid’s requests to a partner. Plaid uses periodic, incremental requests to stay synchronized with the institution’s view of an account. The partner can also prompt Plaid to delete or cycle a token whenever it chooses.
Incremental Aggregation Request
For a given user, Plaid achieves aggregation by requesting, periodically or in response to notifications:
- A current view of accounts under the control of the user.
- Identities related to those accounts.
- Recent transaction history.
Partners may unilaterally revoke an access token without first notifying Plaid, although notification is still desirable in the interest of a positive user experience. If any request made by Plaid receives an HTTP status 401 Unauthorized, the token is marked as revoked.
The partner should revoke access tokens when users change their passwords, and should log access attempts bearing revoked tokens.
Partners are able to expire tokens and communicate replacement tokens to Plaid. Token refresh separates the duration of an authorization from the lifetime of a single access token, so the partner can expire access tokens without disrupting the user experience by requiring the user to reauthorize to Plaid.
To communicate a replacement, the partner responds to a request bearing the expired token with HTTP status 205 Reset Content and provides an AuthorizationResponse as the body, where auth_token is the replacement token. The expired token should be preserved, and requests bearing it should be logged, as these may indicate a security breach.
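The two token lifecycle flows above (revocation signalled by 401, rotation signalled by 205 with an AuthorizationResponse body) are shown end to end in the following added example, which is not Plaid's or any partner's code. Both sides are modelled in one process: a hypothetical partner-side token store that revokes on password change, rotates tokens while preserving the expired record, and logs presentations of expired or revoked tokens; and a simplified aggregation client that marks its token revoked on 401 and swaps in the replacement on 205. The class and method names, the token format, and the shape of the 200 payload are assumptions for illustration; only the status codes and the auth_token field come from the text.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenRecord:
    """One issued access token. Records are never deleted, so a token that is
    expired or revoked can still be recognised and its presentation logged."""
    user_id: str
    status: str = "active"              # active | expired | revoked
    replacement: Optional[str] = None   # set when status == "expired"


class PartnerTokenStore:
    """Hypothetical partner-side token store (assumption: in-memory)."""

    def __init__(self) -> None:
        self.tokens: Dict[str, TokenRecord] = {}
        self.log: List[str] = []

    def issue(self, user_id: str) -> str:
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = TokenRecord(user_id)
        return tok

    def revoke_user(self, user_id: str) -> None:
        """Called on password change: revoke every token authorizing this user."""
        for rec in self.tokens.values():
            if rec.user_id == user_id:
                rec.status = "revoked"

    def rotate(self, token: str) -> str:
        """Expire `token` and issue a replacement. The old record is preserved
        (status "expired", pointing at its replacement), not deleted."""
        rec = self.tokens[token]
        new = self.issue(rec.user_id)
        rec.status = "expired"
        rec.replacement = new
        return new

    def handle(self, token: str) -> Tuple[int, Optional[dict]]:
        """Serve one aggregation request bearing `token`.
        Returns (http_status, body)."""
        rec = self.tokens.get(token)
        if rec is None or rec.status == "revoked":
            # Unknown or revoked token: 401 tells Plaid to mark it revoked;
            # the attempt is logged as the text recommends.
            self.log.append(f"revoked/unknown token presented: {token[:8]}...")
            return 401, None
        if rec.status == "expired":
            # 205 Reset Content with an AuthorizationResponse carrying the
            # replacement. Repeated presentations may indicate a breach, so log.
            self.log.append(f"expired token presented: {token[:8]}...")
            return 205, {"auth_token": rec.replacement}
        # Constructed placeholder payload for an active token.
        return 200, {"user_id": rec.user_id, "accounts": []}


class AggregationClient:
    """Simplified Plaid-side handling of the partner's responses (assumption)."""

    def __init__(self, token: str) -> None:
        self.token = token
        self.revoked = False

    def fetch(self, partner: PartnerTokenStore) -> Optional[dict]:
        if self.revoked:
            raise RuntimeError("token revoked; user must reauthorize")
        status, body = partner.handle(self.token)
        if status == 401:
            self.revoked = True          # stop using this token from now on
            return None
        if status == 205:
            self.token = body["auth_token"]   # adopt the replacement token
            status, body = partner.handle(self.token)   # retry with it
        return body if status == 200 else None
```

In practice the partner would key the store on a hash of the token rather than the token itself and would rate-limit or alert on repeated presentations of expired tokens; the example keeps the log list so the behaviour described in the text can be checked directly.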