Authentication and Authorization API Reference

The Plaid Authentication API provides a mechanism for integration partners to authenticate user attempts to connect accounts to Plaid apps. Successful authentication will return token-identifier pairs, which Plaid will subsequently use to refer to the user’s accounts. The API provides methods for the partner to refresh access tokens, as well as to revoke tokens unilaterally, and to communicate that revocation to Plaid.

Plaid will present two levels of authentication before requesting resources on behalf of the partner institution customers.

Plaid will present its credentials to the partner institution to confirm that its requests are authentic and originate from Plaid. These parameters are present, and must be verified, on every request:

Additionally, Plaid will only issue requests from pre-arranged IP addresses. The implementer must deny network traffic not originating from these addresses.

If a Plaid Exchange API implementation serves multiple institutions, it will be necessary for the integration to discriminate which institution a Plaid-originating request is targeting. The implementing partner is expected to make user identifiers globally unique across all institutions. A straightforward way to implement this is by prefixing user identifiers with the institution identifier.

Two API methods will communicate a pre-shared institution_id parameter, because they involve initial authentication, before unique user identifiers can be exchanged:

• Authentication API method
• Item Import API method

A unique institution_id should be assigned to each of the institutions that the integration serves, and those values should be shared with Plaid. Plaid will include the institution_id parameter on the above methods so that the integration can distinguish the institution that should be the target of a request.

Plaid will present user credentials in exchange for an access token, which will be presented on subsequent resource requests. The partner institution must validate that the provided access token corresponds to the requested user.

All requests which require per-user authentication will have the following parameters present in the request headers:

Plaid represents authorization at three levels of granularities: per-user, per-application, and per-account. Partner institutions can query and modify a user's authorization state at all granularities using the Authorization API.

An instance of per-user, per-application authorization is called an Item, which can optionally be scoped to individual accounts. For efficiency, Plaid schedules data accesses at the broadest granularity (per-user) and then provisions narrower granularities to Plaid clients. This access model ensures that each application can be given a single, consistent view of a user’s accounts.

Data access and retention

If a partner implementation produces data that Plaid is not authorized to receive or store, Plaid will discard those elements and they will not be stored. This alleviates the burden from an institution to filter its responses by consulting and applying granular access controls. However, the Authorization API enables institutions to develop such filtering capabilities.

The Authorization API provides partner institutions the ability to address authorized ClientApplications and, optionally, accounts on those applications. A ClientApplication contains enough information to create user experiences that provide the names of connected applications, link to the application developer, and describe which data elements are accessible to that application. Optionally, the access can be scoped to individual accounts. The authorization for an entire application, or individual accounts, can be revoked using the API.

Token revocation

If any request, to any endpoint, receives a response with a 401 Unauthorized HTTP status, Plaid will delete the token and mark the associated Item as lacking valid credentials. This will trigger a webhook notifying clients of the state transition, and advise them to prompt the end user to reauthenticate with Plaid. If a request is rejected with 403 Forbidden instead, then Plaid will advise the customer that the Item is locked and the user needs to return to the institution first. Use 405 Not Allowed to indicate that the institution has suspended third-party access to the account, for any reason.

The partner can use 401 Unauthorized to expire tokens when the user has changed their password or closed their account, and 403 Forbidden to indicate that access to the account is suspended. Both conditions will require a user to reauthenticate to the institution.

See the Authenticate User Credentials section for more information.

Token refresh

The partner may respond to any properly authenticated request in the Aggregation Flow with HTTP status code 205 Reset Content using an AuthorizationResponse response body to communicate the new token. Plaid will delete the old token and replace it with the token communicated in the response, then repeat the request.

Once the partner has issued the new token, all requests made with the previous token must receive a 401 Unauthorized response. Partner security policy concerning management of access tokens is outside the scope of this document, but the partner should consider retaining the list of recently deauthorized tokens, as attempts to reuse deauthorized tokens would be indicative of a breach.

The authentication flow has one essential method, Authentication User Credentials, to which credentials are presented. If authentication is successful, the API returns a token and a principal identifier for the user. These are used in all subsequent requests to address and access the user’s authenticated resources.

1{
2  "username": "jane@doe.com",
3  "password": "keepyourpasswordsecret",
4  "institution_id": "ins_1"
5}

1{
2  "user_id": "YRQ8PPaohJ",
3  "auth_token": "1fce3854-0134-44ac-a1e1-d84ed09fec10"
4}

202 Accepted

This response indicates that Plaid must challenge the user according to one of two escalated authentication strategies: knowledge-based authentication (KBA) or one-time passcode. Describing these strategies is beyond the scope of this document, and the partner institution is presumed to understand how to choose the appropriate strategy for its user base.

A 202 Accepted response does not indicate that the presented credentials are correct.

Request orchestration

The next request in the KBA and TOTP authentication flows will be to Validate MFA API method, and in the OTP it will be to Trigger OTP API method. (See the Authorization API Overview to understand the complete sequence.)

In exceptional situations, the flow may fail and be aborted. In that case, the end user may receive an error message and choose to restart the authentication attempt. The partner implementation must not expect the next request to be to this endpoint, because if the user has restarted the authentication flow, the next request would go to the Authentication API method and the implementation should expect a response to this endpoint.

MfaEscalationChallengeType

MfaEscalationChallenge

1{
2  "id": "string",
3  "type": "otp"
4}

MfaEscalationChallengeResponse

1{
2  "user_id": "v5z37MvUF7",
3  "challenge": {
4    "id": "jOSsqir1tc",
5    "type": "kba",
6    "questions": [
7      {
8        "id": "Z9D0iK",
9        "text": "What city were you born in?"
10      },
11      {
12        "id": "ch7SbY",
13        "text": "Where did you go to high school?"
14      },
15      {
16        "id": "36b4Xo",
17        "text": "What is your mother's maiden name?"
18      }
19    ]
20  }
21}

MfaKbaQuestion

1{
2  "id": "string",
3  "text": "string"
4}

MfaTotpEscalationChallenge

1{
2  "type": "otp",
3  "prompt": "Open the XYZ app to receive your code.",
4  "id": "string"
5}

MfaOtpEscalationChallenge

1{
2  "id": "string",
3  "type": "otp",
4  "send_methods": [
5    {
6      "id": "Z9D0iK",
7      "mask": "(***) ***-8653",
8      "type": "sms"
9    },
10    {
11      "id": "36b4Xo",
12      "mask": "j****@p****.com",
13      "type": "email"
14    }
15  ]
16}

MfaOtpSendMethod

1{
2  "id": "string",
3  "mask": "(***) ***-8653",
4  "type": "sms"
5}

OtpSendMethodType

401 Unauthorized

The authentication credentials were rejected.

403 Forbidden

The user’s account is locked, typically due to excessive incorrect authentication attempts. This response will trigger messaging to the user indicating that the account has been temporarily locked, and will advise the user to contact the institution.

405 Not Allowed

This response should be used to indicate that the user’s account is not permitted to participate in aggregation, typically because the user must accept a license or terms of use. This will trigger messaging to the user indicating that the account is not yet authorized for online use, and will direct the user to visit the partner institution’s online portal for further guidance.

Plaid recommends that whatever pending terms or agreements that block this use case be presented to the user immediately upon login.

1{
2  "challenge_id": "jOSsqir1tc",
3  "send_method_id": "Z9D0iK"
4}

200 OK

This response indicates that the send method was acceptable and the partner institution will transmit the passcode to the user. No response body is required.

400 Bad Request

This response indicates that the send method was not acceptable.

Receive and authenticate the user’s response to the escalation challenge. This endpoint receives both KBA responses and (T)OTP passcodes in the form of ValidateChallengeRequest instances.

1{
2  "challenge_id": "jOSsqir1tc"
3}

1{
2  "passcode": "123456",
3  "challenge_id": "jOSsqir1tc"
4}

1{
2  "answers": [
3    {
4      "question_id": "Z9D0iK",
5      "text": "San Francisco"
6    }
7  ],
8  "challenge_id": "jOSsqir1tc"
9}

1{
2  "question_id": "Z9D0iK",
3  "text": "San Francisco"
4}

Plaid Exchange supports user authentication via redirection, utilizing a token exchange protocol compatible with OAuth.

1. The institution registers with Plaid an authentication URL. Plaid will redirect users to this URL to authenticate after they select an institution in Link.
2. Plaid will generate a URL with the following query parameters. institution_id is included to facilitate platforms that support more than one institution. application_id is to identify the Plaid client who is creating a connection.
   • state=<PLAID_GENERATED>
   • response_type=code
   • redirect_uri=<PLAID_GENERATED>
   • client_id=PLAID
   • institution_id=ins_<YOUR_INSTITUTION_ID>
   • application_id=<PLAID_APPLICATION_ID>
   • plaid_trusted_auth_token=<PLAID_GENERATED> (only present for Trusted Auth integrations)
3. The user is subsequently redirected, and completes authentication on the institution's domain. Prior to proceeding with authentication, the institution MUST verify that the redirect_uri query parameter has previously been registered to Plaid. See RFC 6749 Section 3.1.2.2.
   • On success, the institution redirects back to Plaid (via the redirect_uri) with the state and code query parameters. The code query parameter contains the authorization code granted by the institution.
   • On failure, the institution redirects back to Plaid (via the redirect_uri) with a state, error, and optional error_description query parameters.
   • In addition to the standard OAuth error codes, Plaid recommends the following error codes to deliver more granular errors to the consumer:
     • user_denied_access - used when the user has explicitly denied access.
     • user_exited - used when the user has clicked a button to exit the flow without accepting or denying.
   • See RFC 6749 Section 4.1.2
4. Subsequently, Plaid will exchange the supplied authorization code for a persistent access token using this endpoint. On success, this endpoint must return an auth_token as described in Token Management.
   • Plaid will authenticate itself via the X-PLAID-CLIENT-ID and X-PLAID-SECRET headers, as described in Plaid Authentication
   • This endpoint MUST verify Plaid's credentials.
   • The endpoint MAY verify that the request comes from one of Plaid's IP addresses, previously communicated to the financial institution.
   • The endpoint MUST ensure that the supplied authorization code was issued to Plaid.
   • The endpoint MUST ensure that the authorization code is valid.
   • The institution MAY implement a TTL on the authorization code, consistent with OAuth best practices.
   • The institution MUST verify that the redirect_uri is the same one sent in the initial authentication request.

1{
2  "state": "vEPcsYYKyf9iDfZnJZWjtZSJUiLr3JxE",
3  "response_type": "code",
4  "redirect_uri": "https://cdn.plaid.com/link/v2/stable/oauth.html",
5  "client_id": "PLAID",
6  "institution_id": "ins_1",
7  "application_id": "6gXfjEcgqcjTVnUgbTwDF3DTeiQ"
8}

1{
2  "user_id": "YRQ8PPaohJ",
3  "auth_token": "1fce3854-0134-44ac-a1e1-d84ed09fec10"
4}

401 Unauthorized

The response was not accepted. Plaid will assume that the flow should be aborted and will prompt the user to retry.

1{
2  "client_id": "m08CZWsDA8vMDSg2n1IHRJcfzOe",
3  "secret": "0wdBo8AzXz82e7tBZfRlDA8XJwE",
4  "access_token": "access-production-248e9592-ca5f-463a-b4b5-e8d10b6e9e98"
5}

1{
2  "applications": [
3    {
4      "requested_scopes": {
5        "optional_product_access": {
6          "auth": true,
7          "identity": true,
8          "statements": true,
9          "transactions": true
10        },
11        "account_filters": {
12          "loan": [
13            "loan",
14            "loan"
15          ],
16          "investment": [
17            "investment",
18            "investment"
19          ],
20          "depository": [
21            "depository",
22            "depository"
23          ],
24          "credit": [
25            "credit",
26            "credit"
27          ]
28        },
29        "required_product_access": {
30          "auth": true,
31          "identity": true,
32          "statements": true,
33          "transactions": true
34        }
35      },
36      "reason_for_access": "Help users track their account balances",
37      "name": "FtchApp",
38      "created_at": "2000-01-23T04:56:07.000+00:00",
39      "product_data_types": [
40        "ACCOUNT_BALANCE",
41        "ACCOUNT_USER_INFO"
42      ],
43      "logo": "https://example.com/FtchAppLogo.png",
44      "scopes": {
45        "product_access": {
46          "auth": true,
47          "identity": true,
48          "statements": true,
49          "transactions": true
50        },
51        "new_accounts": true,
52        "accounts": [
53          {
54            "unique_id": "unique_id",
55            "authorized": true
56          },
57          {
58            "unique_id": "unique_id",
59            "authorized": true
60          }
61        ]
62      },
63      "application_id": "qPMq5j5FpvUCGk9YZ9qmNX3GZDt",
64      "application_url": "https://example.com"
65    },
66    {
67      "requested_scopes": {
68        "optional_product_access": {
69          "auth": true,
70          "identity": true,
71          "statements": true,
72          "transactions": true
73        },
74        "account_filters": {
75          "loan": [
76            "loan",
77            "loan"
78          ],
79          "investment": [
80            "investment",
81            "investment"
82          ],
83          "depository": [
84            "depository",
85            "depository"
86          ],
87          "credit": [
88            "credit",
89            "credit"
90          ]
91        },
92        "required_product_access": {
93          "auth": true,
94          "identity": true,
95          "statements": true,
96          "transactions": true
97        }
98      },
99      "reason_for_access": "Help users to track their account balances",
100      "name": "FtchApp",
101      "created_at": "2000-01-23T04:56:07.000+00:00",
102      "product_data_types": [
103        "ACCOUNT_BALANCE",
104        "ACCOUNT_USER_INFO"
105      ],
106      "logo": "https://example.com/FtchAppLogo.png",
107      "scopes": {
108        "product_access": {
109          "auth": true,
110          "identity": true,
111          "statements": true,
112          "transactions": true
113        },
114        "new_accounts": true,
115        "accounts": [
116          {
117            "unique_id": "unique_id",
118            "authorized": true
119          },
120          {
121            "unique_id": "unique_id",
122            "authorized": true
123          }
124        ]
125      },
126      "application_id": "qPMq5j5FpvUCGk9YZ9qmNX3GZDt",
127      "application_url": "https://example.com"
128    }
129  ]
130}

400 Bad Request

Data is malformed; the corresponding Item could not be found; or the secret, client_id, or access_token could not be validated.

404 Not Found

No applications could be found for the corresponding Item.

1{
2  "client_id": "m08CZWsDA8vMDSg2n1IHRJcfzOe",
3  "secret": "0wdBo8AzXz82e7tBZfRlDA8XJwE",
4  "user_auth": {
5    "user_id": "6gXfjEcgqcjTVnUgbTwDF3DTeiQ",
6    "auth_token": "E213KdjipES98P95BUCtodphG9D"
7  },
8  "account_ids": [
9    "string"
10  ],
11  "products": [
12    "transactions"
13  ]
14}

1{
2  "access_token": "access-production-c2541188-d26f-4953-985a-b11adcc878b7"
3}

1{
2  "client_id": "m08CZWsDA8vMDSg2n1IHRJcfzOe",
3  "secret": "0wdBo8AzXz82e7tBZfRlDA8XJwE",
4  "user": {
5    "client_user_id": "myuser-1234"
6  },
7  "access_token": "access-production-248e9592-ca5f-463a-b4b5-e8d10b6e9e98",
8  "products": [
9    "auth"
10  ],
11  "cross_app_item_add": {
12    "target_application_token": "application-production-ad1b1305-f43d-41b7-a99f-84003b11b3ab",
13    "foreign_id": "myapp-335e8b1ba75843cab42a81f9f7819396"
14  }
15}

1{
2  "expiration": "2000-01-23T04:56:07.000+00:00",
3  "token": "link-production-b479d0d5-7618-4969-b9ab-458165f8a4f2"
4}

Plaid sends a webhook to the target partner once an Item has been created via the cross-application Item creation flow in Link

1{
2  "client_id": "m08CZWsDA8vMDSg2n1IHRJcfzOe",
3  "secret": "0wdBo8AzXz82e7tBZfRlDA8XJwE",
4  "access_token": "access-production-248e9592-ca5f-463a-b4b5-e8d10b6e9e98",
5  "application_id": "TZ9Bh7PQX6S3ZRRPtq7lv5QFkap"
6}

200 OK

The request is valid and the application was unlinked.

400 Bad Request

Data is malformed or the secret, client_id, or access_token could not be validated. Application is not unlinked.

404 Not Found

Provided application could not be found via its application_id; application is not unlinked.

1{
2  "request_id": "Asfa1gfAdcxIz"
3}

1{
2  "client_id": "m08CZWsDA8vMDSg2n1IHRJcfzOe",
3  "secret": "0wdBo8AzXz82e7tBZfRlDA8XJwE",
4  "application_id": "qPMq5j5FpvUCGk9YZ9qmNX3GZDt"
5}

1{
2  "reason_for_access": "Help users track their account balances",
3  "name": "FtchApp",
4  "created_at": "2000-01-23T04:56:07.000+00:00",
5  "logo": "https://example.com/FtchAppLogo.png",
6  "application_id": "qPMq5j5FpvUCGk9YZ9qmNX3GZDt",
7  "application_url": "https://example.com"
8}