Plaid Link is a new way to integrate with the Plaid API. It is a drop-in module that offers a secure, elegant authentication flow for each institution that Plaid supports. The module handles input validation, error handling, and multi-factor authentication flows.
Plaid Link supports most modern desktop and mobile browsers - detailed information can be found in the browser support section.
Check out the demo to see it in action! You can test out sandbox
credentials (username: plaid_test, password: plaid_good) or your own
bank account credentials. Source code for the demo app can be found
here.
Read on for a complete getting started guide or jump straight to either the API reference or explore some sample apps.
- Table of contents
- Glossary
- Getting started
- Updating existing user accounts
- Reference
- Security
- Browser support
- Expansion
- Support
Most Plaid API calls involve three pieces of information: a client_id,
secret, and an access_token. All three of these are considered private
information - they are not meant to be shared or hard coded directly into an
app or site. This poses a problem for Plaid Link, as a user will be
onboarding directly in the browser.
To address this, Plaid client accounts now have an additional identifier:
a public_key.
- the
public_keysimply associates users that onboard through Plaid Link with yourclient_idandsecret - the
public_keycannot be used to make authenticated Plaid API calls (i.e. retrieving account and routing numbers for a user)
Once a user has successfully onboarded via Plaid Link, the module will
provide a public_token. This is in contrast to typical Plaid API requests,
which return an access_token.
The public_token:
- is safe to expose in an app or browser
- cannot be used to retrieve account and routing numbers (for auth) or transactions (for connect) directly
- can be exchanged for a Plaid
access_tokenvia the/exchange_tokenendpoint.
The getting started guide below covers illustrates how to
use your public_key to get up and running with Plaid Link. The guide also
covers how to exchange a public_token for a access_token.
There are two different integrations:
- Simple: The simple integration provides a
customizable "Link your Bank Account" button and handles submitting a Plaid
public_tokento a server endpoint that you specify. - Custom: The custom integration lets you
trigger the Plaid Link module via client-side Javascript. You specify your own
callback function to be called with the
public_tokenonce a user has authenticated.
Your public_key is available from the Plaid dashboard:
Your public_key is a less privileged version of your client_id and
secret. It simply associates accounts you create using Plaid Link with
your client_id. All Plaid API requests must be made using your private
client_id and secret.
Include the following markup (the <form> and <script> tags) in your site
or web application:
<!-- A hidden input named public_token will be appended to this form
once the user has completed the Link flow. Link will then submit the
form, sending the public_token to your server. -->
<form id="some-id" method="GET" action="?"></form>
<script
src="https://cdn.plaid.com/link/stable/link-initialize.js"
data-client-name="Client Name"
data-form-id="some-id"
data-key="test_key"
data-product="auth"
data-env="tartan">
</script>See the parameter reference for complete documentation on possible configurations.
The injected "Link your Bank Account" button has the ID plaid-link-button
and can be styled with CSS:
#plaid-link-button {
border: 10px solid pink;
}The custom integration allows you to decide, with a few lines of client-side Javascript, when the module is triggered. You can trigger the "Institution Select" view or trigger a particular institution's credentials form. See below:
<script src="https://cdn.plaid.com/link/stable/link-initialize.js"></script>
<script>
var linkHandler = Plaid.create({
env: 'tartan',
clientName: 'Client Name',
key: 'test_key',
product: 'auth',
onLoad: function() {
// The Link module finished loading.
},
onSuccess: function(public_token) {
// Send your public_token to your app server here.
},
onExit: function() {
// The user exited the Link flow.
},
});
// Trigger the BofA login view
document.getElementById('bofaButton').onclick = function() {
linkHandler.open('bofa');
};
// Trigger the standard institution select view
document.getElementById('linkButton').onclick = function() {
linkHandler.open();
};
</script>See the parameter reference for complete documentation on possible configurations.
Plaid.create accepts one argument, a configuration Object, and returns an Object with
one function, open, and one property, institutions. open accepts either no arguments or an optional institution type.
If no argument is provided, the "Institution Select" view is opened. If a valid institution type
is provided, the login form for that particular institution is opened.
The exposed institutions property is an Array of Objects in the form:
[{name: 'Bank of America', type: 'bofa', auth: true, connect: true}, ...]The institutions property will be populated with all supported institutions for a given product. That is, the list of institutions
will be different for auth and connect. Use the institutions property to dynamically generate a list of supported
institutions for your Link integration - by doing so, your app will support new institutions and products automatically.
The Link module handles the entire onboarding flow securely and quickly but does
not actually retrieve account or transaction data for a user. Instead, the Link
module returns a public_token that is safe to expose in the browser.
This public_token must be exchanged for a Plaid access_token using the
/exchange_token API endpoint. To do so, you must
add a server side handler. A sample node.js server-side handler is provided
below - full application samples can be found in the
/examples
directory of this repository.
With the simple integration, the public_token
will be appended to the form specified by data-form-id as a hidden input.
This form will be automatically submitted once a user has completed onboarding.
With the custom integration, the callback
you specified in Plaid.create will be called with one argument, the
public_token. It is your responsibility to send it to your app server.
In the example above, the form some-id had action="/authenticate". So
we'll add a /authenticate route to our server side code that expects a
POST request with a field named public_token in the request body. We'll
then use that public_token along with our private client_id and secret
to retrieve a Plaid access_token (via the
/exchange_token endpoint). This access_token
should be saved in a database and used to retrieve account and transaction
data.
Below is a sample server-side handler using Express and the plaid-node library:
var express = require('express');
var plaid = require('plaid');
var app = express();
var plaidClient =
new plaid.Client(process.env.PLAID_CLIENT_ID, process.env.PLAID_SECRET, plaid.environments.tartan);
app.post('/authenticate', function(req, res) {
var public_token = req.body.public_token;
// Exchange a public_token for a Plaid access_token
plaidClient.exchangeToken(public_token, function(err, res) {
if (err != null) {
// Handle error!
} else {
// This is your Plaid access token - store it somewhere persistent
// The access_token can be used to make Plaid API calls to retrieve
// accounts and transactions
var access_token = res.access_token;
plaidClient.getAuthUser(access_token, function(err, res) {
if (err != null) {
// Handle error!
} else {
// An array of accounts for this user, containing account names,
// balances, and account and routing numbers.
var accounts = res.accounts;
// Return account data
res.json({
accounts: accounts,
});
}
});
}
});
});The Link module has a sandbox mode that works with the Plaid API sandbox.
To enable the sandbox, set data-key or key to test_key (for simple and
custom integrations, respectively). This lets you see the flow for each
individual institution Plaid supports, including the multi-factor
authentication process when applicable.
For simple integrations:
<form id="some-id" method="POST" action="/authenticate"></form>
<script
src="https://cdn.plaid.com/link/stable/link-initialize.js"
data-client-name="Client Name"
data-form-id="some-id"
data-key="test_key"
data-product="auth"
data-env="tartan">
</script>For custom integrations:
<button id="plaidLinkButton">Open Plaid Link</button>
<script src="https://cdn.plaid.com/link/stable/link-initialize.js"></script>
<script>
var sandboxHandler = Plaid.create({
env: 'tartan',
clientName: 'Client Name',
key: 'test_key',
product: 'auth',
onSuccess: function(public_token) {
console.log(public_token);
},
});
document.getElementById('plaidLinkButton').onclick = function() {
// Trigger the "Institution Select" view
sandboxHandler.open();
};
</script>If you are having trouble using the module in sandbox mode, check the developer console in your browser for error messages.
When a user changes their username, password, or MFA credentials with a financial institution or is locked out of their account, they must update their credentials with Plaid as well.
Link's update mode makes this process secure and painless and is available in both the simple and custom integrations.
To use update mode, initialize Link with the public_token for the user
you wish to update.
For the simple integration add the data-token attribute as follows:
<!-- A hidden input named public_token will be appended to this form
once the user has completed the Link flow. Link will then submit the
form, sending the new public_token to your server. -->
<form id="some-id" method="GET" action="?"></form>
<script
src="https://cdn.plaid.com/link/stable/link-initialize.js"
data-client-name="Client Name"
data-form-id="some-id"
data-key="test_key"
data-product="auth"
data-env="tartan"
data-token="test,chase,connected">
</script>The custom initalizer takes a similarly-named token added to the parameter hash:
<script src="https://cdn.plaid.com/link/stable/link-initialize.js"></script>
<script>
var linkHandler = Plaid.create({
env: 'tartan',
clientName: 'Client Name',
key: 'test_key',
product: 'auth',
token: 'test,chase,connected',
onLoad: function() {
// The Link module finished loading.
},
onSuccess: function(public_token) {
// Send the newly updated public_token to your app server here.
},
onExit: function() {
// The user exited the Link flow.
},
});
// Trigger the authentication view
document.getElementById('linkButton').onclick = function() {
linkHandler.open();
};
</script>Link will jump directly to the login view for the appropriate institution when in update mode.
Note that for custom integrations calling Link with an institution will not work as usual:
linkHandler.open('chase');
Instead it will function identically to:
linkHandler.open();
This is because the user's public token is associated with a particular institution and it does not make sense to open another institution's authentication.
For update mode a suitable sandbox public token can be generated by inserting
the desired institution type into the string
test,{institution_type},connected.
For example:
test,chase,connected
test,usaa,connected
test,wells,connected
The /exchange_token endpoint is available in both the tartan
(https://tartan.plaid.com) and production (https://api.plaid.com) environments.
| Method | Endpoint | Required Parameters |
|---|---|---|
| POST | /exchange_token |
client_id, secret, public_token |
The /exchange_token endpoint has already been integrated into the
plaid-node,
plaid-go, plaid-ruby,
and plaid-python client libraries. Support for plaid-java is coming soon.
If you are working with a library that does not yet support the
/exchange_token endpoint you can simply make a standard HTTP request:
$ curl -X POST https://tartan.plaid.com/exchange_token \
> -d client_id="$plaid_client_id" \
> -d secret="$plaid_secret" \
> -d public_token="$public_token_from_plaid_link_module"For a valid request, the API will return a JSON response similar to:
{
"access_token": "foobar_plaid_access_token"
}For possible error codes, see the full listing of Plaid error codes.
| Parameter | Required? | Description |
|---|---|---|
data-client-name |
required | Displayed once a user has successfully linked their account. |
data-form-id |
required | The DOM ID associated with form that the Link module will append the public_key to as a hidden input and submit when a user completes the onboarding flow. |
data-product |
required | The Plaid product you wish to use, either "auth" or "connect". |
data-key |
required | The public_key associated with your account; available form the dashboard. |
data-env |
required | The Plaid API environment on which to create user accounts.,For development and testing, use "tartan". For production use, use "production". Note: all "production" requests are billed. |
data-webhook |
optional | Specify a webhook to associate with a user. |
data-token |
optional | Specify an existing user's public token to launch Link in update mode. This will cause Link to open directly to the authentication step for that user's institutiton. |
| Parameter | Required? | Description |
|---|---|---|
clientName |
required | Displayed once a user has successfully linked their account. |
product |
required | The Plaid product you wish to use, either "auth" or "connect". |
key |
required | The public_key associated with your account; available form the dashboard. |
env |
required | The Plaid API environment on which to create user accounts.,For development and testing, use "tartan". For production use, use "production". Note: all "production" requests are billed. |
onSuccess |
required | A function that is called when a user has successfully onboarded their account. The function should expect one argument, the public_key. |
onExit |
optional | A function that is called when a user has specifically exited the Link flow. |
onLoad |
optional | A function that is called when the Link module has finished loading. Calls to plaidLinkHandler.open() prior to the onLoad callback will be delayed until the module is fully loaded. |
webhook |
optional | Specify a webhook to associate with a user. |
token |
optional | Specify an existing user's public token to launch Link in update mode. This will cause Link to open directly to the authentication step for that user's institutiton. |
All data sent to Plaid is encrypted using a secure HTTPS connection with our servers. While you can use the module on a non-HTTPS site (all data sent to Plaid operates in an entirely different context and connection), we strongly recommend using HTTPS at all times.
More information about Plaid's security policies and practices can be found on our website.
| Browser | Supported? |
|---|---|
 |
Fully supported |
 |
Fully supported |
 |
Fully supported |
 10 |
Fully supported |
| 9 |
Fully supported Note: You must host the Link module on a HTTPS site for compatability due to IE9 security restrictions. |
| 8 |
Not supported |
Modern mobile browsers are supported, including most iPhone and Android devices. If you encounter any inconsistencies, open an issue.
Plaid Link is currently a web-only integration. Plaid Link will offer native iOS and Android bindings in the coming months.
For most matters, open an issue.
If you would rather keep the request private, please contact [email protected].
client_id or secret in any issue or
support request. :)