Auth (2024)

Learn how to authenticate your users in a secure and frictionless micro-deposit flow

The Automated Micro-deposit flow

The Automated Micro-deposits authentication flow is supported for over 1,000 financial institutions in the US only, accounting for approximately <1% of depository accounts.Plaid will make a single micro-deposit and then automatically verify it within one to two business days.

You can try out the Automated Micro-deposits flow in Link Demo. See more details in our testing guide.

A user connects their financial institution using the following connection flow:

Starting on a page in your app, the user clicks an action that opens Plaid Link, with the correctAuth configuration.
Inside of Plaid Link, the user selects their institution, authenticates with their credentials,provides their account and routing number, and enters in their legal name.
Upon successful authentication, Link closes with apublic_token and a metadata account status of pending_automatic_verification.
Behind the scenes, Plaid sends a single micro-deposit to the user's account and will automaticallyverify the deposited amounts within one to two business days.
When verification succeeds or fails, Plaid sends an Auth webhook,which you can use to notify the user that their account is ready to move money. Once this step is done, your user's Auth data is verified and ready to fetch.

Configure & Create a link_token

Create a link_token with the following parameters:

products array containing auth or transfer -- unlike with Same-Day Micro-deposits, you can also include other products besides auth or transfer when creating a Link token for use with Automated Micro-deposits, but auth or transfer must be present.
country_codes set to ['US'] – Micro-deposit verification is currently only available in the United States.
A webhook URL to receive a POST HTTPS request sent from Plaid's servers to your applicationserver, after Automated Micro-deposits succeeds or fails verification of a user's micro-deposits.
auth object should specify "automated_microdeposits_enabled": true

Automated Micro-deposits Configuration

Select Language

1const request: LinkTokenCreateRequest = {
2 user: { client_user_id: new Date().getTime().toString() },
3 client_name: 'Plaid App',
4 products: [Products.Auth],
5 country_codes: [CountryCode.Us],
6 language: 'en',
7 auth: {
8 automated_microdeposits_enabled: true,
9 },
10};
11try {
12 const response = await plaidClient.linkTokenCreate(request);
13 const linkToken = response.data.link_token;
14} catch (error) {
15 // handle error
16}

Initialize Link with a link_token

After creating a link_token for the auth product, use it to initialize Plaid Link.

When the user inputs their username and password, and account and routing numbers for the financial institution,the onSuccess() callback function will return a public_token, with verification_status equal to 'pending_automatic_verification'.

App.js

1const linkHandler = Plaid.create({
2 // Fetch a link_token configured for 'auth' from your app server
3 token: (await $.post('/create_link_token')).link_token,
4 onSuccess: (public_token, metadata) => {
5 // Send the public_token and accounts to your app server
6 $.post('/exchange_public_token', {
7 publicToken: public_token,
8 accounts: metadata.accounts,
9 });
10
11 metadata = {
12 ...,
13 link_session_id: String,
14 institution: { name: 'Bank of the West', institution_id: 'ins_100017' },
15 accounts: [{
16 id: 'vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D',
17 mask: '1234',
18 name: null,
19 type: 'depository',
20 subtype: 'checking' | 'savings',
21 verification_status: 'pending_automatic_verification'
22 }]
23 }
24 },
25 // ...
26});
27
28// Open Link on user-action
29linkHandler.open();

Display a "pending" status in your app

Because Automated verification usually takes between one to two days to complete, we recommend displaying a UIin your app that communicates to a user that verification will occur automatically and is currently pending.

You can use the verification_status key returned in the onSuccess metadata.accounts object oncePlaid Link closes successfully.

Metadata verification_status

1verification_status: 'pending_automatic_verification';

You can also fetch the verification_status for anItem's account via the Plaid API to obtain the latest account status.

Exchange the public token

In your own backend server, call the /item/public_token/exchangeendpoint with the Link public_token received in the onSuccess callback to obtain an access_token.Persist the returned access_token and item_id in your database in relation to the user.

Note that micro-deposits will only be delivered to the ACH network in the Production environment. To test your integration outside of Production, see Testing automated micro-deposits in Sandbox.

Select group for content switcher

Handle Auth webhooks

Before you can call /auth/get to fetch Auth data for a user's access_token, a micro-deposit firstneed to post successfully to the user's bank account. Because Plaid uses Same Day ACH to send asingle micro-deposit amount, this process usually takes between one to two days.

Once the deposit has arrived in the user's account, Plaid will automatically verify the deposittransaction and send an AUTOMATICALLY_VERIFIEDwebhook to confirm the account and routing numbers have been successfully verified.

Attempting to call /auth/get on an unverified access_token will resultin a PRODUCT_NOT_READY error.

Auth AUTOMATICALLY_VERIFIED webhook

1> POST https://your_app_url.com/webhook
2
3{
4 "webhook_type": "AUTH",
5 "webhook_code": "AUTOMATICALLY_VERIFIED",
6 "item_id": "zeWoWyv84xfkGg1w4ox5iQy5k6j75xu8QXMEm",
7 "account_id": "vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D"
8}

Occasionally automatic verification may fail, likely due to erroneous user input, such as an incorrectaccount and routing number pair. If the Item is unable to be verified within seven days, Plaid will senda VERIFICATION_EXPIREDwebhook. When verification fails, the Item is permanently locked; we recommend prompting your user toretry connecting their institution via Link.

Auth VERIFICATION_EXPIRED webhook

1> POST https://your_app_url.com/webhook
2
3{
4 "webhook_type": "AUTH",
5 "webhook_code": "VERIFICATION_EXPIRED",
6 "item_id": "zeWoWyv84xfkGg1w4ox5iQy5k6j75xu8QXMEm",
7 "account_id": "vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D"
8}

If Plaid encounters an ITEM_LOGIN_REQUIRED error during attempted validation, this may mean that Plaid lost access to the user's account after sending this micro-deposit but before being able to verify it. If this occurs, send the user through the update mode flow to re-verify their account.

The example code below shows how to handle AUTOMATICALLY_VERIFIED and VERIFICATION_EXPIRED webhooksand call /auth/get to retrieve account and routing data.

If you are using the Sandbox environment, you can usethe /sandbox/item/set_verification_statusendpoint to test your integration.

Select group for content switcher

Webhook example code

Select Language

Check the account verification status (optional)

In some cases you may want to implement logic to display the verification_status of an Itemthat is pending automated verification in your app. The /accounts/getAPI endpoint allows you to query this information.

Select group for content switcher

Accounts get request

Select Language

1// Fetch the accountID and accessToken from your database
2const accountID = 'vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D';
3const accessToken = 'access-sandbox-5cd6e1b1-1b5b-459d-9284-366e2da89755';
4const request: AccountsGetRequest = {
5 access_token: accessToken,
6};
7const response = await client.accountsGet(request).catch((err) => {
8 // handle error
9});
10const account = response.accounts.find((a) => a.account_id === accountID);
11const verificationStatus = account.verification_status;

Account get response

1{
2 "accounts": [
3 {
4 "account_id": "vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D",
5 "balances": { Object },
6 "mask": "0000",
7 "name": "Plaid Checking",
8 "official_name": "Plaid Gold Checking",
9 "type": "depository"
10 "subtype": "checking" | "savings",
11 "verification_status":
12 "pending_automatic_verification" |
13 "automatically_verified" |
14 "verification_expired",
15 },
16 ...
17 ],
18 "item": { Object },
19 "request_id": String
20}

Fetch Auth data

Finally, we can retrieve Auth data once automated verification has succeeded:

Select group for content switcher

Auth request

Select Language

1const accessToken = 'access-sandbox-5cd6e1b1-1b5b-459d-9284-366e2da89755';
2
3// Instantly fetch Auth numbers
4const request: AuthGetRequest = {
5 access_token: accessToken,
6};
7const response = await client.authGet(request).catch((err) => {
8 // handle error
9});
10const numbers = response.numbers;

Auth response

1{
2 "numbers": {
3 "ach": [
4 {
5 "account_id": "vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D",
6 "account": "9900009606",
7 "routing": "011401533",
8 "wire_routing": "021000021"
9 }
10 ],
11 "eft": [],
12 "international": [],
13 "bacs": []
14 },
15 "accounts": [
16 {
17 "account_id": "vzeNDwK7KQIm4yEog683uElbp9GRLEFXGK98D",
18 "balances": { Object },
19 "mask": "0000",
20 "name": null,
21 "official_name": null,
22 "verification_status": "automatically_verified",
23 "subtype": "checking" | "savings",
24 "type": "depository"
25 }
26 ],
27 "item": { Object },
28 "request_id": "m8MDnv9okwxFNBV"
29}

Check out the /auth/get API reference documentation to see the fullAuth request and response schema.

Handling Link events

For a user who goes through the Automated Micro-deposit flow, the TRANSITION_VIEW (view_name = NUMBERS)event will occur after SUBMIT_CREDENTIALS, and in the onSuccess callback theverification_status will be pending_automatic_verification.

Sample Link events for Automated Micro-deposits flow

1OPEN (view_name = CONSENT)
2TRANSITION_VIEW view_name = SELECT_INSTITUTION)
3SEARCH_INSTITUTION
4SELECT_INSTITUTION
5TRANSITION_VIEW (view_name = CREDENTIAL)
6SUBMIT_CREDENTIALS
7TRANSITION_VIEW (view_name = LOADING)
8TRANSITION_VIEW (view_name = MFA, mfa_type = code)
9SUBMIT_MFA (mfa_type = code)
10TRANSITION_VIEW (view_name = LOADING)
11TRANSITION_VIEW (view_name = SELECT_ACCOUNT)
12TRANSITION_VIEW (view_name = NUMBERS)
13TRANSITION_VIEW (view_name = LOADING)
14TRANSITION_VIEW (view_name = CONNECTED)
15HANDOFF
16onSuccess (verification_status: pending_automatic_verification)

Same Day Micro-deposits

Integrate the manual micro-deposit flow

View guide

Testing in Sandbox

Learn how to test each Auth flow in the Sandbox

View guide

FAQs

What is a good security answer? ›

The answer to a good security question should be obvious. In addition, it should be easy to remember, but at the same time remain secret to others. The answer should be immediately remembered as soon as the user receives the security question.

Read On ›

What are good authentication questions? ›

Good security questions should have answers that are easy for the user to remember but difficult for someone else to guess. For example, questions about personal preferences or experiences can be effective, such as “What is your favorite movie?” or “What was the name of your first pet?”

Discover More Details ›

What are good verification questions? ›

A list of good security questions you could use

What was the name of the boy or the girl you first kissed? ...
Where were you when you had your first kiss? ...
In what city did you meet your spouse/significant other? ...
What is the middle name of your youngest child? ...
What was the name of your first stuffed animal?

More items...

Mar 14, 2023

How to write a security answer? ›

When setting up security questions and answers:

Consider the information you provide on social media (Facebook, Twitter, etc). ...
Choose security questions wisely. ...
Consider coming up with a standard set of lies. ...
Pretend you are someone else when answering the questions.

More items...

See Details ›

What is the security short answer? ›

Security means safety, as well as the measures taken to be safe or protected.

Find Out More ›

What are the three 3 main types of authentication? ›

There are three authentication factors that can be used: something you know, something you have, and something you are. Something you know would be a password, a PIN, or some other personal information.

Tell Me More ›

What is a valid security question? ›

What makes a good security question? The best security questions and answers are safe, memorable, consistent, specific and unpredictable. 1. Safe: Ensure that the answer to your security question is confidential and cannot be easily guessed by others.

Show Me More ›

What are two main security questions? ›

There are two main types of security questions:

User-defined questions let users choose a question from a set list that they would like to provide an answer to. ...
System-defined questions are based on information that the service provider already knows about the user (e.g., address or date of birth).

Mar 4, 2021

Explore More ›

What is security question hint? ›

A security question is form of shared secret used as an authenticator. It is commonly used by banks, cable companies and wireless providers as an extra security layer.

What is a confirming question example? ›

Confirming questions also enable the prospect to clarify or restate anything that may not have been clearly described. Most important, confirming questions validate shared understanding. Examples of confirming sales questions include: Let me play back what I have heard…

Show Me More ›

What is a security answer? ›

Security Question & Answer means an answer used to verify the identity of a User when the User resets the User's Compliant Password. Sample 1.

Read The Full Story ›

What is the most common authentication? ›

Password authentication

The most common form of authentication. In this case, you need to match one credential to access the system online. You can come up with passwords in the form of letters, numbers, or special characters.

See Details ›

What is the simplest authentication method? ›

HTTP Basic authentication is a simple authentication method for the client to provide a username and a password when making a request. This is the simplest possible way to enforce access control as it doesn't require cookies, sessions or anything else.

Get More Info Here ›

What is the strongest authentication? ›

Most Secure: Hardware Keys

Source. External hardware keys, like Yubikeys, are among the strongest authentication factors available. Also called FIDO keys, they generate a cryptographically secure MFA authentication code at the push of a button.

What is the security meaning answer? ›

: the quality or state of being secure: such as. a. : freedom from danger : safety. b. : freedom from fear or anxiety.

What does good security mean? ›

freedom from danger, risk, etc.; safety. 2. freedom from care, anxiety, or doubt; well-founded confidence. 3. something that secures or makes safe; protection; defense.

View Details ›

What are the 4 basic of security? ›

The four basic layers of physical security are design, control, detection, and identification. For each of these layers, there are different options that can be utilized for security. Physical security design refers to any structure that can be built or installed to deter, impede, or stop an attack from occurring.