Why Auth is the foundation of pay-by-bank
Plaid Auth returns account and routing numbers after a user links via Plaid Link—often in under seven seconds for instant flows, per Plaid’s bank verification guide. For lending apply portals and merchant payouts, Auth is the difference between same-day ACH and abandonment on manual micro-deposit flows.
Plaid markets coverage across 12,000+ institutions in the US, Canada, and Europe (Auth product page). For Instant Auth specifically, coverage documentation states roughly 95% of eligible US and Canadian accounts verify instantly via credentials; the remaining ~5% route through database auth, automated micro-deposits, or same-day micro-deposits depending on risk tier and institution metadata.
Auth methods and when each fires
| Method | Timeframe | Best for |
|---|---|---|
| Instant Auth | Instant | Default high-conversion onboarding |
| Instant Match (US) | Instant | User supplies routing/account + credentials |
| Database Auth | Instant | Low/medium risk when instant unavailable |
| Automated micro-deposits | 1–2 days | Institutions without instant path (~1,900 US FIs) |
Query institution capabilities with /institutions/get and include_auth_metadata: true—results land in auth_metadata.supported_methods. Do not hard-code institution lists in your SPA; refresh metadata during Link token creation.
Production BFF pattern
Never exchange public_token in the browser. On your Node BFF:
import { Configuration, PlaidApi, PlaidEnvironments, Products, CountryCode } from "plaid";
const client = new PlaidApi(new Configuration({
basePath: PlaidEnvironments[process.env.PLAID_ENV],
baseOptions: { headers: { "PLAID-CLIENT-ID": process.env.PLAID_CLIENT_ID, "PLAID-SECRET": process.env.PLAID_SECRET } },
}));
export async function mintLinkToken(applicantId: string) {
const { data } = await client.linkTokenCreate({
user: { client_user_id: applicantId },
client_name: "Apply Portal",
products: [Products.Auth],
country_codes: [CountryCode.Us],
language: "en",
webhook: process.env.PLAID_WEBHOOK_URL,
});
return data.link_token;
}
export async function exchangeAndAuth(publicToken: string) {
const { data: ex } = await client.itemPublicTokenExchange({ public_token: publicToken });
const { data: auth } = await client.authGet({ access_token: ex.access_token });
return { accessToken: ex.access_token, itemId: ex.item_id, accounts: auth.accounts, numbers: auth.numbers };
}
Encrypt access_token at rest (KMS/Vault). Log item_id and account_id, never raw account numbers in plaintext logs.
Underwriting integration notes
On Revenued FinTech delivery, Auth pairs with Identity and Transactions: Auth confirms ACH rails, Identity validates owner names, Transactions feed cashflow models. After Auth success, issue an Auth0 merchant session with least-privilege scopes—portal unlock should wait on webhook-confirmed Item health, not client-side Link onSuccess alone.
Fallback UX for the ~5%
When Link surfaces micro-deposit verification, your UI needs a pending verification state with email/SMS nudges and idempotent webhook handlers for AUTH/ITEM events. Automated micro-deposits extend coverage to institutions representing less than 1% of depository accounts where Instant Auth fails—still worth instrumenting as a funnel segment in Datadog.
Processor handoff
Auth integrates with ACH processors (Adyen, Dwolla, Modern Treasury). Normalize account type (checking vs savings) before processor tokenization; mismatches cause NSF and return codes downstream.
Observability KPIs (illustrative)
Track: Link open rate, instant Auth success %, micro-deposit pending drop-off, token exchange P95 latency. Targets from production FinTech programs: >85% instant success among eligible institutions, <400ms BFF exchange P95, 0 duplicate Items per client_user_id per day.
Pitfalls
- Enabling Transactions when Auth alone suffices (consent friction)
- Skipping webhook verification on
ITEM_LOGIN_REQUIRED - Storing access tokens in frontend localStorage
- One global webhook secret across sandbox and production
Support and escalation paths
When Instant Auth fails, surface institution-specific messaging—not generic errors. Log institution_id, error_code, and Link request_id for Plaid support tickets. For micro-deposit pending states, send day-1 and day-2 reminder emails; many abandonments are notification gaps, not user intent.
Related guides on this site
Deep dives: Plaid webhooks idempotency, Identity Match + kyc_check, IDV production guide. Nitin Rachabathuni implements these flows worldwide—contact for freelance, C2H, or audit engagements.
Metrics snapshot
Illustrative Plaid Auth funnel KPIs from production FinTech apply portals—validate against your institution mix.
Architecture flow
Approach comparison
| Approach | Signal | Risk | Best for |
|---|---|---|---|
| Instant Auth | Highest conversion; default flow | Institution-dependent | Pay-by-bank onboarding |
| Automated micro-deposits | Broader FI reach | 1–2 day pending UX | Instant unavailable |
| Manual micro-deposits | Legacy fallback | Highest drop-off | Avoid if possible |
Code sketches
/* Auth get after public token exchange */
const { data: ex } = await client.itemPublicTokenExchange({ public_token });
const { data: auth } = await client.authGet({ access_token: ex.access_token });
const ach = auth.numbers.ach[0];
// ach.account, ach.routing, ach.wire_routing
Official references
Related on this site
Article slug: plaid-auth-instant-verification-production-guide · Engineering notes by Nitin Rachabathuni — MVP in 2 days specialist.
Plaid Identity Match and kyc_check: production identity verification guide
FinTech
Plaid update mode and relink when Item login is required
FinTech
Plaid Auth and Identity for underwriting — production guide
FinTech
Plaid webhooks — verification, idempotency, and FinTech handlers
FinTech
Plaid Hosted Link and EU open banking — implementation guide
FinTech
Plaid Link for underwriting apply portals — production guide
FinTech
