Menu
I'm adding a Plaid client to my java desktop software. The problem is I don't see any way to have it talk directly to the Plaid server without needing to embed the secret within the app. Is there a way for my app to talk directly to Plaid without needing to know and send the secret string for every request?
A primary goal is to avoid ever having customer financial data on my server, even if it is only in transit.
My server could handle the link token creation, and maybe access token exchange, and then provide those tokens to the client app. My hope was that the client_id and access_token would be enough for the app to perform subsequent exchanges directly with Plaid's server, but alas the secret is required for every message.
An alternate solution would be if all request bodies could be public-key encrypted and then proxied through my server which verified the client and added the secret as an http header. I haven't found any reference to this ability in the current or upcoming/beta API.
This must have been done before, so any hints as to how to handle this scenario is appreciated!
574
The solution you're describing sounds like it would work -- it doesn't seem like specific capabilities to support this need to be built into the API to make it work, unless I'm missing something?
Depending on your use case, you might also consider what financial data you are avoiding having on your server and why and simply not requesting that data. For example, Auth endpoints can be used with Plaid partners via a processor token, which allows you to avoid ever touching actual account and routing number data.
71
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
