My API is able to link a client's bank account, but is unable to 'unlink' it. The documentation specifies that 3 body params are needed: "client_id", "secret", & "access_token." However, from what I have read an access_token can be linked to MANY accounts. Is there a way to retrieve the access_token associated with a client's client_id & account_ID, and subsequently remove that account while not removing others (if they exist)?
tl;dr: No.
There is currently no way for you as a developer to delete, say, the user's checking account from an Item/access token while keeping access to e.g. the user's savings account at the same bank behind the same login.
That said, I'd be interested in hearing more about your use case -- it's possible that the "Select Account" feature might solve the problem you are looking for, and we're also rolling out some improvements to Select Account soon that might make it work even better for you.
Related
Title says it all. Is it possible to send payments with a Plaid API developer account?
I am using developer account access tokens in Google Sheets and don't have a great way of hiding them. I'm hoping the developer accounts are read only so that if someone hacked me, they wouldn't be able to transfer money out of my accounts if they got a hold of an access_token.
Access tokens should always be stored securely. If an attacker has your access token, as well as your client_id and secret, they can make Plaid API calls on your behalf to get data for a specific Item.
The specific data that can be obtained from an access token depends on what products you are enabled for in Production. If you are enabled for Auth, this would include account number and routing number. This information can be used to request an ACH fund transfer via, e.g., your a website (note that this information is also printed on all checks in your checkbook). Finally, if an ACH transfer was made in this way, you would have grounds to have it reversed for fraud.
So while it might be possible for an attacker to use your access_token in conjunction with other hidden information (your client_id in secret) to get information that they could use to request a funds transfer out of your account, there are a number of hurdles for this attack vector. An attacker would also need your secret (or Plaid login info), and even then they would still only get the information that is present on every check you write, and there is a mechanism in the ACH system to reverse fraudulent transfers.
As per Google Assistant documentation for Smart Home, the agentUserId used in action.devices.QUERY is defined to 'Reflects the unique (and immutable) user ID on the agent's platform. The string is opaque to Google, so if there's an immutable form vs a mutable form on the agent side, use the immutable form (e.g. an account number rather than email)'
However there can be cases where the same device (with same agent user id) is attached to multiple Google Assistant accounts and in such cases a DISCONNECT request may result is ceasing report state for all accounts. The solution will be to add some unique ID corresponding to the Google Assistant account, however such information is not available in any request.
Has anyone seen similar issue and is my understanding incorrect?
The agentUserId is meant to be the user account on the smart home platform. SHP user '1234' may have a vacuum and two lights, but could be linked to multiple Google accounts.
During the account linking process, you would be expected to give a refresh and access tokens to allow for Google to have authorized control over these devices. If you assign unique access tokens for each Google account that signs in, you'd be able to determine which Google account the request is coming from.
At that point, once the user disconnects, you can use the access token in the request header to associate that with a specific Google account and only disable reporting for that account while not affecting other accounts.
So, yes the solution is to have a unique ID connecting to the account. While this is not passed in the agent ID, there is already a mechanism to make this association through the authorization system.
Alternatively, you could append a key in the agentUserId, ie. '1234-user#gmail.com'. However, this may have unintended impacts in the Home Graph. In a multi-user home, you may end up seeing the devices duplicated because Google doesn't have the right information to deduplicate.
Im setting up a Finance app and need to know if the plaid API brings back all transactions for all connected accounts or just the one I am looking at with the access token?
I have tried to loop through to connect the accounts but all of them return the same data
Plaid access tokens work institution wise, unless you enabled the option of account selection in linking process. If you had done so, for example, if the user selected Bank A , and then selected saving account while also having a checking account, you will get only saving account information. Otherwise, you should be able to load all accounts information from the same bank. Some limitations apply as for example credit accounts from a specific bank may not be available to Plaid , then you will have no access to such accounts in both cases.
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.