I'm tring to ach transfer from prime trust with plaid. I'm able to generate access token and public token and processocer token from plaid but when I try to call
https://sandbox.primetrust.com/v2/funds-transfer-methods
i'm getting
public does not have access to funds_transfer_methods
postman screenshot
Is your Plaid account enabled for the integration? You don't mention doing that step, but Prime Trust needs to be set to on on the integrations page.
Related
I want to get the latest balances of accounts every time the user opens the page in our system. in order to do that, I need a public_token to request for access token and load accounts balance, but I couldn't find how to generate a public token without Link initialization. is there a way?
No, this is not possible except in the Sandbox test environment. Note that once you have an access token, you can save and re-use it for future calls.
Title says it all. Is it possible to send payments with a Plaid API developer account?
I am using developer account access tokens in Google Sheets and don't have a great way of hiding them. I'm hoping the developer accounts are read only so that if someone hacked me, they wouldn't be able to transfer money out of my accounts if they got a hold of an access_token.
Access tokens should always be stored securely. If an attacker has your access token, as well as your client_id and secret, they can make Plaid API calls on your behalf to get data for a specific Item.
The specific data that can be obtained from an access token depends on what products you are enabled for in Production. If you are enabled for Auth, this would include account number and routing number. This information can be used to request an ACH fund transfer via, e.g., your a website (note that this information is also printed on all checks in your checkbook). Finally, if an ACH transfer was made in this way, you would have grounds to have it reversed for fraud.
So while it might be possible for an attacker to use your access_token in conjunction with other hidden information (your client_id in secret) to get information that they could use to request a funds transfer out of your account, there are a number of hurdles for this attack vector. An attacker would also need your secret (or Plaid login info), and even then they would still only get the information that is present on every check you write, and there is a mechanism in the ACH system to reverse fraudulent transfers.
We are working on a serverless document manager using AWS.
Is it possible to integrate DocuSign embed-UI (link below) with JWT token by just using Lambda & other serverless components via Node.js?
https://developers.docusign.com/docs/esign-rest-api/how-to/embed-ui/
Or is there any Angular JS solution that we can integrate completely on the frontend?
I think your question is:
Single page app front end (React / Angular / etc) with a serverless backend (AWS Lambda)
How to authenticate with DocuSign so the signing ceremony can be shown on the front end?
The signers on the front end do not have DocuSign accounts--as signers they don't need such accounts.
Answer
Because of issues 2 and 3, JWT grant is the way to go. The overall application will impersonate a system user such as doc_manager#example.com. That system user will be used to obtain the embedded signing ceremony URL from the DocuSign API.
Can JWT grant be managed by Lambda functions?
I haven't tried, but I think it should work ok:
When a Lambda func needs a DocuSign access token it would look in stable storage for an access token that hasn't expired (a database or other storage that is maintained across Lambda invocations). Access tokens from JWT grant last an hour.
If an access token is available, it is used. END
If an access token is not available or expired, the Lambda would initiate the JWT grant flow. That takes a couple of seconds.
The resulting access token is stored in the stable storage and is used by the function to call the DocuSign API. END
Notes:
If the app will be using multiple DocuSign user accounts, then the app will maintain multiple access tokens, one per impersonated user/account.
Don't create a new access token unless the old one is near (within 10 minutes) its expiration or has expired. There are limits on the number of outstanding access tokens, plus the JWT grant flow is slow.
Since the access tokens represent user access, safeguard them appropriately!
The front end
When the URL for the DocuSign signing ceremony is received from the back end, either redirect the browser to the URL, or open a new tab to the URL. Don't use an iFrame.
In our service, we offer Google Sign-In alongside email/password sign in, and need to know when a user loses access to their Google account so we can disable an integration.
Without forcing the user to re-authenticate with Google Sign-In, how can we detect when they lose access to their connected Google account?
The approach that I am thinking through my search is
obtain access_token and refresh_token through OAuth 2.0 authentication when user signs in on our service with Google Sign-In, save them in our database
periodically, make request to https://www.googleapis.com/oauth2/v3/userinfo using saved access_token (we will get an error if user's google account is closed)
if access_token is expired, retrieve another one using refresh_token, then re-try step 2
Is this the right approach or is there a better way to achieve what we want?
Google OAuth 2.0 Tokens expire in 3,600 seconds. They are valid until they are revoked or expired.
When you request the access token, make note of the expiration time in your database and consider the token valid until expiration.
The other option is to continue validating the access token on every request which takes more time than it is usually worth.
Google does not have a callback mechanism to notify you of expiration or revoking of a token.
I'm trining to create live stream on youtube using google API. Now it working only when I use oauth authorisation. When I use API key authorisation I get authorisation error (login required)
When I use oauth authorisation - it require to enter confirmation code each time I create new translation. Is it possible to use "liveStreams->insert" method of API with authorisation that does not require entering of confirmation code?
From what you are writing it appears to me that you haven't understood the concept of OAuth and when to use OAuth vs an API key.
Try to think about it this way: You, as a person, have a Google account. This Google account is not the same as your YouTube account (or, as it is more commonly refered to, your YouTube channel). But your Google account is associated with your YouTube channel (of which you can have multiple). Because you are logged in to your Google account and your channel and Google account are linked, the YouTube website knows who you are and gives you access to your channel.
Now you head over to the Google Cloud Console. Here you create a project, which is very similar to a YouTube account in the sense that it, too, is an independent account which in this case represents your app, but is linked to your Google account so the Cloud Console website knows to give you access to the project as long as you are logged-in to your Google account.
HOWEVER, your YouTube account is not linked to your Cloud Console project. When you make an API request with an API key, the API does not see you as in "your Google account", but rather your apps's Cloud Console Project. That's why with an API key, you can only access publicly available data (everything you could "see" when you browse YouTube while not being logged-in).
So, in order for an application to read private channel information or modify channel information, the API needs verification that whoever makes that request is actually allowed to do that. This is where OAuth comes into play.
When you say you have to provide the confirmation code for each request, I think you don't save the access token and refresh token. I highly recommend you read Using OAuth 2.0 to Access Google APIs and Obtaining authorization credentials over on Google Developers to help get you started.