Plaid API Keys
Service Name: Plaid
Service Description: Plaid is a financial services company that provides a secure way for users to connect their financial accounts to apps and services. It enables applications to connect with users' bank accounts to access financial data for various use cases including account funding, payment processing, lending, financial management, and more.
Service Address: https://plaid.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured in the Plaid Dashboard under team settings.
Secret Access Scope: Grants programmatic access to Plaid's API services, allowing applications to connect to financial institutions, retrieve account and transaction data, process payments, and perform other financial operations.
Secret Revokement URL: https://dashboard.plaid.com/team/keys
Secret Example: access-development-12345678-abcd-efgh-ijkl-1234567890ab
Suspicious Activity Investigation Instructions:
- Review Plaid Dashboard logs for unusual API calls or access patterns
- Check for unexpected increases in API usage or requests from unfamiliar IP addresses
- Monitor for unauthorized connections to new financial institutions
- Review any webhooks or callbacks to unfamiliar endpoints
- Check for data access to accounts that shouldn't be accessed
Mitigation Instructions:
- Log in to the Plaid Dashboard at https://dashboard.plaid.com/
- Navigate to Team Settings > API Keys
- Locate the compromised key and click "Rotate" to invalidate it
- Generate a new API key to replace the compromised one
- Update your application code with the new API key
- Consider implementing additional security measures such as IP restrictions
- Review and update access permissions for team members who have access to
API keys