An access_token
is a token used to make API requests related to a specific Item. Access tokens do not expire, although they may require updating. For example, updating is needed when a user changes their password or when working with European institutions that comply with PSD2's 90-day consent window. For more information, see when to use update mode.
If compromised, an access_token
can be revoked via /item/access_token/invalidate
; this endpoint returns a new access_token
and immediately invalidates the previous access_token
. If no longer needed, it can be revoked via /item/remove
.
If, for any reason, an Item ever does need re-authentication, any API call will return the ITEM_LOGIN_REQUIRED
error. To track items that go into this error state, you will want to implement webhooks.