A tokenized account number is a secure way to handle sensitive banking information. Instead of using the actual account number, a unique token is generated and used in its place. This token represents the account number without exposing the actual account details, adding an extra layer of security.
In the context of Plaid, when using OAuth with Chase Bank and PNC, these institutions will issue "tokenized" routing and account numbers. These are not the user's actual account and routing numbers. These tokenized numbers should work identically to normal account and routing numbers. The digits returned in the mask field will continue to reflect the actual account number, rather than the tokenized account number.
For this reason, when displaying account numbers to the user to help them identify their account in your UI, always use the mask field returned in the Auth response rather than truncating the account number.
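The following added example (not Plaid's own code) builds UI labels from the `mask` field and flags accounts where truncating the ACH number would show different digits. The field names follow the Auth response (`accounts`, `numbers.ach`, `account_id`, `mask`); the function names and all sample values are constructed for illustration.

```python
# Constructed sample shaped like an Auth response; every value is made up.
SAMPLE_AUTH_RESPONSE = {
    "accounts": [
        {"account_id": "acct-1", "name": "Checking", "mask": "6712"},
        {"account_id": "acct-2", "name": "Savings", "mask": None},
    ],
    "numbers": {
        "ach": [
            # Tokenized number: its trailing digits do not match the mask.
            {"account_id": "acct-1", "account": "4873302169", "routing": "000000000"},
            {"account_id": "acct-2", "account": "5550001234", "routing": "000000000"},
        ]
    },
}


def display_label(account):
    """Build the user-facing label from `name` and `mask` only."""
    name = account.get("name") or "Account"
    mask = account.get("mask")
    # No mask available: show the name alone. Never fall back to
    # slicing the ACH number, which may be tokenized.
    return f"{name} ending in {mask}" if mask else name


def build_account_views(auth_response):
    """Return one view per account, joined to its ACH numbers by account_id."""
    ach_entries = auth_response.get("numbers", {}).get("ach", [])
    ach_by_id = {entry["account_id"]: entry for entry in ach_entries}
    views = []
    for account in auth_response.get("accounts", []):
        ach = ach_by_id.get(account["account_id"])
        mask = account.get("mask")
        # True when the last digits of the ACH number differ from the mask,
        # i.e. a truncated number would not be recognizable to the user.
        mismatch = bool(ach and mask and not ach["account"].endswith(mask))
        views.append({
            "account_id": account["account_id"],
            "label": display_label(account),
            "truncation_would_mislead": mismatch,
        })
    return views
```

The ACH `account` and `routing` values are used only for payment processing here and never reach the label.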
Note that if a user revokes their permissions to your app, the tokenized numbers will continue to work for ACH deposits, but not withdrawals.
Currently, Chase and PNC are the only institutions that issue tokenized account numbers (TANs); however, other institutions may migrate to them in the future.
For more information, you can refer to the Plaid Auth API Reference.