Products Docs Pricing About us
Log in

Articles in this section

Consumers revoking access through my.plaid.com and consumer support

In order to enable consumers to more easily manage who has access to their financial data, Plaid provides a solution on my.plaid.com where access to their data can be changed or removed. A consumer can revoke access in one of two ways: 

  1. The consumer logs in to my.plaid.com and removes one or multiple applications’ access to their banking data.
  2. The consumer requests Plaid’s deletion of their data and/or revokes consent for access, removing access from all Plaid-connected applications with which the consumer had previously authenticated.

In the case of #1 above, Plaid will immediately remove data access from the application(s) in question and depermission theItem. In the case of #2 above, Plaid will delete data about that consumer from Plaid-controlled environments, except in certain circumstances, such as to retain data for auditing purposes or to comply with a legal obligation. In both these cases, Plaid will stop billing for any recurring products associated with the Items where access has been revoked.

Webhook behavior

Plaid makes sure you’re aware when a consumer takes either of the above two actions by sending an Item webhook with the webhook code, USER_PERMISSION_REVOKED:

{
  "webhook_type": "ITEM",
  "webhook_code": "USER_PERMISSION_REVOKED",
  "item_id": "wz666MBjYWTp2PDzzggYhM6oWWmBb",
  "error": {
      "error_code": "USER_PERMISSION_REVOKED",
      "error_message": "the holder of this account has revoked their permission for your application to access it",
      "error_type": "ITEM_ERROR",
      "status": 400
  }
}

API behavior

Future API requests for anItem that was depermissioned or deleted will return an Item error with error code, ITEM_NOT_FOUND:

{
   "error_type": "ITEM_ERROR",
   "http_code": 400,
   "error_code": Enum (
       "ITEM_NOT_FOUND"
   )
   "error_message": String
   "display_message": nullable String,
   "request_id": String
}

Because data depermissioning or deletion will result in Plaid’s removal of the access_token from our systems, we recommend that you launch a new instance of Plaid Link and create new Items for returning consumers who had previously depermissioned access.

Was this article helpful?