I am trying to understand the lifetime of a Plaid access_token (returned by /connect and used to /connect/get) as well as the Plaid _user and _item fields of an account. The _user field is undocumented, and the _item field, according to the documentation, is "An id unique to the accounts of a particular access token." (https://www.plaid.com/docs/#connect)
My guess from the setup is that:
An _item is used to universally identify a set of accounts with the same login (e.g. Wells Fargo debit and credit accounts linked together) regardless of the client accessing the accounts' data. An _item's lifetime never ends.
An access_token is generated by Plaid for a (client_id, _item) pair and grants the client_id access to accounts associated with _item. If the user owning the accounts changes his login information, or if Plaid revokes access to the client_id, the access_token becomes useless and a new one needs to be generated in the same way.
A _user universally identifies a person who may own multiple sets of accounts, each identified by an _item. I am unsure as to what guarantees Plaid gives with regard to the accuracy of this field (in other words, does Plaid guarantee that two _user's are equal if and only if the respective persons they refer to are the same?)
How correct is my understanding? Thank you very much!
Plaid access_tokens are valid indefinitely or until a user is removed from Plaid using a DELETE request. If the underlying user's login information is changed, the existing access_token will actually remain valid; however, it will require a PATCH request to update the user's login information accordingly.
You are correct that the _item is the highest level identifier for multiple accounts that are all attached to the same set of credentials at a given financial institution. As such, the _item is unique to a single access_token.
_user is a deprecated field that is no longer returned by the API.