My external account is disconnected.

Vault.Bank does not assume responsibility for the expiration of tokens managed by external institutions. Each institution determines the duration and validity period of its tokens. Vault.Bank is not liable for this process and cannot influence the token policies implemented by external institutions for established connections.

Important context: There’s no single lifetime for tokens. Linking flows use multiple tokens with different lifetimes based on risk and regulations.


1) What “linking an external account” means in token terms

Linking a bank account for transfers requires two key capabilities:

  1. Permission to access account data (verify ownership, balances, routing info) via OAuth or consent tokens.
  2. Payment credential (tokenized bank account or stored record) accepted by payment rails, which may expire or be revoked.

Tokens keep apps from storing user credentials and allow access to be scoped, time-limited, auditable, and revocable.


2) Typical token chain in a “link + transfer” flow

A. Session/init token (very short-lived)

Providers issue a one-time “start linking” token to begin a secure bank-linking session.

  • Example (Plaid): link_token expires in ~4 hours for new links, ~30 minutes for updates, configurable in hosted flows.

Why so short? It’s a launch key; short expiry limits misuse if leaked.


B. Exchange token (short-lived, one-time)

After user consent, the UI returns a temporary token that the server exchanges for a longer-lived credential.

  • Plaid returns a public_token to exchange for an access_token.

Why short-lived? It crosses client-server boundaries; short life reduces interception risk and keeps real credentials server-side.


C. Data access token (medium/long-lived, revocable)

Used by apps to call APIs for account info or identity verification.

In OAuth, this is an access token scoped for limited permissions, avoiding sharing user passwords.

  • Typically short-lived (minutes to hours) to minimize risk.
  • Long lifetimes increase exposure if leaked.

Why used? Bearer tokens allow resource servers to validate access without passwords, with scoped permissions and revocation.


D. Refresh token / re-consent (longer-lived)

To avoid repeated logins, systems use refresh tokens to get new short-lived access tokens.

OAuth defines refresh tokens for this purpose; OWASP calls this the model of short-lived access tokens + refresh tokens.

Duration? Varies by issuer; many rotate refresh tokens for security.

Why? Keeps links active (e.g., recurring transfers) without re-authentication, while keeping access tokens short-lived.


E. Payment credential token (may expire)

For moving money, an additional “payment-ready” token is needed.

  • Example (Stripe Financial Connections): tokenized account numbers (TANs) that can expire or be revoked, requiring relinking.

Why expire? To reduce fraud risk from long-term use; institutions revoke due to policy, security, or account changes.


3) Common token lifetimes

Think of short-lived tokens for starting or using access, and longer-lived tokens for renewing access.

Very short-lived (minutes to hours)

  • Link/session tokens (e.g., Plaid link_token): 30 minutes to 4 hours, configurable.
  • One-time exchange tokens (e.g., public tokens): used immediately, not stored long-term.

Why? Reduce risk if intercepted, since exposed client-side.


Short-lived (minutes to hours, sometimes a day)

  • OAuth access tokens: kept short to limit damage if leaked.

Why? Minimize impact and enable meaningful revocation.


Longer-lived (days to months)

  • Refresh tokens: vary widely, often rotated for security.

Why? Better user experience without constant logins, while keeping access tokens short.


4) Why tokens are used for linking accounts and transferring funds

1) They avoid storing bank credentials

OAuth tokens let apps access limited data without user passwords, lowering breach and phishing risks.

2) They scope permissions

Tokens limit access to specific accounts, data types, or actions (read-only vs payments).

3) They allow revocation and recovery

Linked accounts can be disabled by events like password or MFA changes; relinking restores or renews access.

4) Short expirations reduce damage from leaks

Bearer tokens grant power to whoever holds them; short lifetimes limit exposure.

 

 

Reference No. 50618976320531
Still have questions? Contact Vault Bank Support