Plaid Access Token
Detects Plaid API credentials: Item access tokens (access-sandbox-/access-production- followed by an RFC 4122 UUID) and, when labelled with Plaid context, the 30-character hex API secret. A leaked access token exposes a user's linked bank account data; a leaked secret compromises the whole Plaid integration.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence for the access-token branch: the [type]-[environment]-[uuid] structure is documented by Plaid's own docs (quickstart glossary) and independently pinned by TruffleHog's production detector and gitleaks. Disclosure: TruffleHog additionally wraps even this distinctive access-token regex in a blanket "plaid" PrefixRegex gate; this pattern diverges by offering a value-only 65 tier because the literal access-sandbox-/access-production- + RFC 4122 UUID structure is self-distinctive, and TruffleHog's wrapper there is its standard detector convention rather than a response to a documented false-positive problem (unlike Square's EAAA detector, which carries an explicit FP comment). The secret branch is deliberately context-gated: a bare 30-character hex string is indistinguishable from other identifiers, so both production scanners gate it on Plaid context; this pattern embeds the label plus an assignment separator (= or :, mirroring gitleaks' assignment-operator requirement) at the regex level, because a label-only gap gate still matched free-standing hex in prose (review regression case).
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security, financial
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])access-(?:sandbox|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?![A-Za-z0-9_-])
Corroborative evidence keywords
plaid, plaid.com, PLAID_SECRET, PLAID_CLIENT_ID, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
access-production-0123abcd-0123-abcd-0123-0123456789ab— Plaid production Item access token (access-production- + UUID)PLAID_ACCESS_TOKEN=access-sandbox-abcdef01-2345-6789-abcd-ef0123456789— Labelled Plaid sandbox access token in an env assignmentPLAID_SECRET=0123456789abcdef0123456789abcd— Plaid API secret in the canonical PLAID_SECRET env var (label + 30-char hex body)plaid secret: fedcba9876543210fedcba98765432— Plaid label with colon separator followed by a 30-char hex secret
Should not match
plaid_client_secret_field is 0123456789abcdef0123456789abcd— Free-standing 30-hex in prose after an identifier containing "plaid" but no assignment separator (boundary regression case from review)access-development-0123abcd-0123-abcd-0123-0123456789ab— Development environment token (Plaid decommissioned the Development environment on 2024-06-20)access-production-0123abcd-0123-abcd-0123— Truncated UUID (missing the final 12-hex segment)PLAID_CLIENT_ID=0123456789abcdef01234567— Plaid client_id (24-hex public-style identifier, not a secret, deliberately out of scope)rotate the plaid secret before deployment— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- A 30-character hex hash or identifier that happens to appear in a labelled assignment near the word "plaid" (a common English word for the fabric pattern). Mitigation: The secret branch requires label adjacency plus an assignment separator (already enforced by the regex) and corroborative keywords; the brand-name keyword term is case-sensitive (Plaid) to reduce collisions with the common noun.
- Documentation or examples showing placeholder access-sandbox- strings. Mitigation: Require corroborative Plaid keywords and check for placeholder markers (example, xxxx).
- Plaid public tokens, link tokens, and asset-report tokens (public-/link-/asset-report- prefixes) are short-lived, client-side-by-design tokens and are deliberately out of scope; decommissioned access-development- tokens are dead credentials and also excluded. Mitigation: Documented as a scope decision; only durable server-side secrets (access tokens, API secret) are matched.
References
- Plaid docs glossary (token format [type]-[environment]-[uuid], RFC 4122 UUID)
- Plaid Sandbox docs (Development environment decommissioned 2024-06-20)
- TruffleHog production Plaid detector (access-(sandbox|production)-uuid; label-gated 30-hex secret, 24-hex client id)
- gitleaks rules: plaid-api-token, plaid-secret-key, plaid-client-id