Plaid Access Token

Detects Plaid API credentials: Item access tokens (access-sandbox-/access-production- followed by an RFC 4122 UUID) and, when labelled with Plaid context, the 30-character hex API secret. A leaked access token exposes a user's linked bank account data; a leaked secret compromises the whole Plaid integration.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence for the access-token branch: the [type]-[environment]-[uuid] structure is documented by Plaid's own docs (quickstart glossary) and independently pinned by TruffleHog's production detector and gitleaks. Disclosure: TruffleHog additionally wraps even this distinctive access-token regex in a blanket "plaid" PrefixRegex gate; this pattern diverges by offering a value-only 65 tier because the literal access-sandbox-/access-production- + RFC 4122 UUID structure is self-distinctive, and TruffleHog's wrapper there is its standard detector convention rather than a response to a documented false-positive problem (unlike Square's EAAA detector, which carries an explicit FP comment). The secret branch is deliberately context-gated: a bare 30-character hex string is indistinguishable from other identifiers, so both production scanners gate it on Plaid context; this pattern embeds the label plus an assignment separator (= or :, mirroring gitleaks' assignment-operator requirement) at the regex level, because a label-only gap gate still matched free-standing hex in prose (review regression case).
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories
credentials, security, financial
Scope
narrow
Risk rating
9
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])access-(?:sandbox|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?![A-Za-z0-9_-])

Corroborative evidence keywords

plaid, plaid.com, PLAID_SECRET, PLAID_CLIENT_ID, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References