On your server, receive the public_token from your client after the user completes the Plaid Link flow
POST to /item/public_token/exchange with client_id, secret, and public_token in the request body
Receive access_token and item_id in the response; the access_token is the long-lived credential for this institution connection
Store the access_token and item_id securely in your database associated with the user; never return the access_token to your frontend
Use the item_id to associate Plaid webhooks with the correct user when webhook events arrive
Test the access_token immediately with a lightweight call such as /accounts/get to confirm the item is healthy
Known gotchas
The public_token is single-use and expires shortly after Link completion; exchange it immediately on receipt
access_tokens do not expire but can be invalidated if the user removes the item, the institution de-authorizes it, or you call /item/remove; handle ITEM_LOGIN_REQUIRED errors by re-running Link in update mode
Store access_tokens with the same security level as passwords; exposure allows read access to the linked user's financial institution data
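The steps and gotchas above as one server-side handler. This is an added example, not code from this page or from Plaid. It assumes the Sandbox host, a SQLite table named plaid_items, and a caller-supplied encrypt callable (for instance a KMS or AEAD wrapper); every function name here is hypothetical.

```python
import json
import sqlite3
import urllib.error
import urllib.request

PLAID_BASE = "https://sandbox.plaid.com"  # assumption: Sandbox environment

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS plaid_items (item_id TEXT PRIMARY KEY,"
               " user_id TEXT, access_token_enc BLOB, healthy INTEGER)")
    return db

def plaid_post(path, body):
    """POST JSON to Plaid and return the decoded body, error bodies included."""
    req = urllib.request.Request(PLAID_BASE + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # Plaid reports failures as JSON carrying error_code

def link_item(db, user_id, public_token, client_id, secret, encrypt, post=plaid_post):
    """Exchange a Link public_token, persist the item, return a frontend-safe dict."""
    creds = {"client_id": client_id, "secret": secret}
    res = post("/item/public_token/exchange", {**creds, "public_token": public_token})
    if "error_code" in res:  # token already used or expired: client must rerun Link
        return {"linked": False, "error": res["error_code"]}
    access_token, item_id = res["access_token"], res["item_id"]
    check = post("/accounts/get", {**creds, "access_token": access_token})
    healthy = "error_code" not in check
    # Only ciphertext is persisted; item_id is the key used for webhook routing.
    db.execute("INSERT OR REPLACE INTO plaid_items VALUES (?, ?, ?, ?)",
               (item_id, user_id, encrypt(access_token), int(healthy)))
    db.commit()
    out = {"linked": True, "healthy": healthy}  # no access_token leaves the server
    if not healthy:
        out["error"] = check["error_code"]  # ITEM_LOGIN_REQUIRED: Link update mode
    return out

def user_for_item(db, item_id):
    """Map the item_id on an incoming webhook to the owning user."""
    row = db.execute("SELECT user_id FROM plaid_items WHERE item_id = ?", (item_id,)).fetchone()
    return row[0] if row else None
```

Return the dict from link_item to the browser as-is; the decrypt path belongs only in the server code that calls Plaid.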