public_token.
Your app never sees their statement or login.
1
Your backend creates a request
2
Open the flow in the browser
Script-tag drop-in (any site). The script is first-party — for extra safety
you can pin it with React drop-in (
integrity / crossorigin.npm install @swippee/connect-react):3
Exchange + read the granted data (server)
The consumer manages and revokes every connection from their Vault; a revoke
kills the access token immediately.
Audit your consents
For compliance — proving which customer consents you obtained and how the data was used — read your consent + access trail. Both endpoints are read-only, scoped to your organization, and return consent metadata only: no consumer PII, no tokens. (Reading the granted data is the separateGET /v1/grants/:id/data
above, which additionally requires the access token.)
consumer_id is an opaque identifier — never the consumer’s email, phone, or
name. The access log records each time your app read the granted data.