Bank connections are read-only and credential-isolated

Context

Pikt needs account and liability data to track cards, balances, and utilization, but must minimize the trust users extend to it.

Decision

Bank linking goes through Plaid. Login credentials are entered into Plaid's interface and never reach Pikt's servers. Pikt holds only a server-side access token used for read-only account and liability data; it does not move money or initiate transfers. Item re-auth (LOGIN_REQUIRED) is handled via Plaid update-mode without re-collecting credentials.

Consequences

• Pikt never sees or stores bank passwords.
• A compromised access token grants read-only data, not payment capability.
• Stale/disconnected items surface a guided reconnect rather than failing silently.