Stitch SSO

4.1. Prerequisites

To proceed with SSO integration, you'll need a Stitch SSO client. You can generate your own client credentials here for local development and testing. This client comes with the important limitation that it can only be used to link test bank accounts.

To create a production client that has full access to the Stitch platform, there are a few prerequisites that we'll need before we can create a client for you.

These are in no particular order:

Redirect URIs

A set of redirect URLs is required to redirect back to your application from the SSO flow. These must be served over HTTPS for non-localhost URLs, and are recommended to be on pages distinct from your main ones to prevent login loops.

The required URLs are:

  • Redirect URL: The URL(s) to redirect to when the SSO flow has been completed successfully.
  • Logout URL: The URL(s) to redirect to when the user is logged out.
  • Reauthorization URL: The URL(s) to redirect to when a user has completed reauthorization of their credentials for a bank, after they have expired.

Localhost may be used for testing purposes. If you're using an OAuth/OpenID library, the library may provide standard redirect URIs.

If you're building a mobile application that uses deeplinks, please ensure that you use a deeplinking format that enforces that you prove ownership of a domain that you control. This prevents linkjacking attacks.

You can view the associated docs on verified mobile deeplinks for Android and iOS here and here respectively.
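The rules above (HTTPS for anything that is not localhost, a verified-domain format rather than a bare custom scheme for mobile deeplinks, and exact matching of whatever you register) can be checked mechanically before you submit your URLs. The following is an added example written for this page, not Stitch's own validation code; the host names, ports and paths are constructed, and the rejection of custom URL schemes reflects the page's requirement to prove domain ownership (HTTPS-based app links) rather than any documented Stitch rule.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Hosts for which plain http:// is acceptable during local development.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(uri: str) -> list[str]:
    """Return the problems found with a redirect URL that is about to be
    registered; an empty list means the URL satisfies the rules."""
    problems: list[str] = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()

    # Custom schemes (myapp://...) do not prove ownership of a domain, so
    # only http/https are accepted; mobile deeplinks should use https app links.
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme '{parts.scheme}' is not http/https")
    if not host:
        problems.append("no host present")
    # Plain http is only tolerated for loopback addresses used in testing.
    if parts.scheme == "http" and host not in LOOPBACK_HOSTS:
        problems.append("http is only allowed for localhost; use https")
    # Wildcards would turn the allow-list into an open redirect.
    if "*" in host:
        problems.append("wildcard hosts are not allowed")
    # OAuth 2.0 redirect URIs must not carry a fragment component.
    if parts.fragment:
        problems.append("fragment components are not allowed")
    return problems


def is_allowed_redirect(candidate: str, registered: set[str]) -> bool:
    """Decide whether a redirect target presented at runtime may be used.
    Exact string comparison against the registered set avoids the classic
    prefix/suffix bypasses (app.example.com.evil.test, /../ path tricks)."""
    return candidate in registered


if __name__ == "__main__":
    # Constructed sample set: one production callback and one local dev URL.
    registered = {
        "https://app.example.com/auth/callback",
        "http://localhost:3000/auth/callback",
    }
    for uri in registered | {"http://app.example.com/auth/callback",
                             "myapp://callback",
                             "https://*.example.com/auth/callback"}:
        print(uri, "->", check_redirect_uri(uri) or "ok")

    for candidate in ("https://app.example.com/auth/callback",
                      "https://app.example.com.evil.test/auth/callback",
                      "https://app.example.com/auth/callback/../open"):
        print(candidate, "allowed:", is_allowed_redirect(candidate, registered))
```

Run the registration check over every URL you intend to submit (redirect, logout and reauthorization URLs alike), and use the exact-match check at the point where your application decides where to send the browser after the SSO flow returns.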

Client Details

The following client details are used to customise the Stitch SSO user experience:

  • The name of the client that'll appear in the SSO user interface
  • A URL that provides users with more information about your service