
Inside Deck’s Authentication System: What Developers Need to Know
Whether you're triggering a read job from a payroll provider or pushing a payment to a utility portal, every action starts with trust: who the user is, and what they’re allowed to do.
In this article, we'll look at how Deck's authentication system works, how it scales, and what developers need to know to integrate it cleanly into their product.
API Overview: How Authentication Works at Deck
At its core, Deck’s authentication system is designed to make user-permissioned access both secure and seamless.
Here’s how the flow works:
- Initiate authentication: Your app either embeds Deck Link (a lightweight widget) or uses a Linkless integration to kick off the auth flow.
- User logs into a third-party portal: Credentials are collected securely within Deck’s environment. Deck never stores passwords. The user consents to access.
- Deck verifies credentials and authenticates the session: Behind the scenes, Deck launches a secure, browser-native session with the provider (such as a utility portal, SaaS tool, or payroll system).
- A session is created and linked to your access token: From here, you can initiate read or write jobs via Deck’s API using this credentialed connection.
Developer Tip: All sessions are associated with a unique user_id and provider_id. These two fields form the basis of ongoing job execution and session management.
Best Practices for Managing Tokens, Sessions, and Metadata
While Deck handles most of the complexity under the hood, there are a few best practices for integrating authentication cleanly.
Session Management
- Deck manages authentication sessions internally, including token expiration, credential rotation, and reauthentication triggers.
- If a session becomes invalid (for example, due to a credential change or MFA requirement), Deck automatically surfaces this via a job status webhook.
- You can prompt the user to reconnect with a single call to generate_link_token.
Provider Metadata
- Every connection comes with metadata: provider name, logo, category, and status.
- Use this data to display connected accounts in your UI (for example, “Linked Xero account” or “Connected to ConEdison”).
Pro Tip: For users connecting to multiple providers (utilities, payroll, insurance), organize your logic by source_id to isolate workflows.
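The two sections above describe the app-side bookkeeping an integration needs: one record per (user_id, provider_id) connection carrying the provider metadata, and a handler for the job status webhook that marks a session as needing reconnection and requests a new Link token. The following is an added example, not Deck's SDK or documentation: the webhook body shape, the signature header layout (an HMAC-SHA256 over a timestamp and the raw body), the status names in RECONNECT_STATUSES and the generate_link_token callable are all assumptions made for illustration, so check Deck's API reference for the real contract. What the example does show regardless of those details is the three checks a practitioner wants in front of any webhook that can trigger a user-facing reconnect prompt: a constant-time signature check, a timestamp window against replay, and event-id deduplication so a redelivered webhook does not fire twice.

```python
# Added example (not Deck's own code). Webhook shape, header format and
# status names are ASSUMED for illustration; consult Deck's API reference.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass
class Connection:
    """One Deck connection, keyed by the (user_id, provider_id) pair."""
    user_id: str
    provider_id: str
    provider_name: str      # metadata returned with the connection
    category: str           # e.g. "utility", "payroll" (assumed values)
    status: str = "active"  # app-side state: "active" or "reconnect_required"


class ConnectionRegistry:
    """App-side store of connections plus the webhook event ids already
    processed, so a redelivered webhook cannot trigger a second reconnect."""

    def __init__(self):
        self._conns = {}
        self._seen_events = set()

    def upsert(self, conn):
        self._conns[(conn.user_id, conn.provider_id)] = conn

    def get(self, user_id, provider_id):
        return self._conns.get((user_id, provider_id))

    def for_user(self, user_id):
        # One list per user, grouped by category (utilities, payroll, ...)
        # for a "connected accounts" view.
        return sorted((c for c in self._conns.values() if c.user_id == user_id),
                      key=lambda c: (c.category, c.provider_name))

    def mark_seen(self, event_id):
        """Returns False if this event id was already processed."""
        if event_id in self._seen_events:
            return False
        self._seen_events.add(event_id)
        return True


def verify_webhook_signature(secret, body, sig_header, now=None, tolerance_s=300):
    """ASSUMED header layout: 't=<unix ts>,v1=<hex HMAC-SHA256 of "<ts>.<body>">'.
    Rejects stale timestamps (replay window) and compares in constant time."""
    try:
        parts = dict(p.split("=", 1) for p in sig_header.split(","))
        ts = int(parts["t"])
        given = parts["v1"]
    except (ValueError, KeyError, AttributeError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance_s:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


# Status values that mean the credentialed session is gone (ASSUMED names).
RECONNECT_STATUSES = {"session_invalid", "mfa_required", "credentials_changed"}


def handle_job_status_webhook(registry, secret, body, sig_header, generate_link_token, now=None):
    """Process one job-status webhook. `generate_link_token(user_id=, provider_id=)`
    stands in for the call that asks Deck for a fresh Link token (assumed shape)."""
    if not verify_webhook_signature(secret, body, sig_header, now=now):
        return {"accepted": False, "reason": "bad_signature"}
    event = json.loads(body)
    if not registry.mark_seen(event["event_id"]):
        return {"accepted": True, "duplicate": True}
    conn = registry.get(event["user_id"], event["provider_id"])
    if conn is None:
        return {"accepted": True, "reason": "unknown_connection"}
    if event["status"] in RECONNECT_STATUSES:
        conn.status = "reconnect_required"
        token = generate_link_token(user_id=conn.user_id, provider_id=conn.provider_id)
        return {"accepted": True, "action": "reconnect", "link_token": token}
    return {"accepted": True, "action": "none", "job_status": event["status"]}


def sign_for_demo(secret, body, ts):
    """Constructed helper so the demo can build a valid header offline.
    In production the header comes from the webhook sender, never your app."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def demo():
    """Constructed scenario: one valid delivery, a replay, a forgery, a stale header."""
    registry = ConnectionRegistry()
    registry.upsert(Connection("user_42", "coned", "ConEdison", "utility"))
    registry.upsert(Connection("user_42", "xero", "Xero", "accounting"))
    secret = b"whsec_constructed_example_secret"
    now = 1_700_000_000
    body = json.dumps({"event_id": "evt_1", "user_id": "user_42", "provider_id": "coned",
                       "job_id": "job_1", "status": "session_invalid"}).encode()

    def fake_token(user_id, provider_id):      # stands in for the Deck call
        return f"link_{user_id}_{provider_id}"

    good = sign_for_demo(secret, body, now)
    first = handle_job_status_webhook(registry, secret, body, good, fake_token, now=now)
    replay = handle_job_status_webhook(registry, secret, body, good, fake_token, now=now)
    forged = handle_job_status_webhook(registry, secret, body, f"t={now},v1=00", fake_token, now=now)
    stale = handle_job_status_webhook(registry, secret, body, sign_for_demo(secret, body, now - 3600),
                                      fake_token, now=now)
    return first, replay, forged, stale, registry


if __name__ == "__main__":
    for r in demo()[:4]:
        print(r)
```

Only the first delivery reaches generate_link_token; the replay is acknowledged but ignored, and the forged and stale headers are rejected before the body is parsed. The Xero connection is untouched because the registry isolates state per (user_id, provider_id), which is the point of keeping one record per provider rather than one per user.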
Multi-Factor Authentication (MFA): Handled Natively
MFA is increasingly common across sensitive portals and a major headache for traditional integration methods.
Deck handles MFA within the Link flow, offering support for:
- One-time passwords (SMS, email)
- App-based verification (such as Google Authenticator)
- Security questions and knowledge-based prompts
When MFA is required, the user completes the challenge directly inside the Deck Link experience. Deck handles timing, retries, and error resolution automatically.
SSO: A Real-World Example
Let’s say your platform serves large property managers who authenticate into Yardi Voyager using enterprise SSO.
Here’s how Deck handles this:
- The user initiates the login in Deck Link.
- Deck detects the presence of SSO (via redirect URL or SAML trigger).
- The agent walks through the SSO login flow, including popups, MFA, and redirects, mimicking a human user exactly.
- Once authenticated, the session is preserved and the connection is saved to your user’s account.
- Subsequent jobs such as FetchBalance or MakePayment can be triggered securely without re-authentication.
This approach requires no partnership, no reverse-engineering, and no manual scripting. Deck supports the full front-door login flow, even across complex SSO implementations.
Final Takeaways for Developers
Deck’s authentication system is built for scale, security, and simplicity. While the underlying infrastructure is complex, integrating it into your product is straightforward:
Secure authentication, simplified.
Handling login securely is critical. Deck makes it easy with flexible Link and Linkless flows, always backed by full user consent. Whether you're building a seamless sign-in or managing multiple accounts, we’ve got you covered.
Reliable session management, built in.
Managing sessions and tokens doesn't have to be a headache. Deck provides long-lived access tokens and secure credential storage, so you can maintain access without compromising security. Treat that access token as a secret in its own right: keep it server-side, and out of client code and logs, since anyone holding it can run jobs against the user's connections.
MFA and SSO? Already handled.
Multi-factor authentication and single sign-on are supported natively within our session infrastructure. No extra integration is required; the user completes any MFA or SSO challenge inside the Link flow.
One API, total control.
Running read and write jobs is simple. Call a single API with your token and provider ID to automate access to data, fast, secure, and scalable.