Verify a redirect-token (ls_token) from the post-Connect callback
Public, unauthenticated endpoint. After a Finicity Connect widget
completes, the integrator’s redirect_url is hit with an
ls_token query parameter — a short-lived HS256 JWT minted by
v3. The integrator’s frontend POSTs that token to this endpoint
to retrieve the canonical connection_id, the original
redirect_url it was bound to, and the client_id.
CORS-enabled so a browser-side integrator page can call this
directly. No API key is required because the token itself is the
capability; its HMAC signature is verified against
V3_REDIRECT_TOKEN_SECRET. Tampered, expired, or missing tokens
return 400.
Body
The opaque ls_token query-string value the Connect widget
appended to your redirect_url. Internally an HS256 JWT
(header {alg:HS256,typ:JWT}; payload includes v=1,
iss=ls-v3, iat, exp, connection_id, redirect_url,
client_id) but integrators should treat it as opaque.
Response
Token was valid; the bound connection metadata is returned.
The originally-bound redirect_url, as registered in the client allowlist.
"https://myapp.example.com/cb"
Connection id the widget session was bound to. Placeholder during pending; canonical after connection.active.
"con_FINICITY_41294"
The Client id the connection belongs to.
"cli_smoke"
