Skip to main content
RapidDev - Software Development Agency
bubble-integrationsBubble API Connector

Yodlee

Connecting Bubble to Yodlee requires a two-tier token system: an admin cobSession token for account management and a per-user userSession token for financial data requests — both must be present on every API call. Backend Workflows on a paid Bubble plan handle token minting, user registration, and bank-account linking via Yodlee's FastLink widget. Production access requires a commercial agreement with Yodlee/Envestnet.

What you'll learn

  • How Yodlee's two-tier token model (cobSession + userSession) works and why both headers must be present on every financial data API call
  • How to build Backend Workflows in Bubble that mint and auto-refresh cobSession and userSession tokens every 25 minutes
  • How to register new Yodlee users from within a Bubble workflow using the cobSession token
  • How to open FastLink — Yodlee's hosted bank-linking widget — from a Bubble popup or external URL action
  • How to retrieve and store accounts and transactions in Bubble's database after FastLink completes, then display them in Repeating Groups
  • Why Backend Workflows are essential and why this integration is incompatible with Bubble's free plan
  • How to use Yodlee Sandbox test users (Dag Sites) to verify the full flow before applying for Production access
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Advanced21 min read4–6 hoursFinance & AccountingLast updated July 2026RapidDev Engineering Team
TL;DR

Connecting Bubble to Yodlee requires a two-tier token system: an admin cobSession token for account management and a per-user userSession token for financial data requests — both must be present on every API call. Backend Workflows on a paid Bubble plan handle token minting, user registration, and bank-account linking via Yodlee's FastLink widget. Production access requires a commercial agreement with Yodlee/Envestnet.

Quick facts about this guide
FactValue
ToolYodlee
CategoryFinance & Accounting
MethodBubble API Connector
DifficultyAdvanced
Time required4–6 hours
Last updatedJuly 2026

Yodlee on Bubble: The Two-Token Architecture Explained

Yodlee is architecturally more complex than any other financial API you will integrate with Bubble. Unlike Plaid — which issues a single item-level access token after the user completes Link — Yodlee uses two concurrent credential tiers that must both be active for every financial data request.

The first tier is the cobSession: an admin-level token you mint using your cobrand login and cobrand password (Yodlee's term for your developer API credentials). It identifies your platform to Yodlee and expires approximately every 30 minutes.

The second tier is the userSession: a per-user token minted using the cobSession as a credential, identifying a specific end user registered in your Yodlee account. It also expires every 30 minutes.

Every call to a Yodlee financial data endpoint — GET /accounts, GET /transactions, GET /holdings — must carry both tokens simultaneously as custom request headers. Supplying only the cobSession returns a permission error by design; it is Yodlee's security model, not a bug.

FastLink, Yodlee's hosted bank-linking widget, is mandatory for the account-linking step. You cannot build your own bank login screen. Instead, you mint a special FastLink access token using a Backend Workflow, then open a Yodlee-hosted URL in a Bubble popup or external window, passing the token as a URL parameter. After the user links their bank account, FastLink redirects or sends a postMessage back to your app, and you trigger a Backend Workflow to fetch and store the newly linked account data.

Production access is not self-serve. You must apply for and sign a commercial agreement with Yodlee/Envestnet before going live. Sandbox access is free at developer.yodlee.com and includes pre-configured test users and test institutions ('Dag Sites') so you can develop and test the full flow.

Because of the heavy Backend Workflow requirements, this integration is entirely incompatible with Bubble's free plan. You will need at minimum a paid Bubble plan before you can build anything beyond static UI.

Integration method

Bubble API Connector

Bubble API Connector for financial data reads, plus Backend Workflows for two-tier token management (cobSession + userSession) and FastLink bank-linking widget delivery.

Prerequisites

  • A Bubble account on a paid plan — Backend Workflows (API Workflows) are required for token management and are not available on Bubble's free plan
  • A Yodlee developer account registered at developer.yodlee.com — free Sandbox access is available; Production requires a commercial agreement with Yodlee/Envestnet
  • Your Yodlee Sandbox cobrand login (username) and cobrand password — provided by Yodlee after registration
  • Basic familiarity with Bubble's API Connector plugin and Backend Workflow (API Workflow) section
  • Understanding that FastLink is Yodlee's required bank-linking interface — you will open a Yodlee-hosted URL, not build your own bank login UI
  • A test plan for Sandbox development using Yodlee's pre-configured 'Dag Sites' test institutions

Step-by-step guide

1

Store Cobrand Credentials and Install API Connector

Before touching the API Connector, you need a safe place to store your Yodlee cobrand credentials. These are your platform-level API credentials — the cobrand login and cobrand password — that you received when you registered at developer.yodlee.com. In Bubble, go to your Data tab and create a new Data type called 'YodleeConfig' (or 'AppSettings' if you already have one). Add two fields: 'cobrand_login' (Text) and 'cobrand_password' (Text). Mark both fields as Private in your Privacy rules so they are never exposed to end users. Create one record in this table manually using Bubble's database editor and populate both fields with your Sandbox credentials. Alternatively, you can store the cobrand password as an API Connector shared header value with the Private checkbox enabled — this prevents it from appearing in Bubble's editor to anyone who isn't the app owner. Now install the API Connector. Go to Plugins tab → Add plugins → search for 'API Connector' (by Bubble) → Install. Once installed, click 'Add another API', name it 'Yodlee', and set the Base URL to your Sandbox endpoint: https://sandbox.api.yodlee.com/ysl Add two shared headers that will be populated dynamically at call time: - 'cobSession' — set value to a parameter placeholder like [cobSession], enable the Private checkbox - 'userSession' — set value to [userSession], enable the Private checkbox At this stage you are not hardcoding the token values (they change every 30 minutes). Instead, each API call will supply the current token values as parameters fetched from the Bubble database. Save your API configuration. You now have the foundation to add individual API calls in later steps.

yodlee-api-connector-config.json
1{
2 "base_url": "https://sandbox.api.yodlee.com/ysl",
3 "shared_headers": [
4 {
5 "key": "cobSession",
6 "value": "[cobSession]",
7 "private": true
8 },
9 {
10 "key": "userSession",
11 "value": "[userSession]",
12 "private": true
13 }
14 ]
15}

Pro tip: Set Accept: application/json as a third shared header — Yodlee returns JSON when this header is present. Some endpoints return XML otherwise, which Bubble cannot automatically parse.

Expected result: The API Connector shows 'Yodlee' in your API list with two Private shared headers. No calls are defined yet — those come in the next steps.

2

Build the 'Mint Admin Token' Backend Workflow

The cobSession token is the foundation of all Yodlee API access. It authenticates your platform (not individual users) and must be refreshed every ~30 minutes. You will build a Backend Workflow that mints a new cobSession and stores it in your Bubble database. First, add the cobSession minting API call to your Yodlee API Connector. Click your 'Yodlee' API → Add a call → name it 'Mint CobSession'. Set Method to POST and Path to /cobrand/login. Important: this call uses form-encoded body (not JSON). Set body type to 'Form' and add these fields: - cobrand.cobrandLogin: [cobrand_login] (make this a parameter) - cobrand.cobrandPassword: [cobrand_password] (make this a parameter) Do NOT include the shared cobSession or userSession headers in this specific call — they don't exist yet at the time this call runs. You may need to override the shared headers to empty strings for this call. Click 'Initialize call' and supply your actual Sandbox cobrand login and password as parameter values. A successful response returns a JSON with cobrandConversationCredentials.sessionToken — this is your cobSession value. Now go to Backend Workflows (in your Bubble editor, enable API Workflows under Settings → API → 'This app exposes a Workflow API'). Create a new Backend Workflow named 'Yodlee_MintCobSession'. Add a 'Call API' step using your new 'Mint CobSession' call, passing the cobrand credentials from your YodleeConfig data record. Add a second step: 'Make changes to a thing' — update your YodleeConfig record, set a 'cob_session_token' Text field to the API response's cobrandConversationCredentials.sessionToken, and set 'cob_session_created_at' to Current date/time. Schedule this Backend Workflow to run automatically every 25 minutes using Bubble's 'Schedule API workflow' with a recurring event — this ensures the cobSession never expires mid-user-session. Note: scheduled recurring Backend Workflows require a paid Bubble plan.

yodlee-mint-cobsession.json
1POST /cobrand/login
2Content-Type: application/x-www-form-urlencoded
3
4cobrand.cobrandLogin=your_cobrand_login
5&cobrand.cobrandPassword=your_cobrand_password
6
7// Successful response:
8{
9 "cobrandConversationCredentials": {
10 "sessionToken": "08_....LONG_TOKEN_STRING....",
11 "locale": "en_US"
12 },
13 "applicationId": "your-app-id"
14}

Pro tip: Store 'cob_session_created_at' in your database alongside the token. In any workflow that uses the cobSession, check if Current date/time is more than 25 minutes after cob_session_created_at — if so, trigger Yodlee_MintCobSession before proceeding.

Expected result: After running the Backend Workflow manually (via the Run button in Bubble's Backend Workflows editor), your YodleeConfig record shows a new cobSession token value and a recent timestamp.

3

Register Yodlee Users and Mint Per-User Session Tokens

Every end user in your Bubble app who uses Yodlee financial features must be registered as a user in Yodlee's system. This registration uses the cobSession token and creates a Yodlee username/password pair that you store in the user's Bubble record. The userSession is then minted from those credentials. Add two API calls to your Yodlee API Connector: Call 1 — 'Register User': POST /user/register. This call needs the cobSession header (already in your shared headers). Body (JSON type): { "user": { "loginName": "[yodlee_username]", "password": "[yodlee_password]", "email": "[email]", "preferences": { "locale": "en_US" } } } Generate a unique yodlee_username for each Bubble user — a safe pattern is 'user_' + Bubble's unique ID (e.g., '1234567890'). Generate a strong random password and store both in the User's data record. Call 2 — 'Mint User Session': POST /user/login. Body (JSON): { "user": { "loginName": "[yodlee_username]", "password": "[yodlee_password]" } } The cobSession header must be present and valid. Response returns userSession.sessionToken — your per-user token. Build two Backend Workflows: - 'Yodlee_RegisterUser': runs once per new user, calls Register User, stores the returned Yodlee user ID in the User record. - 'Yodlee_MintUserSession': takes current User as input, calls Mint User Session using stored credentials + current cobSession, stores returned userSession token and 'user_session_created_at' timestamp in the User's record. Trigger 'Yodlee_RegisterUser' from your Bubble signup workflow (after your normal user creation). Trigger 'Yodlee_MintUserSession' whenever a user navigates to a page that shows financial data, checking first if their existing userSession is older than 25 minutes.

yodlee-user-registration-and-session.json
1// Register User
2POST /user/register
3Headers: { cobSession: "<current-cobSession-from-db>" }
4Body:
5{
6 "user": {
7 "loginName": "user_1234567890",
8 "password": "SecurePass!2024",
9 "email": "user@example.com",
10 "preferences": { "locale": "en_US" }
11 }
12}
13
14// Mint User Session
15POST /user/login
16Headers: { cobSession: "<current-cobSession-from-db>" }
17Body:
18{
19 "user": {
20 "loginName": "user_1234567890",
21 "password": "SecurePass!2024"
22 }
23}
24// Response: { "user": { "session": { "userSession": "09_....TOKEN...." } } }

Pro tip: Add a 'yodlee_registered' Yes/No field to your Bubble User type. Set it to 'yes' after successful registration. Your Yodlee_RegisterUser workflow can check this field first and skip registration if the user is already registered — preventing duplicate Yodlee accounts for the same Bubble user.

Expected result: New users who sign up to your Bubble app are silently registered in Yodlee. When they navigate to a financial data page, a userSession token appears in their User record, valid for the next 25 minutes.

4

Open FastLink for Bank Account Linking

FastLink is Yodlee's hosted bank-linking widget — a Yodlee-owned webpage where users enter their banking credentials to authorize data access. You cannot build your own bank login UI; you must use FastLink. The good news is that FastLink handles all the credential security, multi-factor authentication, and institution-specific login flows for you. To open FastLink, you need a FastLink-specific access token. This is different from the userSession — you must request it separately. Add an API call to your Yodlee API Connector: - Name: 'Get FastLink Token' - Method: POST - Path: /user/accessTokens - Body (JSON): { "appIds": ["your-app-id"] } - Headers: both cobSession and userSession must be valid (use your stored values) The response returns a token value inside the user.accessTokens array. This is your FastLink token. Now build the Bubble workflow for the 'Connect Bank Account' button: 1. Trigger Backend Workflow 'Yodlee_MintUserSession' (if userSession is stale) 2. Call 'Get FastLink Token' API call 3. Construct the FastLink URL: https://fl4.sandbox.yodlee.com/authenticate/restserver/?token=[fastlink_token] — always verify the current FastLink URL format in your Yodlee Sandbox documentation, as it can change between Yodlee platform versions 4. Use Bubble's 'Open an external URL' action with this URL, set to 'open in a new tab' or 'open in a popup' (a popup keeps the user in your app context) When FastLink completes, the widget sends a postMessage to the parent window. To capture this in Bubble, you can add an HTML element with JavaScript that listens for postMessage events from the FastLink domain and triggers a Bubble backend call when bank linking completes. The Toolbox plugin (free, from Bubble's marketplace) allows you to run JavaScript from workflows — use it to set a page state variable when FastLink's completion event fires. Alternatively, add a 'Refresh My Data' button that the user clicks after completing FastLink — trigger the 'Fetch Accounts' workflow described in the next step.

yodlee-fastlink-token.json
1// Get FastLink Token
2POST /user/accessTokens
3Headers:
4 cobSession: <current-cobSession-from-db>
5 userSession: <current-userSession-from-db>
6Body: { "appIds": ["your-app-id"] }
7
8// Response:
9{
10 "user": {
11 "accessTokens": [
12 {
13 "appId": "your-app-id",
14 "url": "https://fl4.sandbox.yodlee.com/authenticate/restserver/",
15 "value": "FASTLINK_TOKEN_VALUE"
16 }
17 ]
18 }
19}
20
21// FastLink URL to open:
22https://fl4.sandbox.yodlee.com/authenticate/restserver/?token=FASTLINK_TOKEN_VALUE

Pro tip: In Sandbox, use Yodlee's 'Dag Sites' test institutions to verify the FastLink flow without entering real bank credentials. Log into your Yodlee developer portal to see the list of available Dag Site usernames and passwords for each test institution type.

Expected result: Clicking 'Connect Bank Account' opens the FastLink widget in a new tab or popup. Users can search for and select a test institution (Dag Site in Sandbox), enter test credentials, and complete the bank-linking flow. The widget shows a success confirmation.

5

Fetch Accounts and Transactions via API Connector

After FastLink completes, Yodlee has linked the user's bank account(s) to their Yodlee user profile. Now you fetch this data using the API Connector with both tokens present in the request headers. Add two API calls to your Yodlee API Connector: Call: 'Get Accounts' - Method: GET - Path: /accounts - Parameters: none required (returns all accounts for the authenticated userSession user) - Both cobSession and userSession shared headers must be populated - Set 'Use as Data' so Bubble can extract JSON fields directly - Initialize call: supply real cobSession and userSession values from a test account that already has linked institutions Call: 'Get Transactions' - Method: GET - Path: /transactions - Optional parameters: fromDate (YYYY-MM-DD format), toDate, accountId - Both cobSession and userSession headers required - Initialize call with same real token values Build a Backend Workflow 'Yodlee_FetchAndStoreData' that runs after FastLink completion: 1. Call 'Get Accounts' — loop over the returned account array and create/update 'YodleeAccount' records in Bubble's database (fields: account_id, account_name, account_type, balance, currency, provider_name, linked_user) 2. Call 'Get Transactions' with fromDate set to 90 days ago — loop over returned transactions and create 'YodleeTransaction' records (fields: transaction_id, account_id, merchant_name, amount, transaction_date, category, linked_user) Store data in Bubble's database rather than fetching live from Yodlee on every page load. This prevents excessive API calls (which consume rate limit and WU), provides faster page load times, and lets you build offline-capable reports. Build a Repeating Group on your financial dashboard page that searches for YodleeAccount records where 'linked_user = Current User'. Display balance, account type, and institution name. Add a second Repeating Group for recent transactions. RapidDev's team has built dozens of fintech Bubble apps with complex token architectures like this — if you need help designing the data schema or optimizing the polling strategy, book a free scoping call at rapidevelopers.com/contact.

yodlee-get-accounts-transactions.json
1// Get Accounts
2GET /accounts
3Headers:
4 cobSession: <current-cobSession-from-db>
5 userSession: <current-userSession-from-db>
6
7// Response shape (partial):
8{
9 "account": [
10 {
11 "id": 12345,
12 "accountName": "Chase Checking",
13 "accountType": "CHECKING",
14 "balance": { "amount": 2847.50, "currency": "USD" },
15 "providerName": "Chase",
16 "isAsset": true
17 }
18 ]
19}
20
21// Get Transactions
22GET /transactions?fromDate=2025-10-01&toDate=2026-01-09
23Headers:
24 cobSession: <current-cobSession-from-db>
25 userSession: <current-userSession-from-db>
26
27// Response shape (partial):
28{
29 "transaction": [
30 {
31 "id": 98765,
32 "accountId": 12345,
33 "description": { "original": "WHOLE FOODS #123" },
34 "amount": { "amount": 67.43, "currency": "USD" },
35 "transactionDate": "2026-01-07",
36 "category": "Groceries"
37 }
38 ]
39}

Pro tip: Add a 'last_synced_at' timestamp field to your YodleeAccount records. Show this timestamp in your UI so users know how recent their data is. Offer a 'Refresh' button that re-runs Yodlee_FetchAndStoreData on demand — rather than polling automatically, which burns WU and risks exhausting rate limits.

Expected result: Your Bubble database populates with YodleeAccount and YodleeTransaction records for the test user. The financial dashboard Repeating Groups display account balances and recent transactions fetched from Bubble's database (not live from Yodlee on every page load).

6

Set Up Token Refresh and Privacy Rules

Both the cobSession and userSession expire in approximately 30 minutes. Without automatic refresh, your app will start returning permission errors mid-session. You also need to apply Bubble Privacy Rules to prevent sensitive financial data from leaking to unauthorized users. Token Refresh Strategy: CobSession refresh — you already built Yodlee_MintCobSession in Step 2. Ensure your scheduled recurring Backend Workflow runs every 25 minutes. In Bubble's Backend Workflows section, find the 'Recurring events' option and set Yodlee_MintCobSession to run at a 25-minute interval. This keeps a valid cobSession in your YodleeConfig record at all times. UserSession refresh — add a check at the beginning of any workflow that touches Yodlee data: - Condition: Current User's user_session_created_at < (Current date/time - 25 minutes) - If true: run Yodlee_MintUserSession as a synchronous step before proceeding with the actual API calls Bubble workflows are sequential within a single workflow, so adding the refresh check as the first step ensures the token is valid before the API call step runs. Privacy Rules — go to Data tab → Privacy → click your 'YodleeAccount' type → Add a rule: 'When Current User is: Linked User' → check View for all fields. This ensures a user can only see their own linked accounts. Apply the same rule pattern to 'YodleeTransaction' and any other Yodlee-related data types. Also add a Privacy Rule to your User type: hide the 'yodlee_password' and 'yodlee_username' fields for all roles except the backend. In Privacy settings, add a rule: 'All Users: uncheck View for yodlee_password, yodlee_username'. These fields should only ever be accessed by Backend Workflows, never displayed in the UI or exposed via Bubble's Data API. Workload Unit (WU) awareness: Yodlee is a heavy-WU integration. Each Backend Workflow run (token mint, data fetch, user registration) consumes WU. If you have hundreds of users, the 25-minute recurring cobSession refresh alone adds up. Consider storing multiple cobSession/userSession pairs if you serve many concurrent users, and monitor your WU consumption in Bubble's Logs tab during load testing.

yodlee-token-refresh-privacy.json
1// Privacy Rules pattern for YodleeAccount type
2// In Data tab → Privacy → YodleeAccount:
3// Rule: "This YodleeAccount's linked_user = Current User"
4// Checked: View (all fields)
5// Purpose: Users only see their own linked account records
6
7// UserSession freshness check in any Bubble workflow:
8// Step 1: Only when: Current User's user_session_created_at < Current date/time - 25 minutes
9// Action: Schedule API Workflow > Yodlee_MintUserSession (run now)
10// Step 2: (After Step 1) — Proceed with Yodlee API call using fresh userSession
11
12// Recurring cobSession refresh:
13// Backend Workflows → Recurring events → Yodlee_MintCobSession → every 25 minutes

Pro tip: Add a Logs tab bookmark in Bubble for debugging. When a Yodlee API call fails, the Workflow Logs show the exact HTTP response — including Yodlee's error codes. Common errors: 'Y010' (invalid cobSession — cobSession expired), 'Y012' (invalid userSession — userSession expired or user not registered), '401' (wrong credentials). Always check Logs before assuming the API is broken.

Expected result: Your app handles token expiry gracefully — users never see permission errors mid-session because the cobSession refreshes on schedule and userSession refreshes on-demand before API calls. Privacy Rules ensure users can only see their own financial data.

Common use cases

Personal Finance Dashboard

Let users connect all their bank accounts and credit cards in one place, then display aggregated balances, categorized spending, and monthly trends in a Bubble Repeating Group. Pull transaction data via GET /transactions and store it in Bubble's database for fast, low-API-call display.

Bubble Prompt

Build a personal finance dashboard in Bubble that shows linked account balances and the last 30 days of transactions grouped by category, refreshing data daily via a scheduled Backend Workflow.

Copy this prompt to try it in Bubble

Income Verification for Lending

Retrieve 6–12 months of deposit transactions to verify applicant income as part of a loan application flow built in Bubble. After FastLink linking, parse GET /transactions for recurring large deposits matching payroll patterns, then display the verified monthly income figure to an underwriter.

Bubble Prompt

Build a Bubble loan application workflow where the applicant connects their bank account via Yodlee FastLink and the system automatically calculates average monthly income from the last 6 months of transaction history.

Copy this prompt to try it in Bubble

Wealth Management Client Portal

Build an investment portfolio dashboard for advisor clients. Use GET /holdings and GET /accounts to pull multi-institution investment data, display asset allocation by category in charts, and store historical snapshots in Bubble's database for performance tracking over time.

Bubble Prompt

Create a Bubble client portal for a financial advisor where each client can link their brokerage accounts via Yodlee and view aggregated portfolio value, asset allocation, and performance history across all institutions.

Copy this prompt to try it in Bubble

Troubleshooting

Financial data API call (GET /accounts, GET /transactions) returns 'Permission Denied' or 401 despite having a valid cobSession stored

Cause: Both cobSession AND userSession must be present as headers on financial data requests. Sending only cobSession — or sending an expired userSession — returns a permission error by design. This is Yodlee's two-tier security architecture.

Solution: Verify that your API Connector call is sending both 'cobSession' and 'userSession' as separate headers. Check that your userSession token was minted within the last 30 minutes and is fetched from the correct User record (not a hardcoded test value). Run Yodlee_MintUserSession to generate a fresh userSession, then retry the call.

FastLink widget opens but shows a blank page or 'Invalid token' error inside the widget

Cause: The FastLink URL format or the appIds value differs between Sandbox and Production environments, or the FastLink access token (from POST /user/accessTokens) is expired or was used in the wrong environment URL.

Solution: Verify the FastLink URL format in your Yodlee developer portal documentation — the base URL (e.g., https://fl4.sandbox.yodlee.com/authenticate/restserver/) can change between Yodlee platform versions. Ensure you are using Sandbox FastLink URLs with Sandbox tokens and Production URLs with Production tokens. FastLink tokens are short-lived — mint the token immediately before opening the URL, not during a previous page load.

API Connector 'Initialize call' fails with 'There was an issue setting up your call' or returns an empty response

Cause: Yodlee's Initialize Call requires real, live token values. The cobSession and userSession parameters cannot be dummy values — they must be active tokens from a Sandbox account that already has linked test institutions. Expired or placeholder values cause initialization to fail.

Solution: Before initializing your 'Get Accounts' or 'Get Transactions' calls, manually run your Yodlee_MintCobSession and Yodlee_MintUserSession Backend Workflows, then copy the resulting token values from your database. Enter those real token values as the parameter defaults during the API Connector Initialize Call. Once initialized successfully, Bubble captures the response shape and you can clear the defaults.

Backend Workflow for token minting or user registration returns 'Workflow API is not enabled' or the Backend Workflows section is missing from the editor

Cause: Backend Workflows (API Workflows) require a paid Bubble plan. This section is not available on Bubble's free plan.

Solution: Upgrade to a paid Bubble plan before attempting to build the Yodlee integration. Go to Bubble's Pricing page, select a paid tier (Starter or higher), and then enable API Workflows under Settings → API → 'This app exposes a Workflow API'. The Backend Workflows section will then appear in your editor.

User registration call (POST /user/register) returns 'User already exists' error for a new Bubble user

Cause: The yodlee_username generated for this user was already used to register a different Yodlee user — typically because the username generation pattern produced a collision, or the Backend Workflow ran twice (e.g., during a retry after a network error).

Solution: Add a 'yodlee_registered' Yes/No field to your Bubble User type. Check this field at the start of your registration Backend Workflow and skip registration if it is already 'yes'. For the username collision, ensure your username generation pattern is unique — using Bubble's unique ID (e.g., '1234567890abcdef') rather than a sequential number prevents collisions. If a user was partially registered, log into your Yodlee developer portal to check the user's status and delete the duplicate if needed.

Best practices

  • Store YodleeConfig (cobrand credentials, cobSession token, cob_session_created_at) in a single Bubble App Data record with strict Privacy Rules — this data should never be readable by end users, only by Backend Workflows.
  • Store the userSession token and user_session_created_at in each User record (not in a shared table) — this ensures each user's session is tracked independently and stale sessions don't affect other users.
  • Refresh tokens proactively at 25 minutes, not reactively at expiry — waiting until a call fails and then refreshing causes a poor user experience; refreshing before the 30-minute window closes guarantees smooth operation.
  • Store account and transaction data in Bubble's database and display it from there — avoid making live Yodlee API calls on page load; database reads are fast, API calls consume WU and are subject to rate limits.
  • Apply Bubble Privacy Rules to all Yodlee-related data types: YodleeAccount, YodleeTransaction, and the financial fields in the User record — ensure 'View' access is restricted to 'Current User = linked_user' to prevent cross-user data leakage.
  • Apply for Production access early — Yodlee's commercial agreement process can take weeks; begin the Yodlee/Envestnet sales and legal process before you finish building the Sandbox version so you are not delayed at launch.
  • Monitor WU consumption in Bubble's Logs tab regularly — the cobSession recurring refresh, user registration, and data fetch workflows all consume WU; if you have many users the WU cost compounds quickly and you may need to optimize polling frequency or upgrade your Bubble plan.
  • Use Yodlee's Sandbox 'Dag Sites' test institutions for all development and QA — never use real bank credentials in Sandbox, and never point Sandbox tokens at the Production API endpoint.

Alternatives

Frequently asked questions

Can I build the Yodlee integration on Bubble's free plan?

No. The Yodlee integration relies entirely on Backend Workflows (API Workflows) for token minting, user registration, FastLink token generation, and data fetching. Backend Workflows are not available on Bubble's free plan. You need at minimum a Bubble Starter (paid) plan before you can begin building this integration.

Why do I need both cobSession and userSession on every API call?

This is Yodlee's security architecture. The cobSession authenticates your platform (cobrand) to Yodlee, confirming you are a registered Yodlee partner. The userSession authenticates the specific end user whose data is being accessed, ensuring you can only retrieve data that user has authorized. Sending only one token means Yodlee cannot verify both the platform identity and the user identity simultaneously — so it denies the request. Both headers are required on every financial data endpoint by design.

Can I build my own bank login UI instead of using FastLink?

No. FastLink is mandatory for bank account linking. Yodlee's terms of service require you to use FastLink for the credential-capture step — you cannot build a custom bank login form and pass credentials to Yodlee's API directly. FastLink handles institution-specific authentication flows, MFA, and credential security. You open it as a Yodlee-hosted webpage and receive a completion callback.

How do I get Production access to Yodlee?

Production access requires a commercial agreement with Yodlee/Envestnet. You cannot flip a configuration switch from Sandbox to Production yourself — you must contact Yodlee's sales team, go through their partner onboarding process, and sign a commercial agreement. This process typically takes several weeks to complete. Start it early so it does not block your launch.

How often do I need to refresh the cobSession and userSession tokens?

Both tokens expire in approximately 30 minutes. Best practice is to refresh at 25 minutes — before expiry, not after. Set up a Bubble recurring Backend Workflow to refresh the cobSession every 25 minutes (this is one shared token for your entire platform). Refresh the userSession on-demand: check if it is older than 25 minutes at the start of any workflow that calls a Yodlee data endpoint, and refresh it then if needed.

What are 'Dag Sites' and how do I use them for testing?

Dag Sites are Yodlee's pre-configured test institutions in the Sandbox environment. They simulate real bank login flows (including MFA, account selection, and successful account linking) without requiring real bank credentials. Log into your Yodlee developer portal at developer.yodlee.com to find the list of available Dag Site institution names and their test usernames/passwords. Use these exclusively during development — never use real bank credentials in Sandbox.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire Bubble integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.