Three parties take part in every discovery request, and each one has a different concern to resolve before financial information changes hands.
In lieu of a formal Subpoena Duces Tecum, the attorney sends a secure, one-time invite link asking the client to share their financial account statements and transaction history. The attorney's real concern isn't the request itself - it's completeness. It's easy to overlook an account the client rarely mentions, or to end up with a gap of a month or two in the statements. A discovery record is only as good as what it includes.
When the client receives that request, they need a straightforward way to respond - grant access to the requesting attorney, and just as easily revoke it later. Nothing about the grant is permanent or one-directional.
The financial institution wants to honor its client's wishes, but it can't take a request at face value. Before any data moves, the institution confirms that the party asking for it is the one the client actually authorized - not merely someone who claims to be.
Put together, these three concerns are what the access-token system resolves: the attorney gets a request built for completeness, the client keeps a revocable grant, and the institution never releases records without verifying the client's authorization first.
Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.