We always encourage our third-party applications to first describe the problem they are encountering and how this has affected the end user experience. Once we have been given that information we then try to reproduce the issue with a subset of test credentials that we use.
Where this has been unsuccessful, and in order to provide the end user with access to the third-party application service, third-party applications can securely submit their JWT token for that single end user to us for further investigation. This is done using our debug endpoint, and you can find more information about it here.
When we are provided with the debug_id token we then use this to reproduce the third-party application’s experience with that end user’s credentials in order to pinpoint the reported issue. This all takes place using an automated script (our connectors) that understands the bank portal’s layout and knows how to submit the end user's credentials.
In order to do so, the automated script has to have access to the unencrypted set of end-user credentials (as above). All of the above processes are undertaken with supervision from senior staff members, and access to the systems that allow investigation is audited internally to ensure that correct levels of access are allocated.
This, in turn, is audited externally as part of our ISO 27001:2013 audits.
Check more information about our debug endpoint here.
Not sure what to send us to help with our investigation? Check our best practices here.