userId and accountId for every user.
When a user authorizes your application, you attach your identifier to that grant. Fluz stores the pairing between your identifier and the userโs Fluz account, scoped to your application. From that point forward, you can reference the user by your own ID when generating tokens, sending transfers, and matching webhook events.
๐ Where youโll see it The field appears asexternal_idin the OAuth authorization URL and asexternalReferenceIdin the GraphQL API and webhook payloads. They are the same value.
What can it be?
โ ๏ธ Do not use PII as an external reference ID Avoid email addresses, phone numbers, or names. These can change over time and would break your mapping, and they unnecessarily transmit personal data in URLs and tokens. A UUID or your database primary key is the right choice.
Where do we use it?
The external reference ID flows through four surfaces:
It is also embedded in the OAuth access token issued for the user, so the association persists across token refreshes.
How do we use it?
1. Assign it during the OAuth authorization flow
When you direct your end user to the authorization URL (see Client facing OAuth grant flow), append your identifier as theexternal_id query parameter:
usr_8f3d2a91 against that userโs authorization of your application. The same parameter applies when launching an embedded widget โ see Widget Overview.
๐ง Required for widget applications
All widget application types (deposit, payouts, payins, virtual card, gift card catalog, bill pay, and external payout widgets) require an external reference ID when establishing a user session. The request will be rejected with External reference ID is required for <type> applications if it is omitted. For standard OAuth applications it is optional, but strongly recommended.
2. Generate user access tokens with it
Once the pairing exists,generateUserAccessToken accepts externalReferenceId in place of userId and accountId:
userId/accountId alongside externalReferenceId, but they must match the user the external reference ID resolves to. If they donโt, the request is rejected.
3. Address transfer destinations with it
When creating a wallet transfer to another Fluz account (see Transfer to Another Fluz Account), the destination can be identified by external reference ID instead of a Fluz account ID:destination.accountId or destination.externalReferenceId โ never both. The destination user must have authorized your application; otherwise the transfer is rejected.
4. Match webhook events back to your users
Webhook payloads includeexternalReferenceId so you can correlate Fluz events to your own user records without maintaining a lookup table of Fluz IDs:
๐ Privacy note
externalReferenceId is omitted from webhook payloads where the userโs grant has no external reference ID associated, or where the event is flagged as private.
Validation rules and errors
Adding an external reference ID to an existing grant
If a user authorized your application before you adopted external reference IDs, you can supply one on a subsequent authorization or token request and Fluz will backfill it onto the existing grant โ provided the grant does not already carry one. An existing external reference ID is never overwritten.What an external reference ID is not
- It is not a Fluz
userIdoraccountId. Those are Fluz-issued UUIDs; the external reference ID is issued by you. - It is not the
external_idor external account identifiers that appear on withdrawal records or linked funding sources elsewhere in the API. Those reference banking and processor records, not users. [TBD: confirm whether any of these are exposed in the public schema and should be cross-referenced here]