Screen Scraping vs. API Access: How Do Apps Get Your Bank Data?
Two very different techniques can produce the same-looking result — a budgeting app that displays a bank balance — and which one sits underneath makes a real difference in how much trust that connection actually deserves.
The short answer
Screen scraping is an older technique where a third-party app logs into a bank’s website using the account holder’s actual username and password, then extracts data by reading the page the way a person would. API access is the newer approach, where the bank exposes specific data through a structured, permission-based connection that never requires sharing login credentials. The industry has been shifting toward API access because it’s more secure, more reliable, and gives the account holder more precise control over what gets shared.
How screen scraping works
In a screen-scraping setup, the account holder hands their actual bank login credentials to the third-party app, which then logs in on their behalf and parses the resulting web page to find the numbers it needs. From the bank’s perspective, this login looks identical to the account holder logging in directly, which makes it hard for the bank to distinguish legitimate aggregator activity from something more concerning. It also means the third party is holding onto a real password, which is a meaningful liability if that company is ever breached.
How API access works instead
With an API-based connection, the account holder authorizes access through the bank’s own secure login screen, and the bank issues the third party a limited, revocable token rather than sharing the actual password. The third-party app requests only specific pieces of data — say, transaction history for a particular account — and the bank can see exactly which app is asking and for what, which it generally cannot do with scraped access.
Why the shift has been happening
- Credential exposure. Screen scraping requires trusting a third party with real login information, multiplying the number of places a password could leak from.
- Fragility. A scraper depends on a bank’s website looking a certain way; a redesign can break the connection until the scraper is updated, sometimes leaving an aggregation service showing stale or missing data.
- Lack of granularity. Scraping tends to be all-or-nothing, pulling whatever is visible on the page, while APIs can be scoped to exactly the data a service needs.
- Bank visibility. Because API access is authorized and tracked individually, a bank can see which third parties are connected and shut off one without affecting others, something far harder to do with scraped logins that look like ordinary account access.
What this means for choosing financial apps
A service still relying on screen scraping isn’t necessarily unsafe, since the technique has been used for years without major incident, but it does mean an actual password sits with a company outside the bank. Where a choice exists, a service built on modern API connections generally offers a cleaner security model — no shared password, clearer permissions, and an easier way to revoke access later through the bank’s own settings rather than having to change a password everywhere the old credentials were used.
What to weigh
The technical distinction between these two methods isn’t always visible from the outside, so it can be worth asking directly, or checking a service’s own documentation, about how it connects to linked banks. That single detail says a fair amount about how the service treats the security of the data it’s been given access to.