Each Finch access_token can only make API calls to endpoints the end-user has granted an application permission to. Permissions are specified by the product parameter when launching Connect. Valid permissions are—

company/employer/companyRead basic company data
directory/employer/directoryRead company directory and organization structure
individual/employer/individualRead individual data, excluding income and employment data
ssn/employer/individualRead SSN for individuals.
employment/employer/employmentRead individual employment and income data
payment/employer/paymentRead payroll and contractor related payments by the company
pay_statement/employer/pay-statementRead detailed pay statements for each individual
benefits/employer/benefits/*Create and manage benefits and benefit enrollment within a company