Plug to UDS Bridge for MFA (Phase 1)
What is the Plug to UDS (P2U) Bridge?
When a utility provider institutes multi-factor authentication (MFA), accounts managed through Utility Data Service (Arcadia's legacy product UDS) lose access to data, and UDS has no interface for customers to complete an MFA challenge like a one-time password (OTP) or code. Without a solution, affected credentials simply fail and data deliveries stop.
The P2U Bridge solves this by connecting your UDS account to Arcadia's Plug platform, which supports MFA natively. When MFA is required, Plug handles the authentication challenge and delivers the retrieved data back to UDS for standard processing and delivery.
You'll complete MFA through the Arcadia Dashboard by selecting your preferred delivery method, such as email or text, and entering the code you receive. Plug stores and re-uses the resulting token to minimize MFA refresh on your behalf. For many providers, the token never expires and no further action is ever needed. For others, the token expires after a set period. When that happens, the credential will appear under Action Required in the Arcadia Dashboard.
What Changes for You
Before the P2U Bridge:
When a utility institutes MFA requirements, your UDS credentials fail and data deliveries stop, and there is no way to complete an MFA challenge from within UDS.
After the P2U Bridge:
Your UDS account is connected to Arcadia's Plug platform. You'll complete, and if required maintain, the MFA authentication through the Arcadia Dashboard - please see the Phase 1 Supported Providers table below for the maintenance and re-auth frequency. Your UDS data deliveries continue without impact.
What stays the same:
Your UDS / Portal data delivery format, schedule, account structure, Charge IDs, and Customer Non-Bill Data (CNBD) data are all unchanged.
Phase 1 Supported Providers
The P2U Bridge launched with support for 14 utility providers, with more being added on an ongoing basis. All require credential-based access. Email ingestion and SFTP/FTP ingestion are not supported.
| Provider | MFA Type | Re-Auth Frequency | Notes |
|---|---|---|---|
| Public Service Enterprise Group - New Jersey (PSE&G) | Token Storage | Every ~30 days | Authenticate once via Arcadia Dashboard at setup; re-authenticate when credential appears under Action Required |
| Atlantic City Electric | Token Storage | One-time only | Authenticate once via Arcadia Dashboard; token does not expire, no future re-auth required |
| Pacific Gas & Electric (PG&E) | Token Storage | Every ~180 days | Authenticate once via Arcadia Dashboard at setup; re-authenticate when credential appears under Action Required |
| San Diego Gas & Electric (SDGE) | Automated MFA | One-time setup only | Authenticate once via Arcadia Dashboard at initial setup; no re-auth ever needed after that |
| Pepco | Token Storage | One-time only | Authenticate once via Arcadia Dashboard; token does not expire, no future re-auth required |
| Commonwealth Edison (ComEd) | Token Storage | One-time only | Authenticate once via Arcadia Dashboard; token does not expire, no future re-auth required |
| Eversource | Automated MFA | One-time setup only | Authenticate once via Arcadia Dashboard at initial setup; no re-auth ever needed after that |
| Delmarva Power | Token Storage | One-time only | Authenticate once via Arcadia Dashboard; token does not expire, no future re-auth required |
| Baltimore Gas & Electric (BGE) | Token Storage | One-time only | Authenticate once via Arcadia Dashboard; token does not expire, no future re-auth required |
| Philadelphia Electric Company (PECO) | Token Storage | One-time only | Authenticate once via Arcadia Dashboard; token does not expire, no future re-auth required |
| Enbridge | Automated MFA | One-time setup only | Authenticate once via Arcadia Dashboard at initial setup; no re-auth ever needed after that |
| Dominion Energy South Carolina | Token Storage | Every ~30 days | Authenticate once via Arcadia Dashboard at setup; re-authenticate when credential appears under Action Required |
| Evergy | Automated MFA | One-time setup only | Authenticate once via Arcadia Dashboard at initial setup; no re-auth ever needed after that |
| Versant Power | Automated MFA | One-time setup only | Authenticate once via Arcadia Dashboard at initial setup; no re-auth ever needed after that |
Getting Started
Your Arcadia account team will guide you through setup. Here's what to expect:
- Your Arcadia CSM confirms eligibility — they verify your inventory has MFA-supported providers with credential-based access.
- Migration planning — your CSM works with you to take stock of all eligible credentials across your MFA-supported providers, understand your team's capacity for migrating credentials, and agree on a provider schedule and timing that fits your operations. We recommend migrating credentials on a provider-by-provider basis rather than all at once, as this keeps the number of simultaneous MFA prompts manageable and gives your team time to confirm each provider is working correctly before moving on to the next. If Arcadia is already managing MFA for some of your providers like Duke and PG&E, those will be migrated seamlessly by Arcadia as part of this process. This means no additional action is needed from you for those providers.
- Arcadia configures the P2U Bridge and migrates credentials — backend setup and credential migration is completed per the agreed provider schedule, typically within 2–4 business days per provider after your request is submitted.
- Provider confirmation — after each provider is authenticated, your CSM confirms that Plug has discovered the expected accounts and that data delivery has resumed before proceeding to the next provider.
- Ongoing — for some providers, the initial authentication step is all that's ever needed. If your provider has a token expiry period, the credential will appear under Action Required in the Arcadia Dashboard when re-authentication is needed, and it typically takes just a few minutes to complete.
Where to Manage Your Credentials
For Phase 1 MFA providers, always add or update credentials in the Arcadia Dashboard once the provider has been migrated, and not in the UDS Portal. The P2U Bridge automatically syncs credentials from the Arcadia Dashboard to UDS.
Why this matters: If you add a credential directly in UDS for an MFA provider, the P2U Bridge will sync it to the Arcadia Dashboard and immediately encounter an MFA challenge, requiring you to complete authentication in the Dashboard anyway. Save the extra step and start in the Arcadia Dashboard.
Monitoring Your Account
Your UDS / Portal monitoring and delivery records remain your primary view of data delivery status. Check credential health in the Arcadia Dashboard.
| What to check | Where to look | Healthy state |
|---|---|---|
| Credential authentication status | Arcadia Dashboard | No credentials under Action Required |
| Data delivery records | UDS / Portal | Normal delivery history |
| Account monitoring status | UDS / Portal | DAQ_PRODUCTION |
If credentials appear under Action Required in the Arcadia Dashboard, re-authentication is needed. Log into the Dashboard to complete it, or contact your Arcadia CSM. If you use the Plug API, you can make a request to the Retrieve Credential endpoint, or subscribe to webhook events to be notified of these kinds of changes.
What is NOT supported in Phase 1 but coming in Phase 2?
CNBD Auto-Sync
The initial account connection from UDS to Plug will propagate the UDS CNBD values into associated Plug Custom Data fields, but this is at initial setup. Arcadia is working on an automated sync that will mirror any changes to these custom values from Plug into UDS, which will be live in Phase 2.
Be prepared to make Custom Data updates within Plug, and CNBD updates in tandem for UDS.
Auto-enrollments within UDS
There are two scenarios for new account additions to the Plug instance:
- Net-new enrollments: a new credential enrollment with no existing and activated accounts for the submitted credential.
- Credential account additions: a newly-found account that is part of an existing, already-enrolled credential.
In both scenarios, these accounts will be considered "Discovered". If your organization has “Auto-Enroll” enabled for Plug and UDS, then these “Discovered” accounts will be automatically activated in Plug; and once data is found for the account and sent to UDS, those accounts will automatically move to “Enrolled” within UDS.
Otherwise, if your organization does NOT have "Auto-Enroll" enabled, these accounts will be “Discovered” for both scenarios and need to be activated in Plug. Then, once data is found for the account and sent to UDS, these account records will be “Discovered” in UDS and will need to be Enrolled.
Be prepared to follow the initial Plug activation with a UDS enrollment until Phase 2.
Account State Sync
The current P2U Bridge solution is intended to send data from Plug to UDS. Deactivating a credential within Plug will also deactivate the credential within UDS and will prevent Arcadia from retrieving, sending, and charging for data for those accounts. However, this will not subsequently deactivate the account within UDS.
Deactivating an individual Plug account on a credential with multiple accounts will not deactivate UDS accounts.
Be prepared to make account state updates in both Plug and UDS.
Frequently Asked Questions
Will my Charge ID configuration change?
No. Charge ID is managed independently in UDS and is not affected by the P2U Bridge. While the Plug platform does not have Charge IDs in the same manner as UDS,
Will my CNBD data still come through the UDS delivery correctly?
Yes. CNBD is an account-level field in UDS and is not affected by the P2U Bridge. As long as the CNBD data in UDS is up-to-date, it will come through correctly.
How will I know when re-authentication is needed?
The credential will appear under Action Required in the Arcadia Dashboard — this is how most users monitor for this. If you use the Plug API, you can also detect it by polling the Credentials endpoint or by subscribing to webhook events.
Do I need to do anything on a recurring basis?
All providers require a one-time MFA authentication at initial setup. After that, it depends on your provider: many use tokens that never expire, while others have tokens that expire after a set period. Automated MFA providers never require re-authentication after initial setup. See the provider table above for your specific provider's re-auth frequency.
Why does Arcadia migrate credentials per provider rather than all at once?
When credentials are migrated, they each require your team to submit an MFA code in the Arcadia Dashboard. Migrating everything simultaneously would flood your team with prompts at once. Migrating provider-by-provider gives you time to handle each set cleanly and confirm that accounts are discovered correctly before moving on. Your CSM will work with you during the planning stage to agree on a provider schedule that suits your team.
I have accounts at a provider not on the list above. Are they affected?
No. Only supported P2U Bridge providers are included in the program. The P2U Bridge launched with 14 providers and more will be added over time. Contact your CSM to ask about a specific provider.
Can I still manage accounts in UDS / Portal as I do today?
Yes. Account management, enrollment, monitoring, and data delivery records in UDS are unchanged. However, any MFA accounts will need to be authenticated through Arcadia’s Dashboard, so net-new accounts should be submitted and enrolled through Plug. The P2U Bridge only affects how authentication is handled for supported MFA providers.
What happens if MFA fails?
For token-storage providers with expiring tokens, the credential will appear under Action Required in the Arcadia Dashboard. Log in and complete re-authentication. For automated MFA providers, if anything fails after initial setup, Arcadia handles it with no action required from you.
My organization has accounts with multiple Arcadia orgs. Are we supported?
Multi-org scenarios are not supported in Phase 1. Please contact your CSM for guidance on your specific situation and roadmap.
I use email ingestion or SFTP/FTP for some accounts. Does the P2U Bridge support those?
Not in Phase 1. The P2U Bridge supports credential-based access only. Email ingestion and SFTP/FTP ingestion accounts continue to operate through the standard UDS pipeline. Note: when accessing via credentials, utilities may return data as PDFs or HTML, but both are supported.
Will my data arrive faster with the P2U Bridge?
No. The P2U Bridge does not change data delivery frequency or scheduling, only how authentication is handled.
How long does setup take?
Your CSM will work with you during the planning stage to agree on a provider schedule. Each provider typically takes 2–4 business days for Engineering to configure and migrate credentials. The initial MFA authentication step itself takes just a few minutes per provider in the Arcadia Dashboard.
Why do my credentials show an error right after migration?
This is expected. When Arcadia migrates your credentials, authentication needs to be re-established, and the credentials will show a connection error until you submit a fresh MFA code. Your CSM will coordinate the exact timing for when to do this. Do not submit a code until your CSM gives the signal, as submitting too soon may result in the code being rejected.
For UDS API-Integrated Customers
This section applies only if you access UDS data programmatically via the API. If you use the Urjanet Portal only, you can skip this section.
What Changed for API Integrations
For P2U Bridge-enrolled accounts, Arcadia's Plug platform now handles credential navigation and MFA resolution. UDS no longer manages this directly for these accounts. Your UDS data delivery continues normally, but the way you detect credential health must change: several UDS credential status fields no longer update to reflect failures that occur on the P2U Bridge side. See table below.
This affects accounts at Phase 1 providers using credential-based access. Accounts using email ingestion or SFTP/FTP ingestion are unaffected.
UDS Fields No Longer Reliable for P2U Bridge Accounts
⚠️ Do not use these fields to assess credential health for P2U Bridge-enrolled credentials.
enrollmentStatus
Once enrollmentStatus reaches SUCCESSFUL_DELIVERED, it never moves backward, even if the P2U Bridge later fails. Do not use this field to assess ongoing credential health. You may still use it to confirm initial successful enrollment.
extractionStatus (MULTI_FACTOR_AUTH_FAILURE etc.)
MULTI_FACTOR_AUTH_FAILURE will not be set for P2U Bridge accounts because UDS navigation is disabled. MFA failures occur in Plug and are not propagated to this field.
UDS Fields That Remain Reliable
The following UDS fields are unaffected by the P2U Bridge and continue to behave normally:
| Field | Still Reliable? | Notes |
|---|---|---|
| Delivery records / data payloads | ✅ Yes | Data arriving in UDS is correct. The P2U Bridge changes delivery timing, not data quality. |
monitoringStatus (DAQ_PRODUCTION) | ✅ Yes | Should be DAQ_PRODUCTION for all P2U Bridge-enabled accounts. If not, contact Arcadia support. |
| Delivery timestamps | ✅ Yes | Arrival timing may shift by up to 3 hours vs. previous behavior. |
The Authoritative Health Signal: Plug API
For P2U Bridge-enrolled accounts, Plug credential status is the single source of truth for credential health. The Plug API uses a status / statusDetail pair on each credential, along with isCustomerActionRequired and isAccessible boolean fields.
status | statusDetail | isCustomerActionRequired | isAccessible | Meaning |
|---|---|---|---|---|
CONNECTION_SUCCESS | LOGIN_AND_DATA_DISCOVERY_SUCCESS | false | true | P2U Bridge healthy; last navigation succeeded. |
CONNECTION_IN_PROGRESS | varies | false | varies | Navigation in progress or a transient issue is being resolved. No customer action needed. |
CONNECTION_FAILURE | MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED | true | false | MFA session expired; customer must submit a new OTP via the Arcadia Dashboard. Applies to token-storage providers upon token expiry. Data access is blocked. |
CONNECTION_FAILURE | MULTI_FACTOR_AUTHENTICATION_FAILURE | true | false | MFA OTP was invalid. For automated MFA providers: system-level issue at Arcadia; do not prompt the end-user. For token-storage providers: end-user may need to retry. |
CONNECTION_FAILURE | MULTI_FACTOR_AUTHENTICATION_TIMEOUT | true | false | OTP was not submitted in time or the request was abandoned. |
CONNECTION_FAILURE | UNSUPPORTED_MULTI_FACTOR_AUTHENTICATION | true | false | Arcadia does not support this MFA type. The customer may be able to disable MFA at the utility account level. Contact Arcadia support if this appears on a P2U Bridge account. |
CONNECTION_FAILURE | INVALID_CREDENTIALS | true | false | Username/password incorrect; customer must update credentials. |
CONNECTION_DEACTIVATED | DATA_EXTRACTION_NOT_REQUESTED | false | false | Credential has been deactivated. Reactivate to re-enable access. |
📝 These are Plug API values. Credential states are not synced back to UDS credential fields. Plug is the only place these statuses are visible.
The isCustomerActionRequired and isAccessible Flags
isCustomerActionRequired and isAccessible FlagsisAccessible: falseon anyCONNECTION_FAILUREstatus means data via credential access is currently blocked. Do not expect UDS delivery while this flag is set to false.CONNECTION_FAILURE/MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED+isCustomerActionRequired: true— Token-storage provider token expired. The customer must log into the Arcadia Dashboard to submit a new OTP. Your application should surface a re-authentication prompt.CONNECTION_FAILURE/MULTI_FACTOR_AUTHENTICATION_FAILURE+isCustomerActionRequired: trueon an automated MFA provider — Although the flag istrue, no customer action is possible or appropriate. This is a system-level issue at Arcadia. Do not prompt the end-user. Contact Arcadia support.
Handling MFA Re-authentication in Your Integration
Token Storage providers — tokens that expire have durations vary from 30 to 180 days.
Integration guidance for expiring tokens:
- Monitor for
CONNECTION_FAILURE/MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIREDvia Plug API polling or webhook subscription. - Surface a re-authentication prompt to your end user when this state is detected.
- Build tolerance for UDS delivery gaps of up to 24–48 hours during the re-auth window.
Delivery Timing
After a successful MFA authentication for P2U Bridge-enrolled accounts, expect data to be processed and stored for UDS delivery pickup within 3 hours. Your data will then most likely appear within the next UDS delivery. Build tolerance for this window in any SLA-sensitive integrations, since deliveries will not arrive faster than this for P2U Bridge accounts.
Recommended Integration Pattern
Step 1 — Detect P2U Bridge enrollment. Check whether the account is at a Phase 1 provider with credential-based access. If yes, apply P2U Bridge-aware logic around credential monitoring and delivery timing.
Step 2 — Poll Plug for credential health. Replace any UDS credentialStatus / extractionStatus polling for P2U Bridge accounts with Plug API polling. Healthy state = CONNECTION_SUCCESS/LOGIN_AND_DATA_DISCOVERY_SUCCESS(isAccessible: true).
Step 3 — Handle token expiry. If Plug returns CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED for a token-storage provider, surface a re-authentication prompt to the end-user.
Step 4 — Handle automated provider failures. If Plug returns CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_FAILURE for an automated MFA provider, do not prompt the user. Open a support ticket with Arcadia instead.
Step 5 — Use UDS for delivery data only. Continue reading UDS for all delivery-related fields like bill data, intervals, and timestamps. These remain reliable.
Common Scenarios
| Scenario | UDS credentialStatus | UDS extractionStatus | Plug status / statusDetail | isAccessible | Action |
|---|---|---|---|---|---|
| P2U Bridge healthy, data delivering normally | OK (may be stale) | No change | CONNECTION_SUCCESS / LOGIN_AND_DATA_DISCOVERY_SUCCESS | true | None |
| PSE&G or Dominion Energy SC token expired (~30 days) | OK (unreliable) | Not set | CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED | false | Prompt end-user to re-auth via Arcadia Dashboard |
| PG&E token expired (~180 days) | OK (unreliable | Not set | CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED | false | Prompt end-user to re-auth via Arcadia Dashboard |
| Customer re-authed; data delivery pending | OK | No change | CONNECTION_SUCCESS / LOGIN_AND_DATA_DISCOVERY_SUCCESS | true | None |
| Automated MFA provider system failure | OK (unreliable | Not set | CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_FAILURE | false | Contact Arcadia support; do not prompt end-user |
| Account not P2U Bridge-enrolled (standard UDS) | Normal | Normal | N/A | N/A | No change to existing behavior |
Migrating Existing UDS Logic
If your integration uses UDS credentialStatus, enrollmentStatus, or extractionStatus to detect MFA failures or drive re-auth workflows, update that logic for P2U Bridge-enrolled accounts:
- Identify which accounts are at Phase 1 providers.
- Add a P2U Bridge-aware flag or segment to those accounts in your integration.
- Route health checks for flagged accounts to the Plug API instead of UDS credential status fields.
- Update alerting that triggers on
extractionStatus=MULTI_FACTOR_AUTH_FAILURE, since this will never fire for P2U Bridge accounts. Use PlugCONNECTION_FAILURE/MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIREDinstead. - Update SLA logic to tolerate up to 3-hour storage gaps for P2U Bridge accounts. This could bleed into the following delivery, depending on timing of events.
- For token-storage providers with expiring tokens, add logic to handle
CONNECTION_FAILURE/MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIREDand surface a re-auth prompt to the owner. - Test against a P2U Bridge-enrolled account in a staging environment before deploying.
API FAQ
Will I still receive UDS delivery events for P2U Bridge accounts? Yes. The delivery pipeline is unchanged. What changes is only the credential health signaling.
How do I know if a specific account is P2U Bridge-enrolled? Contact Arcadia support to confirm whether a specific account is P2U Bridge-enrolled. You can also infer it by checking whether the account is available within Plug and for a Phase 1 provider with credential-based access.
What if I'm not calling the Plug API today? If your integration depends on UDS health signals for P2U Bridge accounts, you will need to integrate with the Plug API. Contact your Arcadia account manager to request Plug API access and documentation.
Can I use UDS delivery gaps as a proxy for P2U Bridge health?
With caution. A delivery gap of more than 3 days combined with CONNECTION_SUCCESS in Plug suggests a data pipeline issue; contact Arcadia support. A gap combined with CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED indicates token expiry; prompt an MFA challenge again.
What happens to SLAs during the re-auth window?
Arcadia does not apply standard UDS delivery SLAs during the period when CONNECTION_FAILURE / MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED is active. Build your SLA notifications to suppress during this window to avoid false positives.
Who do I contact for P2U Bridge-related API issues? Contact Arcadia support or your CSM with the account ID, provider, and the Plug and UDS status values you are seeing. For issues affecting multiple accounts simultaneously, escalate to your CSM immediately.
Updated 1 day ago