Access Token Request

#### Request an access token using your user credentials and API Key. See the [Access](/#tag/Access) section for more details. ### Acquiring an Access Token ```js const URL = 'https://live.tradovateapi.com/v1' const credentials = { name: "Your credentials here", password: "Your credentials here", appId: "Sample App", appVersion: "1.0", cid: 0, sec: "Your API secret here" } async function getAccessToken() { let response = await fetch(URL + '/auth/accessTokenRequest', { method: 'POST', headers: { 'Content-Type': 'application/json' } }) let result = await response.json() return result // { accessToken, mdAccessToken, userId, ... } } //... async function main() { const { accessToken, mdAccessToken, userId } = await getAccessToken() //use access token } ``` ### Using an Access Token ```js //use the Authorization: Bearer schema in API POST and GET requests //simple /account/list endpoint requires no body or query async function getAccounts() { let response = await fetch(URL + '/account/list', { method: 'GET', headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` //Access Token use in HTTP requests } }) let result = await response.json() return result } ``` ### Expiration and Renewal Access Tokens have a natural lifespan of 90 minutes from creation. However, you can extend that lifetime by calling the [`/auth/renewAccessToken`](#operation/renewAccessToken) operation. It is advised that you call the renewal operation about 15 minutes prior to the expiration of the token. ### Other Important Notes Calling the `accessTokenRequest` endpoint successfully will start a new session on our servers. This session is tracked, and you are limited to 2 concurrent sessions. Once a third (or additional) sessions are created, the oldest sessions are closed. This can be problematic in the following situations: | Situation | Problem | Solution |:---------|:-------|:----- | You have many services that don't share a central point of access, and each request their own sessions via `auth/accessTokenRequest`. | Your oldest sessions will be closed, and subsequent calls using the old access tokens will throw 408, 429, or 500 level errors. | Create a service to manage the access token, then distribute the identical valid token to dependent services | You log on to `.tradovate.com` websites with your API user while running more two or more API-powered applications. | Your API application risks being booted after a few of these spontaneous logins. | Your API user should be a dedicated user that doesn't require more than 2 concurrent logins. | You call `auth/accessTokenRequest` more frequently than necessary, or instead of calling `auth/renewAccessToken`. | Whether this is by mistake or not, you should request a single token per instance of API-powered application, and keep that token alive as long as possible.