> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://partner.ninjatrader.com/llms.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://partner.ninjatrader.com/_mcp/server. # Access Token Request POST https://live.tradovateapi.com/v1/auth/accesstokenrequest Content-Type: application/json #### Request an access token using your user credentials and API Key. See the [Authentication](#tag/Authentication) section for more details. ### Acquiring an Access Token ```js const URL = 'https://live.tradovateapi.com/v1' const credentials = { name: "Your credentials here", password: "Your credentials here", appId: "Sample App", appVersion: "1.0", cid: 0, sec: "Your API secret here" } async function getAccessToken() { let response = await fetch(URL + '/auth/accessTokenRequest', { method: 'POST', headers: { 'Content-Type': 'application/json' } }) let result = await response.json() return result // { accessToken, mdAccessToken, userId, ... } } //... async function main() { const { accessToken, mdAccessToken, userId } = await getAccessToken() //use access token } ``` ### Using an Access Token ```js //use the Authorization: Bearer schema in API POST and GET requests //simple /account/list endpoint requires no body or query async function getAccounts() { let response = await fetch(URL + '/account/list', { method: 'GET', headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` //Access Token use in HTTP requests } }) let result = await response.json() return result } ``` ### Expiration and Renewal Access Tokens have a natural lifespan of 90 minutes from creation. However, you can extend that lifetime by calling the [`/auth/renewAccessToken`](#operation/renewAccessToken) operation. It is advised that you call the renewal operation about 15 minutes prior to the expiration of the token. ### Other Important Notes Calling the `accessTokenRequest` endpoint successfully will start a new session on our servers. This session is tracked, and you are limited to 2 concurrent sessions. Once a third (or additional) sessions are created, the oldest sessions are closed. This can be problematic in the following situations: | Situation | Problem | Solution |:---------|:-------|:----- | You have many services that don't share a central point of access, and each request their own sessions via `auth/accessTokenRequest`. | Your oldest sessions will be closed, and subsequent calls using the old access tokens will throw 408, 429, or 500 level errors. | Create a service to manage the access token, then distribute the identical valid token to dependent services | You log on to `.tradovate.com` websites with your API user while running more two or more API-powered applications. | Your API application risks being booted after a few of these spontaneous logins. | Your API user should be a dedicated user that doesn't require more than 2 concurrent logins. | You call `auth/accessTokenRequest` more frequently than necessary, or instead of calling `auth/renewAccessToken`. | Whether this is by mistake or not, you should request a single token per instance of API-powered application, and keep that token alive as long as possible. Reference: https://partner.ninjatrader.com/eval/api/rest-api-endpoints/authentication/access-token-request ## OpenAPI Specification ```yaml openapi: 3.1.0 info: title: eval version: 1.0.0 paths: /auth/accesstokenrequest: post: operationId: access-token-request summary: Access Token Request description: >- #### Request an access token using your user credentials and API Key. See the [Authentication](#tag/Authentication) section for more details. ### Acquiring an Access Token ```js const URL = 'https://live.tradovateapi.com/v1' const credentials = { name: "Your credentials here", password: "Your credentials here", appId: "Sample App", appVersion: "1.0", cid: 0, sec: "Your API secret here" } async function getAccessToken() { let response = await fetch(URL + '/auth/accessTokenRequest', { method: 'POST', headers: { 'Content-Type': 'application/json' } }) let result = await response.json() return result // { accessToken, mdAccessToken, userId, ... } } //... async function main() { const { accessToken, mdAccessToken, userId } = await getAccessToken() //use access token } ``` ### Using an Access Token ```js //use the Authorization: Bearer schema in API POST and GET requests //simple /account/list endpoint requires no body or query async function getAccounts() { let response = await fetch(URL + '/account/list', { method: 'GET', headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${accessToken}` //Access Token use in HTTP requests } }) let result = await response.json() return result } ``` ### Expiration and Renewal Access Tokens have a natural lifespan of 90 minutes from creation. However, you can extend that lifetime by calling the [`/auth/renewAccessToken`](#operation/renewAccessToken) operation. It is advised that you call the renewal operation about 15 minutes prior to the expiration of the token. ### Other Important Notes Calling the `accessTokenRequest` endpoint successfully will start a new session on our servers. This session is tracked, and you are limited to 2 concurrent sessions. Once a third (or additional) sessions are created, the oldest sessions are closed. This can be problematic in the following situations: | Situation | Problem | Solution |:---------|:-------|:----- | You have many services that don't share a central point of access, and each request their own sessions via `auth/accessTokenRequest`. | Your oldest sessions will be closed, and subsequent calls using the old access tokens will throw 408, 429, or 500 level errors. | Create a service to manage the access token, then distribute the identical valid token to dependent services | You log on to `.tradovate.com` websites with your API user while running more two or more API-powered applications. | Your API application risks being booted after a few of these spontaneous logins. | Your API user should be a dedicated user that doesn't require more than 2 concurrent logins. | You call `auth/accessTokenRequest` more frequently than necessary, or instead of calling `auth/renewAccessToken`. | Whether this is by mistake or not, you should request a single token per instance of API-powered application, and keep that token alive as long as possible. tags: - subpackage_authentication responses: '200': description: AccessTokenResponse content: application/json: schema: $ref: '#/components/schemas/AccessTokenResponse' requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessTokenRequest' servers: - url: https://live.tradovateapi.com/v1 description: https://live.tradovateapi.com/v1 components: schemas: AccessTokenRequest: type: object properties: hibpCheck: type: boolean name: type: string password: type: string appId: type: string appVersion: type: string deviceId: type: string cid: type: string sec: type: string required: - name - password title: AccessTokenRequest AccessTokenResponseHibpHint: type: string enum: - EmailAndPasswordCompromised - PasswordCompromised description: EmailAndPasswordCompromised, PasswordCompromised title: AccessTokenResponseHibpHint AccessTokenResponseUserStatus: type: string enum: - Active - Closed - Initiated - TemporaryLocked - UnconfirmedEmail description: Active, Closed, Initiated, TemporaryLocked, UnconfirmedEmail title: AccessTokenResponseUserStatus AccessTokenResponse: type: object properties: errorText: type: string description: Non-empty if the request failed hibpHint: $ref: '#/components/schemas/AccessTokenResponseHibpHint' description: EmailAndPasswordCompromised, PasswordCompromised accessToken: type: string expirationTime: type: string format: date-time passwordExpirationTime: type: string format: date-time userStatus: $ref: '#/components/schemas/AccessTokenResponseUserStatus' description: Active, Closed, Initiated, TemporaryLocked, UnconfirmedEmail userId: type: integer format: int64 name: type: string hasLive: type: boolean hasSimPlus: type: boolean showKIDs: type: boolean title: AccessTokenResponse ``` ## Examples **Request** ```json { "name": "string", "password": "string" } ``` **Response** ```json { "errorText": "string", "hibpHint": "EmailAndPasswordCompromised", "accessToken": "string", "expirationTime": "2024-01-15T09:30:00Z", "passwordExpirationTime": "2024-01-15T09:30:00Z", "userStatus": "Active", "userId": 1, "name": "string", "hasLive": true, "hasSimPlus": true, "showKIDs": true } ``` **SDK Code** ```python import requests url = "https://live.tradovateapi.com/v1/auth/accesstokenrequest" payload = { "name": "string", "password": "string" } headers = {"Content-Type": "application/json"} response = requests.post(url, json=payload, headers=headers) print(response.json()) ``` ```javascript const url = 'https://live.tradovateapi.com/v1/auth/accesstokenrequest'; const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"name":"string","password":"string"}' }; try { const response = await fetch(url, options); const data = await response.json(); console.log(data); } catch (error) { console.error(error); } ``` ```go package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "https://live.tradovateapi.com/v1/auth/accesstokenrequest" payload := strings.NewReader("{\n \"name\": \"string\",\n \"password\": \"string\"\n}") req, _ := http.NewRequest("POST", url, payload) req.Header.Add("Content-Type", "application/json") res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := io.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body)) } ``` ```ruby require 'uri' require 'net/http' url = URI("https://live.tradovateapi.com/v1/auth/accesstokenrequest") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true request = Net::HTTP::Post.new(url) request["Content-Type"] = 'application/json' request.body = "{\n \"name\": \"string\",\n \"password\": \"string\"\n}" response = http.request(request) puts response.read_body ``` ```java import com.mashape.unirest.http.HttpResponse; import com.mashape.unirest.http.Unirest; HttpResponse response = Unirest.post("https://live.tradovateapi.com/v1/auth/accesstokenrequest") .header("Content-Type", "application/json") .body("{\n \"name\": \"string\",\n \"password\": \"string\"\n}") .asString(); ``` ```php request('POST', 'https://live.tradovateapi.com/v1/auth/accesstokenrequest', [ 'body' => '{ "name": "string", "password": "string" }', 'headers' => [ 'Content-Type' => 'application/json', ], ]); echo $response->getBody(); ``` ```csharp using RestSharp; var client = new RestClient("https://live.tradovateapi.com/v1/auth/accesstokenrequest"); var request = new RestRequest(Method.POST); request.AddHeader("Content-Type", "application/json"); request.AddParameter("application/json", "{\n \"name\": \"string\",\n \"password\": \"string\"\n}", ParameterType.RequestBody); IRestResponse response = client.Execute(request); ``` ```swift import Foundation let headers = ["Content-Type": "application/json"] let parameters = [ "name": "string", "password": "string" ] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://live.tradovateapi.com/v1/auth/accesstokenrequest")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error as Any) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume() ```