Access Token Request

POST https://demo-d.tradovateapi.com/v1/auth/accesstokenrequest
```js
const url = 'https://demo-d.tradovateapi.com/v1/auth/accesstokenrequest';
const options = {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{"name":"string","password":"string"}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```
200 Successful

```json
{
  "errorText": "string",
  "hibpHint": "EmailAndPasswordCompromised",
  "accessToken": "string",
  "expirationTime": "2024-01-15T09:30:00Z",
  "passwordExpirationTime": "2024-01-15T09:30:00Z",
  "userStatus": "Active",
  "userId": 1,
  "name": "string",
  "hasLive": true,
  "hasSimPlus": true
}
```
Request an access token using your user credentials and API Key.

See the Access section for more details.

Acquiring an Access Token

```js
const URL = 'https://live.tradovateapi.com/v1'

const credentials = {
  name: "Your credentials here",
  password: "Your credentials here",
  appId: "Sample App",
  appVersion: "1.0",
  cid: 0,
  sec: "Your API secret here"
}

async function getAccessToken() {
  let response = await fetch(URL + '/auth/accessTokenRequest', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    // send the credentials object as the JSON request body
    body: JSON.stringify(credentials)
  })
  let result = await response.json()
  return result // { accessToken, mdAccessToken, userId, ... }
}

//...

async function main() {
  const { accessToken, mdAccessToken, userId } = await getAccessToken()

  //use access token
}
```

Using an Access Token

```js
//use the Authorization: Bearer schema in API POST and GET requests

//simple /account/list endpoint requires no body or query
//accessToken is the value returned by getAccessToken()
async function getAccounts(accessToken) {
  let response = await fetch(URL + '/account/list', {
    method: 'GET',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${accessToken}` //Access Token use in HTTP requests
    }
  })
  let result = await response.json()
  return result
}
```

Expiration and Renewal

Access Tokens have a natural lifespan of 90 minutes from creation. However, you can extend that lifetime by calling the /auth/renewAccessToken operation. It is advised that you call the renewal operation about 15 minutes prior to the expiration of the token.

Other Important Notes

Calling the accessTokenRequest endpoint successfully will start a new session on our servers. This session is tracked, and you are limited to 2 concurrent sessions. Once a third (or additional) session is created, the oldest sessions are closed. This can be problematic in the following situations:

| Situation | Problem | Solution |
|:---------|:-------|:-----|
| You have many services that don’t share a central point of access, and each request their own sessions via auth/accessTokenRequest. | Your oldest sessions will be closed, and subsequent calls using the old access tokens will throw 408, 429, or 500 level errors. | Create a service to manage the access token, then distribute the identical valid token to dependent services. |
| You log on to .tradovate.com websites with your API user while running two or more API-powered applications. | Your API application risks being booted after a few of these spontaneous logins. | Your API user should be a dedicated user that doesn’t require more than 2 concurrent logins. |
| You call auth/accessTokenRequest more frequently than necessary, or instead of calling auth/renewAccessToken. | Whether this is by mistake or not, you should request a single token per instance of API-powered application, and keep that token alive as long as possible. | |
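
An added example (not Tradovate's code) of the token-management service recommended above: it opens one session, hands the same token to every caller, and renews about 15 minutes before expiry. `TokenManager`, its constructor parameters, and the assumption that `/auth/renewAccessToken` returns `accessToken` and `expirationTime` like the response documented on this page are hypothetical.

```javascript
// Added example. Endpoint paths and field names come from this page; the
// renewAccessToken response shape (accessToken, expirationTime) is assumed.
const RENEW_MARGIN_MS = 15 * 60 * 1000; // renew about 15 minutes before expiry

class TokenManager {
  // fetchFn and now are injectable so the logic can be exercised offline.
  constructor(baseUrl, credentials, fetchFn = (...a) => fetch(...a), now = Date.now) {
    Object.assign(this, { baseUrl, credentials, fetchFn, now });
    this.session = null; // { accessToken, expiresAt }
    this.pending = null; // in-flight refresh shared by concurrent callers
  }

  // Every dependent service calls this and receives the same token.
  async getToken() {
    const s = this.session;
    if (s && this.now() < s.expiresAt - RENEW_MARGIN_MS) return s.accessToken;
    if (!this.pending) {
      this.pending = this.refresh().finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  async refresh() {
    const s = this.session;
    const alive = s && this.now() < s.expiresAt;
    // Renew while the token is still valid; open a new session only when
    // there is none or it has expired (each new session counts toward the limit).
    const res = alive
      ? await this.fetchFn(this.baseUrl + '/auth/renewAccessToken', {
          method: 'GET',
          headers: { Authorization: `Bearer ${s.accessToken}` },
        })
      : await this.fetchFn(this.baseUrl + '/auth/accessTokenRequest', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify(this.credentials),
        });
    const data = await res.json();
    // A 200 response can still be a failure: errorText is non-empty then.
    if (data.errorText || !data.accessToken) {
      throw new Error(`token request failed: ${data.errorText || 'no accessToken'}`);
    }
    // hibpHint reports compromised credentials; surface it to the operator.
    if (data.hibpHint) console.warn(`hibpHint: ${data.hibpHint}`);
    this.session = { accessToken: data.accessToken, expiresAt: Date.parse(data.expirationTime) };
    return data.accessToken;
  }
}
```

Dependent services should call `getToken()` before each request rather than caching the string themselves, so a renewed token propagates to all of them.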

Request

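This endpoint expects an object.

| Field | Type | Required | Constraint |
|:------|:-----|:---------|:-----------|
| name | string | Required | <=64 characters |
| password | string | Required | <=512 characters |
| hibpCheck | boolean | Optional | |
| appId | string | Optional | <=64 characters |
| appVersion | string | Optional | <=64 characters |
| deviceId | string | Optional | <=64 characters |
| cid | string | Optional | <=64 characters |
| sec | string | Optional | <=8192 characters |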

Response

AccessTokenResponse

| Field | Type | Details |
|:------|:-----|:--------|
| errorText | string | <=8192 characters. Non-empty if the request failed |
| hibpHint | enum | Allowed values: EmailAndPasswordCompromised, PasswordCompromised |
| accessToken | string | <=8192 characters |
| expirationTime | datetime | |
| passwordExpirationTime | datetime | |
| userStatus | enum | Allowed values: Active, Closed, Initiated, TemporaryLocked, UnconfirmedEmail |
| userId | long | |
| name | string | <=64 characters |
| hasLive | boolean | |
| hasSimPlus | boolean | |