Alpaca

MOC, WebSocket, CORS, Bug & Security Fixes

It’s only been about a week after our big launch of commission-free short selling and margin, but we had a productive cycle this week and delivered a lot of improvements in our platform and API. I felt it would be great to share with you guys what has been fixed and changed recently with some highlights. Before jumping into each, these improvements are the result of both the great team and user community as always. Kudos!

Market-on-Close and Limit-on-Close Orders Support

One of the biggest achievements this week was the support for Market-on-Close (MOC) and Limit-on-Close (LOC). These have been requested by a number of users for a number of reasons, and now it’s here! To use this feature, you can simply set the time-in-force parameter on our Trading API to “cls” to indicate the order is to target the market close. For example, if you are running the code that aims to stay flat everyday, now you can submit MOC orders during the market session and forget about it. This feature is available effective immediately in the API v2, including paper trading simulator.

Fix for OPG (At-the-Open) Orders in Paper Trading

Along with this MOC/LOC release, we have addressed the issue around OPG orders. OPG orders are orders that can be submitted to fill at the time of market opening. You can submit the orders earlier in the day before the market opens. Prior to the fix, the behavior in paper trading for OPG orders was not very consistent with the intended design. These issues have been addressed in this release. Try it for free in paper trading!

Allow CORS for v2 API, or browser JavaScript Trading Algorithm

Cross-origin Resource Sharing, or CORS is the standard protocol to allow browser JavaScript program to access useful resources from different origin sites. Traditionally, browser JavaScript (typically Ajax) program was restricted to make such request to such sites, so that malicious websites may not be granted to read such data unexpectedly. But there are cases when there is reason to allow this especially when it comes to the public resource like our Trading API. CORS is to basically tell browsers that it is ok to do so.

Until this release, Alpaca’s Trading API was not accepting Ajax request from JavaScript code in non-alpaca domain. After carefully evaluating the risk and placing the security protection, CORS is now allowed and you can call Trading API from JavaScript code running in any website in the world. What this means is that you can run your trading algorithm with only HTML and JavaScript! Often the challenges of the first step to the programming is to set up such an environment to run your program, but HTML and JavaScript is so easy since virtually everyone already has web browsers.

Of course, not only trading algo, but you can also write your own trading UI calling Trading API. We will demonstrate more examples of doing this, and will post here later.

Websockets migration from NATS

For the real-time and historical market price data, Alpaca has been working closely with Polygon. Our client SDK libraries and API integration have been using NATS protocol for the real-time data streaming, but we have completed the migration to websockets. This would help a lot in the latency in data delivery as well as address unresolved issues that were happening. We have released the new version of our Python SDK last week first, but we will move on to C#, JS and Go SDK soon to support the same.

Better Error Message for Insufficient Positions

Developer experience (or DX) is one of our top priorities at Alpaca, as an API-first company. Last week, we picked up the long-time awaited request to improve the error message when a sell order is submitted with insufficient positions. Previously, the message was like

{
   “code”:  40310000,
   “message”: “insufficient position (100 < 0)”
}

As of today, you will see something like this.

{
   "available": "0",
   "code": 40310000,
   "existing_qty": "500",
   "held_for_orders": "500",
   "message": "insufficient qty available for order (requested 100,  available: 0)",
   "symbol": "ALPACA"
}

This would help a lot of debugging with more information.

Mobile Apps Update to Adapt to v2

Our showcase open-source mobile app built in React Native has been updated and the binary has been released both for Android and iOS. This release supports the new API v2 for margin and shorting, as well as extended hours trading (MOC/LOC will be coming too.)

Keep in mind that this app is open-source! You can take the code and improve it for your own needs, or even develop some great new features and share them back to the community!

Notable Bug Fix

If you were trading in the pre-market, there was a chance that the Position API unrealized_intraday_pl field was calculating the profit/loss incorrectly. This has been resolved.

Security Fixes

As a trading platform, we are committed to building one of the highest security levels in the industry. We appreciate the feedback we have received from the community and will continue to enhance our security reporting program. Please stay tuned! Recently we have addressed these issues.

  • X-Frame-Options header is now set to “SAMEORIGIN”. This prevents clickjacking to our dashboard page.
  • The unnecessary authentication methods have been dropped from our Trading API endpoints to further bolster the security around the API.

Dashboard Updates

There are a number of small improvements in the dashboard, but most notably we have implemented the display of the withdraw-able amount you can transfer out and the input is verified against this value quickly. This will help you understand how much you can withdraw.


Technology and services are offered by AlpacaDB, Inc. Brokerage services are provided by Alpaca Securities LLC (alpaca.markets), member FINRA/SIPC. Alpaca Securities LLC is a wholly-owned subsidiary of AlpacaDB, Inc.

You can find us @AlpacaHQ, if you use twitter.