OAuth Reference

OAuth allows you to request market data and manage portfolios on behalf of your end-users. For further details on the OAuth functionality, please see the OAuth documentation.

Note: Each endpoint may have different base URLs.

Redirect user for authorization

GET /oauth/authorize

Redirect your user from your application to this endpoint with the following query parameters.

Use the following base URL: https://app.alpaca.markets.

Example Request URL: https://app.alpaca.markets/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URL&state=SOMETHING_RANDOM&scope=account:write%20trading

Parameters

Query Parameters

| Attribute | Type | Requirement | Description |
|---|---|---|---|
| response_type | string | Required | Must be code to request an authorization code. |
| client_id | string | Required | The Client ID you received when you registered the application. |
| redirect_uri | string | Required | The URL where the user will be sent after authorization. It must match one of the whitelisted redirect URIs for your application. |
| state | string | Optional | An unguessable random string, used to protect against request forgery attacks. |
| scope | string | Optional | A space-delimited list of scopes your application requests access to. Read-only endpoint access is assumed by default. |

Response

Redirect to Alpaca authorization page.

Allowed Scopes

| Attribute | Notes |
|---|---|
| account:write | Write access for account configurations and watchlists. |
| trading | Place, cancel or modify orders. |
| data | Access to the Data API. |

Retrieve an access token

POST /oauth/token

Exchange your temporary code for an access token.

Use the following base URL: https://api.alpaca.markets.

Parameters

Body Parameters

| Attribute | Type | Requirement | Description |
|---|---|---|---|
| grant_type | string | Required | Must be set to authorization_code for an access token request. |
| code | string | Required | The temporary authorization code received from the redirection request. |
| client_id | string | Required | The Client ID you received when you registered the application. |
| client_secret | string | Required | The Client Secret you received when you registered the application. |
| redirect_uri | string | Required | The redirect URI you used for the authorization code request. |

Response

The access token.

Note: For security purposes, this request should be made behind the scenes from your backend server and should not be visible to end users.

The content type must be application/x-www-form-urlencoded as defined in the RFC.

Example Response

{
    "access_token": "79500537-5796-4230-9661-7f7108877c60",
    "token_type": "bearer",
    "scope": "account:write trading"
}
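
The two steps above, tied together on the backend, as an added example (not Alpaca's own code): it generates the state value, rejects a callback whose state does not match, and builds the form-encoded token request without sending it. The function names, the `session` dict, the `REDIRECT_URI` value and the callback carrying `code` and `state` as query parameters (standard OAuth 2.0 behaviour) are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORIZE_URL = "https://app.alpaca.markets/oauth/authorize"
TOKEN_URL = "https://api.alpaca.markets/oauth/token"

# Placeholders (assumptions): substitute your registered application's values.
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"  # keep on the backend only
REDIRECT_URI = "https://example.com/oauth/callback"


def build_authorize_url(session, scopes=("account:write", "trading")):
    """Create a per-session state value and return the redirect URL."""
    state = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    session["oauth_state"] = state     # stored server-side, bound to this user
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": " ".join(scopes),     # space-delimited list
    }, quote_via=quote)                # quote() encodes the space as %20
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Validate state, then return (url, headers, body) for the token request."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: rejecting callback")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,  # same value sent to /oauth/authorize
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body
```

Send the returned body with any HTTP client as a POST from the server; the state check runs before the client secret is ever placed in a request.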