OAuth Reference
OAuth allows you to request market data and manage portfolios on behalf of your end-users. For further details on the OAuth functionality, please see the OAuth documentation.
Note: Each endpoint may have different base URLs.
Redirect user for authorization
GET /oauth/authorize
Redirect your user from your application to this endpoint with the following query parameters.
Use the following base URL: https://app.alpaca.markets.
Example Request URL: https://app.alpaca.markets/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URL&state=SOMETHING_RANDOM&scope=account:write%20trading
Parameters
Query Parameters
Attribute | Type | Requirement | Description |
---|---|---|---|
response_type | string | Required | Must be code to request an authorization code. |
client_id | string | Required | The Client ID you received when you registered the application. |
redirect_uri | string | Required | The URL where the user will be sent after authorization. It must match one of the whitelisted redirect URIs for your application. |
state | string | Optional | An unguessable random string, used to protect against request forgery attacks. |
scope | string | Optional | A space-delimited list of scopes your application requests access to. Read-only endpoint access is assumed by default. |
Response
Redirect to Alpaca authorization page.
Allowed Scopes
Attribute | Notes |
---|---|
account:write | Write access for account configurations and watchlists. |
trading | Place, cancel or modify orders. |
data | Access to the Data API. |
Retrieve an access token
POST /oauth/token
Exchange your temporary code for an access token.
Use the following base URL: https://api.alpaca.markets.
Parameters
Body Parameters
Attribute | Type | Requirement | Description |
---|---|---|---|
grant_type | string | Required | Must be set to authorization_code for an access token request. |
code | string | Required | The temporary authorization code received from redirection request. |
client_id | string | Required | The Client ID you received when you registered the application. |
client_secret | string | Required | The Client Secret you received when you registered the application. |
redirect_uri | string | Required | The redirect URI you used for the authorization code request. |
Response
The access token.
Note: this request should take place behind-the-scenes from your backend server and shouldn’t be visible to the end users for security purposes.
The content type must be application/x-www-form-urlencoded as defined in RFC.
Example Response
{
"access_token": "79500537-5796-4230-9661-7f7108877c60",
"token_type": "bearer",
"scope": "account:write trading"
}
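The authorize redirect and token exchange described above, as an added Python example (not Alpaca's own code): it generates the state value, rejects a callback whose state does not match, and builds the form-encoded token request without sending it. The function names are hypothetical, and the callback is assumed to carry the standard OAuth 2.0 code and state query parameters on your redirect_uri.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit
from urllib.request import Request

AUTHORIZE_URL = "https://app.alpaca.markets/oauth/authorize"
TOKEN_URL = "https://api.alpaca.markets/oauth/token"


def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),  # space-delimited list
    }, quote_via=quote)  # encode the space as %20, as in the example URL
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Check state on the redirect back, then return the authorization code.

    Assumption: standard OAuth 2.0 callback, ?code=...&state=... on redirect_uri.
    """
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Build the backend-only POST /oauth/token request (not sent here)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # stays on the server, never in the browser
        "redirect_uri": redirect_uri,    # same value as in the authorize step
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")
```

Pass the returned request to urllib.request.urlopen from your backend to perform the exchange, and discard the stored state once a callback has been accepted or rejected.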