
Authentication

To authorize our servers before they make requests to the API, PasswordBearer or ServerOAuth2Bearer can be used to retrieve an access token. Alternatively, a fixed token can be used.

If any kind of authorization is used, all requests to the Data integration endpoints will carry an Authorization header with the access token.

Important

Due to security and stability considerations, we need four separate sets of credentials for your production API.

PasswordBearer

This flow uses login and password to authenticate a server. Username and password are sent as parameters to the /authorize endpoint.

If the username and password are valid, then the broker issues an access token and returns it in the response. The access token is sent with every request in the Authorization header.

Expected response:

{
  "access_token": "eyJhbfGujudUf.eyJvYWEiOiIw[omitted for brevity]",
  "expires_in": 1200,
  "token_type": "Bearer",
  "refresh_token": "86fy7fa3d2-5e13-4736-86031-9ehiyiufrow0b",
  "refresh_token_expires_in": 2400
}

ServerOAuth2Bearer

This authentication flow is used for server-to-server requests where authentication needs to be done without human intervention. It can be used with the /history, /symbol_info, /streaming and /groups endpoints.

JSON Web Token (JWT) is used to securely transmit information between the broker and TradingView. More information about JWT can be found here.

Application and OAuth2 parameters

The broker provides the following application and OAuth2 parameters to TradingView:

  • Application parameters:

    • AppUrl: A URL uniquely representing the broker's application
    • UserId: A user identifier for which the access token will be issued
  • OAuth2 parameters:

    • client_id: A unique client identifier
    • client_secret: Secret code
    • token_url: A URL to which the access token request will be sent
    • grant_type: Indicates the type of grant being presented in exchange for an access token

X.509 Certificate

The broker provides a valid X.509 certificate to TradingView for signing the JWT.

JSON Web Token

The JWT for the access token request is created with the following headers and claims:

  • Headers:

    • x5t: Thumbprint of the provided X.509 certificate used for signing the JWT
    • alg: Algorithm used to sign the JWT. Only RS256 is supported at the moment
  • Claims:

    • iss: Value should be client_id
    • sub: Value should be the UserId for which token is needed
    • exp: Value should be a Unix timestamp indicating expiry of the token
    • aud: Value should be the token_url
    • spurl: The AppUrl of your application

Requesting the access token

TradingView sends a POST request to the token_url to obtain an access token. The client_id and client_secret are included as parameters in the request body. The JWT is sent in a parameter named assertion.

Example access token request (extra line breaks for clarity):

POST /authorize/token HTTP/1.1
Host: your-rest-implementation.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Ayour-broker%3Aoauth%3Agrant-type%3Apersonal-jwt
&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJpc3Mi[...omitted for brevity...]
&client_id=FGGH7-TRVC3-ECDD2-CDHRG3-FYUDG5
&client_secret=adfegywrtyw

Expected response:

{
  "access_token": "eyJhbfGujudUf.eyJvYWEiOiIw[omitted for brevity]",
  "expires_in": 1200,
  "token_type": "Bearer",
  "refresh_token": "86fy7fa3d2-5e13-4736-86031-9ehiyiufrow0b",
  "refresh_token_expires_in": 2400
}
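
As an added example (not TradingView's or any broker's own code), this is one way a broker's token endpoint could validate the assertion described above before issuing an access token, using only the Python standard library. It assumes the RSA public numbers n and e have already been extracted from the registered certificate, that x5t follows the RFC 7515 format, and that the cfg dictionary and its key names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def x5t(cert_der):
    # Assumed thumbprint format (RFC 7515): base64url of SHA-1 over the DER certificate
    return base64.urlsafe_b64encode(hashlib.sha1(cert_der).digest()).rstrip(b"=").decode()

def rs256_verify(signing_input, sig, n, e):
    # Rebuild the whole expected encoded message and compare it, rather than parsing padding
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t)

def validate_assertion(jwt, cfg, now=None):
    """Return the claims if the assertion is acceptable, else raise ValueError.
    cfg is a hypothetical dict: cert_der, n, e, client_id, token_url, user_id, app_url."""
    try:
        h64, c64, s64 = jwt.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except Exception:
        raise ValueError("malformed JWT") from None
    if header.get("alg") != "RS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("alg must be RS256")
    if header.get("x5t") != x5t(cfg["cert_der"]):
        raise ValueError("x5t does not match the registered certificate")
    if not rs256_verify(f"{h64}.{c64}".encode(), sig, cfg["n"], cfg["e"]):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp")
    for name, want in (("iss", cfg["client_id"]), ("aud", cfg["token_url"]),
                       ("sub", cfg["user_id"]), ("spurl", cfg["app_url"])):
        if claims.get(name) != want:
            raise ValueError(f"unexpected {name}")
    return claims
```

The client_id and client_secret from the request body still have to be checked separately; this function covers only the assertion parameter.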