Access token
The information on this page is applicable to Production environment of the system. Authorization in Test environment comes with some differences. For details about authorization in Test environment, see the corresponding article.
An Access token is a short-lived token created by an API user with a previously created Refresh token.
The role of this token is to confirm that the user has the rights to interact with the requested resources.
Access token gives the same access to the system as the login and password of a trading account. Keep it private.
Getting token
To create an Access token, send a POST request to the /refresh endpoint of the authorization server. The request must contain a valid Refresh token as the value of the token parameter. This parameter can be passed either in the request path (as a query parameter) or in the request body.
Use only one of the two options. If both the query parameter and the body are filled in, the body takes precedence.
Additionally, you can restrict the set of portfolios that can be accessed with the token being created by passing an array of portfolio names as the value of the allowedPortfolios parameter.
Query:
```
https://oauth.alor.ru/refresh?token=12b...cac&allowedPortfolios=["Portfolio1", "Portfolio2", "Portfolio3"]
```
Body:
```
https://oauth.alor.ru/refresh
```
```json
{
  "token": "12b...cac",
  "allowedPortfolios": [
    "Portfolio1",
    "Portfolio2",
    "Portfolio3"
  ]
}
```
Where:
- 12b...cac is a valid Refresh token;
- Portfolio1, Portfolio2 and Portfolio3 are the portfolios that must be accessible with the created Access token.
In response, the authorization server returns a JSON object containing the Access token:
```json
{
  "AccessToken": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImN0eSI6IkpXVCJ9.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.QOQVMIAoZ6SnF5urnIzJ0EvtQd9P5Sx355069kXoID207wHOTW0wkKNMcrIKXmENEQQ_0yDjqH_kjeqWLBJuqA"
}
```
The received token is valid for 30 minutes from creation, unless the Refresh token used to create it is revoked earlier.
An interactive description of the Access token request is available on the JWT Token page.
Revoking token
There is no way to revoke an individually selected Access token before its expiration date. The only way to terminate an Access token before its expiration date is to revoke the Refresh token used to create it.
Reading token
The ALOR Broker API uses a JWT as the Access token.
A JWT is a signed JSON object carrying information both about the token itself (creation time, expiration time, header parameters) and about the API user on whose request it was issued (trading login, lists of access rights and portfolios, list of resources available for calling). Because of this, we recommend keeping Access tokens private even after they expire.
The token's header and payload are not encrypted, only Base64url-encoded, so anyone holding the token can read its claims without any key. What the signature (ES256, as the token header states) prevents is forging or altering a token without the issuer's private key; it does not hide the payload.
An example of a token, its decoded payload and the payload schema:
Token:
```
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImN0eSI6IkpXVCJ9.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.QOQVMIAoZ6SnF5urnIzJ0EvtQd9P5Sx355069kXoID207wHOTW0wkKNMcrIKXmENEQQ_0yDjqH_kjeqWLBJuqA
```
Payload:
```json
{
  "sub": "LoginSample",
  "ent": "client",
  "ein": "01234",
  "clientid": "0123456",
  "azp": "0123456789abcdef0123",
  "agreements": "AgreementSample1 AgreementSample2 AgreementSample3",
  "portfolios": "PortfolioSample1 PortfolioSample2 PortfolioSample3",
  "scope": "OrdersRead OrdersCreate Trades Personal Stats",
  "exp": 2871763199,
  "iat": 0,
  "iss": "Alor.Identity",
  "aud": "Client WARP WarpATConnector subscriptionsApi CommandApi InstrumentApi TradingViewPlatform"
}
```
Schema: see the Response body parameters table below.
Response body parameters

| Parameter | Description | Example |
|---|---|---|
| sub | User ID. The login of the trading account is used as the identifier | P39004 |
| ent | User entity type | client |
| ein | ? | 01234 |
| clientid | User identification number | 01234 |
| azp | Identifier of the application requesting access to system resources | 0123456789abcdef0123 |
| agreements | List of contracts associated with the user | AgreementSample1 |
| portfolios | List of portfolios associated with the user | PortfolioSample1 |
| scope | List of permissions requested by the application when accessing the system | OrdersRead |
| exp | Time (UTC) of token expiration in Unix time seconds, after which the token becomes invalid | 2871763199 |
| iat | Time (UTC) of token creation in Unix time seconds | 0 |
| iss | Identifier of the server that created and signed the token | Alor.Identity |
| aud | List of system sections to which the token provides access | CommandApi |
Thus, publishing a token, even an expired one, may leak sensitive information. Keep the tokens you create and use private, and never transmit them over public channels or make them publicly available.
Features and limitations
Note the following features and limitations when creating and using Access tokens:
- Token lifetime is limited to 30 minutes from the moment of creation. When developing your own API client, add a mechanism that renews the Access token before it expires
- A token can only be created with an HTTP API request; no other options are available
- The number of Access tokens created with a single Refresh token is unlimited
- An Access token is a JWT: a signed, Base64url-encoded JSON object containing data on portfolios and access rights to the trading system. Publishing Access tokens is not recommended, even after they have expired
- Access tokens cannot be revoked individually. To terminate a token prematurely, revoke the Refresh token used to create it; this also terminates all other Access tokens created with that Refresh token
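The /refresh request from "Getting token", the unverified payload read from "Reading token" and the renew-before-expiry mechanism from the list above, as an added Python example that is not part of the ALOR documentation or any ALOR client library. It assumes an injected `send` callable that performs the HTTP POST and returns the parsed JSON, a 60-second renewal margin, and a constructed `fake_issue` stand-in that produces tokens with a dummy signature so the flow runs offline.

```python
import base64
import json
import time
from typing import Callable, Iterable, Optional

OAUTH_REFRESH_URL = "https://oauth.alor.ru/refresh"  # endpoint from the page
REFRESH_MARGIN_S = 60  # assumption: renew when less than a minute of life is left


def build_refresh_request(refresh_token: str,
                          allowed_portfolios: Optional[Iterable[str]] = None) -> dict:
    """Body form of the /refresh request (token, optional allowedPortfolios)."""
    body = {"token": refresh_token}
    if allowed_portfolios:
        body["allowedPortfolios"] = list(allowed_portfolios)
    return {"method": "POST", "url": OAUTH_REFRESH_URL, "json": body}


def decode_jwt(token: str) -> tuple:
    """Return (header, claims) WITHOUT verifying the signature. Both segments
    are plain Base64url text, which is why even an expired token leaks data."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    def seg(s: str) -> dict:  # restore the '=' padding that JWTs strip
        return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    return seg(parts[0]), seg(parts[1])


class AccessTokenCache:
    """Holds one Access token and re-requests it from the Refresh token once
    'exp' is within REFRESH_MARGIN_S; `send` does the HTTP call (injected)."""

    def __init__(self, refresh_token: str, send: Callable[[dict], dict],
                 portfolios: Optional[Iterable[str]] = None,
                 now: Callable[[], float] = time.time):
        self._refresh, self._send, self._now = refresh_token, send, now
        self._portfolios, self._token, self._exp = portfolios, None, 0

    def get(self) -> str:
        if self._token is None or self._exp - self._now() < REFRESH_MARGIN_S:
            resp = self._send(build_refresh_request(self._refresh, self._portfolios))
            self._token = resp["AccessToken"]  # response key shown on the page
            self._exp = decode_jwt(self._token)[1]["exp"]
        return self._token


def fake_issue(exp: int) -> str:
    """CONSTRUCTED server stand-in: page-style header/claims, dummy signature."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    header = {"alg": "ES256", "typ": "JWT", "cty": "JWT"}
    claims = {"sub": "LoginSample", "iss": "Alor.Identity", "exp": exp, "iat": exp - 1800}
    return f"{b64(header)}.{b64(claims)}.dummysig"
```

In a real client, `send` would POST `req["json"]` to `req["url"]` and return the response body; the cache then renews on its own whenever `get()` is called near expiry.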
What's next?
Additionally, we recommend reading the following related articles:
- Interactive description of JWT token request
- Specifics of authorization in Test environment
- Guide for HTTP API
- Guide for WebSocket API
- Quick Start Guide for Production environment
- Quick Start Guide for Test environment