Authorization
API resources provide access not only to publicly available exchange data, but also to private information about portfolios and positions of a certain trading account. In addition, the API allows the user to manage orders placed on behalf of the Broker's client.
To keep user data and funds secure, most requests to the HTTP API and all WebSocket API commands require confirmation that the sender has access rights.
Access to all provided authorization options requires developer account.
Authorization
Depending on how requests to the API will be executed, the system provides two authorization options:
- JSON Web Token (JWT) for users making requests directly to the system's APIs
- OAuth 2.0 service for developers of third-party applications, whose users will interact with the system through these applications
Test Environment supports only one authorization option — via JWT. More details in related article.
Identification and authentication
Before the system will be able to check the access rights to the requested resource (authorization), it needs to recognize who is making the request (identification) and confirm their identity (authentication).
Regardless of the request authorization option selected, user authentication and identification uses the trading account provided with the submitted request.
Developer account is not involved directly in the processes of identifying, authenticating or authorizing users and their requests. The purpose of this account is to provide access to the provided authorization options.
Available authorization options have differences in the user authentication process based on the way the data of used trading account is transmitted to the system:
- When using JWT, user authentication requires binding a trading account directly to the developer account
- When using the OAuth 2.0 service, trading account data must be passed to the service by the application asking for authorization of the executed actions