Refresh token
The information on this page applies to the Production environment of the system. Authorization in the Test environment comes with some differences. For details about authorization in the Test environment, see the corresponding article.
A Refresh token is a long-term token created by an API user after successfully authorizing in the Developer Account and binding a Trading Account to it.
The role of this token is to update the short-term Access token used for authorization of API requests made by a user.
A Refresh token allows creating Access tokens that give access to the system equivalent to using the login and password of a trading account. Keep it private.
Viewing and managing tokens
The only option to manage Refresh tokens available to the user is to use the API Access Tokens page.
Created tokens are displayed on the page in a list with the following information about each token:
- Token value. By default, it is hidden. Click the Show button to display it in the open view
- Token creation date
- Token expiration date
- Token status. For expired and manually revoked tokens, the actual status Revoked is displayed; for valid tokens, the Revoke token button is displayed.
The list does not support pagination, so it is not recommended to unnecessarily create a large number of Refresh tokens, even though their quantity is not limited by the system.
The list displays all Refresh tokens created on behalf of the bound trading account, regardless of which developer account they were created by.
For example, developer accounts “Developer_1” and “Developer_2”, bound to the same trading account, each created a token. As a result, both tokens are displayed in the list for both developers.
The same goes for token revocation — it will be revoked for a trading account, not a specific developer account.
For example, “Developer_1” sees the token created by “Developer_2” in their own list and revokes it. As a result, the token is revoked for both developers.
So, all tokens of a trading account are shared by all API users using that trading account.
Creating token
To create a new Refresh token, follow the steps below:
- Log in to the Developer Portal and go to the API Access Tokens page
- Click the Create Token button to create a new Refresh token
- Click the Show button to view the created token
The received token will be valid for 1 year from the date of creation, unless revoked earlier.
Use the received Refresh token to create the Access token required to authorize requests to the system.
Revoking token
If a Refresh token has been compromised or is no longer needed before its expiration date, it is recommended to revoke it to reduce security risks.
Revocation of a Refresh token can be done on the same page where it was previously created.
To revoke a Refresh token, follow the steps below:
- Log in to the Developer Portal and go to the API Access Tokens page
- Find the token to be revoked in the list
- Click Revoke Token.
Revoking a Refresh token will result in the termination of all Access tokens created with it.
Features and limitations
Please note the following features and restrictions when creating and using Refresh tokens:
- Token expiration time is limited to 1 year from the moment of creation
- Each token grants access to all contracts of the specified trading account. It is not possible to issue a token for an individual market
- A created token is available to all developer accounts to which the trading account used to create it is bound
- Created tokens can be manually revoked at any time before their expiration date
- A revoked token cannot be restored to a working state. It is not possible to temporarily suspend the validity of a token
- When a Refresh token is revoked, all Access tokens created with it will also be terminated
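Because every developer account bound to the trading account sees and can revoke the same tokens, it is useful to reconcile the list against the tokens your own team issued and to watch the 1-year expiry. The Python sketch below is an added example, not part of the original documentation; it assumes rows are transcribed by hand from the API Access Tokens page, and the field names, the "Valid" label, the sample values and the 30-day warning window are all assumptions.

```python
import hashlib
from datetime import date, timedelta


def fingerprint(token_value: str) -> str:
    """Short SHA-256 fingerprint, so raw Refresh tokens never sit in the inventory."""
    return hashlib.sha256(token_value.encode("utf-8")).hexdigest()[:12]


def audit(rows, known_fingerprints, today, warn_days=30):
    """Return (unknown, expiring) fingerprints for still-valid tokens."""
    unknown, expiring = [], []
    for row in rows:
        # Skip revoked rows and rows whose expiration date has already passed.
        if row["status"] == "Revoked" or row["expires"] <= today:
            continue
        fp = fingerprint(row["value"])
        # Valid but not issued by this team: created under another developer
        # account bound to the same trading account, or not accounted for.
        if fp not in known_fingerprints:
            unknown.append(fp)
        # Plan the replacement before the 1-year validity runs out.
        if row["expires"] - today <= timedelta(days=warn_days):
            expiring.append(fp)
    return unknown, expiring


# Constructed sample rows; values are placeholders, not real tokens.
# "Valid" is this example's label for a row that shows the Revoke button.
SAMPLE_ROWS = [
    {"value": "constructed-token-A", "expires": date(2025, 1, 10), "status": "Valid"},
    {"value": "constructed-token-B", "expires": date(2025, 6, 1), "status": "Valid"},
    {"value": "constructed-token-C", "expires": date(2025, 3, 1), "status": "Revoked"},
    {"value": "constructed-token-D", "expires": date(2024, 12, 1), "status": "Valid"},
]
SAMPLE_TODAY = date(2024, 12, 20)
SAMPLE_KNOWN = {fingerprint("constructed-token-A")}  # tokens this team created


def run_sample():
    return audit(SAMPLE_ROWS, SAMPLE_KNOWN, SAMPLE_TODAY)


if __name__ == "__main__":
    unknown, expiring = run_sample()
    print("valid tokens not in own inventory:", unknown)
    print("valid tokens expiring within 30 days:", expiring)
```

A valid token that is missing from your own inventory is expected when another developer account shares the trading account; if nobody can account for it, revoke it on the API Access Tokens page.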
What's next?
Additionally, we recommend reading the following related articles:
- Description of Access tokens
- Specifics of authorization in Test environment
- Guide for HTTP API
- Guide for WebSocket API
- Quick Start Guide for Production environment
- Quick Start Guide for Test environment