AOP Authentication

Overview

You will need to either obtain a TradeStation API Key if you do not already have one, or ask Client Services to enable your existing TradeStation API Key for AOP. See FAQ for instructions.

The AOP API uses the same general authentication process as the rest of the TradeStation API, which is documented here. The sections below contain the AOP-specific implementation details required for login and registration of TradeStation users. These modifications apply to both the Authorization Code Flow and the Authorization Code Flow with PKCE.

Info: Access Tokens configured with the AOP API Audience will not work with other non-AOP TradeStation endpoints.

User Registration

If your TradeStation API Key is configured for AOP access, you will be able to route users directly to Auth0 Universal Login so they can register as a TradeStation user. Registration is only required if the user does not already have TradeStation user credentials.

Steps:

  1. User is redirected to Universal Login via Authorization URL that contains query parameter enableRegistration set to true and query parameter page set to signup. Pass in other query parameters as shown in the table below.
  2. User completes registration and sets up MFA (Multi Factor Authentication).
  3. Client application completes Auth Code Flow or Auth Code Flow with PKCE.
  4. Client application receives access token and Refresh Token.
  5. Client application includes the access token when making requests to the AOP API.

Example Auth Code Flow Authorization URL for Registration:

https://signin.tradestation.com/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://exampleclientapp/callback&
audience=https://aopapi.tradestation.com&
state=STATE&
scope=openid offline_access profile email access:aop&
enableRegistration=true&
page=signup

Example Auth Code Flow with PKCE Authorization URL for Registration:

https://signin.tradestation.com/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://exampleclientapp/callback&
audience=https://aopapi.tradestation.com&
state=STATE&
scope=openid offline_access profile email access:aop&
code_challenge=MChCW5vD-3h03HMGFZYskOSTir7II_MMTb8a9rJNhnI&
code_challenge_method=S256&
enableRegistration=true&
page=signup

User Login

If the user already has TradeStation user credentials, the user logs in via Auth0 Universal Login.

  1. User is redirected to Universal Login via Authorization URL that contains query parameter enableRegistration set to true and query parameter page set to login. Pass in other query parameters as shown in the table below.
  2. User completes login and MFA (Multi Factor Authentication).
  3. Client application completes Auth Code Flow or Auth Code Flow with PKCE.
  4. Client application receives access token and Refresh Token.
  5. Client application includes the access token when making requests to the AOP API.

Example Auth Code Flow Authorization URL for Login:

https://signin.tradestation.com/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://exampleclientapp/callback&
audience=https://aopapi.tradestation.com&
state=STATE&
scope=openid offline_access profile email access:aop&
enableRegistration=true&
page=login

Example Auth Code Flow with PKCE Authorization URL for Login:

https://signin.tradestation.com/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://exampleclientapp/callback&
audience=https://aopapi.tradestation.com&
state=STATE&
scope=openid offline_access profile email access:aop&
code_challenge=MChCW5vD-3h03HMGFZYskOSTir7II_MMTb8a9rJNhnI&
code_challenge_method=S256&
enableRegistration=true&
page=login

AOP Authentication Query Parameter Details

| Parameter | Required/Optional | Value |
| --- | --- | --- |
| audience | required | An aspect of token-based authentication that serves as the singular resource identifier (audience) for that token. There can only be one audience per access token. Set to https://aopapi.tradestation.com for the AOP API. |
| scope | required | A space-separated list of scopes (case sensitive). openid scope is always required. offline_access is required for Refresh Tokens. access:aop is required for the AOP API. profile and email are required in order to obtain the user's registration information via the Get User Info Auth0 endpoint. See Scopes for more details. |
| enableRegistration | recommended | A custom parameter for enabling Registration via Universal Login. A value of true enables display of registration form in the Universal Login user interface. Defaults to false if value is not provided. |
| page | recommended | A custom parameter which determines whether the login or registration form is shown on the user's initial navigation to Universal Login. login shows the login form first, while signup shows the registration form first. Defaults to login if value is not provided. |