Refresh Tokens must be stored securely.
The offline_access scope must be included in the scope parameter of the authorization request to allow for Refresh Tokens.
Access Tokens have a lifetime of 20 minutes. After an Access Token has expired or it becomes invalid, the Refresh Token grant type is used in order to obtain a new Access Token. By default, Refresh Tokens of TradeStation API Keys will be valid indefinitely. You can request that they are configured to expire and rotate every 40 minutes for increased application security by contacting Client Services.
To refresh your Access Token, make a POST request to the /oauth/token endpoint, using grant_type=refresh_token and header content-type:application/x-www-form-urlencoded. If your TradeStation API Key is configured for expiring and rotating Refresh Tokens, you will receive a new Refresh Token in the response, in addition to the new Access Token.
|required||Set this to |
|required||The client application’s API Key.|
|optional||The secret for the client application’s API Key. Required for standard Auth Code Flow. Not required for Auth Code Flow with PKCE.|
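The refresh flow described above, as an added example that is not TradeStation's own code: it builds the form-encoded request, caches the Access Token until shortly before expiry, and persists a rotated Refresh Token to an owner-only file. The host in TOKEN_URL is a placeholder, the field names client_id, client_secret, refresh_token, access_token and expires_in are assumed from RFC 6749 rather than taken from this page, and TokenSession, save_refresh_token and http_send are hypothetical names.

```python
import json, os, tempfile, time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder host (assumption); only the /oauth/token path comes from the page.
TOKEN_URL = "https://auth.example.invalid/oauth/token"

def build_refresh_request(client_id, refresh_token, client_secret=None):
    # Field names other than grant_type are assumed from RFC 6749.
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": refresh_token}
    if client_secret is not None:  # omitted for Auth Code Flow with PKCE
        fields["client_secret"] = client_secret
    return Request(TOKEN_URL, data=urlencode(fields).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def save_refresh_token(path, token):
    # mkstemp creates the file 0600; os.replace swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.replace(tmp, path)

def http_send(req):
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenSession:
    def __init__(self, client_id, store_path, client_secret=None,
                 send=http_send, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.store_path, self.send, self.clock = store_path, send, clock
        self.access, self.expires_at = None, 0.0

    def access_token(self):
        # Refresh 60 s early so a request never carries an expired token.
        if self.access is None or self.clock() >= self.expires_at - 60:
            self.refresh()
        return self.access

    def refresh(self):
        with open(self.store_path) as f:
            current = f.read().strip()
        body = self.send(build_refresh_request(
            self.client_id, current, self.client_secret))
        rotated = body.get("refresh_token")
        if rotated and rotated != current:
            # Rotating keys: persist the replacement first so the next
            # refresh presents the current Refresh Token.
            save_refresh_token(self.store_path, rotated)
        self.access = body["access_token"]
        # 1200 s is the 20-minute lifetime stated above; expires_in is assumed.
        self.expires_at = self.clock() + int(body.get("expires_in", 1200))
```

The send and clock parameters exist so the session can be exercised without network access; in production the defaults apply.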