Rest operations

Security

Questrade's security measures support the OAuth 2.0 security protocol. Any OAuth library can be used to make requests against the Questrade API.

Questrade only allows API requests via HTTPS (TLS) and refuses connections made via HTTP. In addition, the required HTTP method (GET, POST, etc.) must also be defined.

Obtaining a refresh token

To make an authenticated call via your API application:

  1. In the API section of the Questrade security center, register your API application and obtain a client ID (an alpha-numeric identifier that Questrade assigns to a registered application).
  2. Generate a refresh token for your API application.
  3. Redeem the refresh token for an access token.

Obtaining an access token

Once you have a refresh token, you can redeem it for an access token to make authenticated calls through your API application. Redeeming the refresh token requires making a request to the access token endpoint using the following request parameters:

Request parameters

| Parameter | Type | Description |
|---|---|---|
| grant_type | String | Always set to “refresh_token”. |
| refresh_token | String | Refresh token you receive from the security centre. |

Response properties

| Property | Type | Description |
|---|---|---|
| access_token | String | Access token for making authenticated calls. |
| token_type | String | Type of token (always set to “Bearer”). |
| expires_in | Integer | Lifetime of the access token, in seconds, from the time it became active. |
| api_server | String | URL of the API server that the client application should contact. |

Sample request

POST /oauth2/token HTTP/1.1
Host: login.questrade.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f

Sample JSON response

{
	"access_token": "p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f",
	"token_type": "Bearer",
	"expires_in": 1800,
	"refresh_token": "aSBe7wAAdx88QTbwut0tiu3SYic3ox8F",
	"api_server": "https://api01.iq.questrade.com/v1"
}

Revoking authorization

To revoke authorization, you can do one of the following:

1. Go to API Centre > Personal applications, and click Revoke to immediately expire the token that was issued previously or click Delete to delete the personal app.

OR

2. Use the revoke endpoint to revoke the authorization from your application code as per the example below:
Revoke endpoint URL: https://login.questrade.com/oauth2/revoke

Revoke endpoint example

POST /oauth2/revoke HTTP/1.1
Host: login.questrade.com
Content-Type: application/x-www-form-urlencoded

token=p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f

Making an authorized request

Authorized requests can be made to the API servers. The URL of the API server is provided to your application in the response to every access token request you make. Once your application obtains an access token and the URL of the proxy server to contact, it can make authenticated calls on behalf of the user who authorized the application, using a number of REST endpoints.

Your API application must pass the access token in the “Authorization” HTTP header as described in the sample request below:

Sample authorized request

GET /v1/accounts HTTP/1.1
Host: api01.iq.questrade.com
Authorization: Bearer p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f
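
Added example (not Questrade's own code): a client-side sketch of the token redemption and authorized request described above. It form-encodes the refresh token, validates the token response before trusting it, and builds the Authorization header. The function names and the rule that api_server must be an HTTPS host under questrade.com are assumptions of this example; the tokens are the sample values from this page.

```python
import json
import time
from urllib.parse import urlencode, urlsplit

TOKEN_URL = "https://login.questrade.com/oauth2/token"  # host + path of the sample request
REQUIRED = ("access_token", "token_type", "expires_in", "api_server")

# Sample JSON response copied from this page (documentation placeholder tokens).
SAMPLE_RESPONSE = """{
  "access_token": "p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f",
  "token_type": "Bearer",
  "expires_in": 1800,
  "refresh_token": "aSBe7wAAdx88QTbwut0tiu3SYic3ox8F",
  "api_server": "https://api01.iq.questrade.com/v1"
}"""

def build_token_request(refresh_token):
    """Return (url, headers, body) for redeeming a refresh token."""
    # urlencode() turns '+' into %2B; sent raw, a form decoder reads '+' as a space.
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

def parse_token_response(raw, now=None):
    """Validate a token response; return the values needed for authorized calls."""
    data = json.loads(raw)
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError(f"token response is missing {missing}")
    if data["token_type"] != "Bearer":
        raise ValueError("unexpected token_type")
    server = urlsplit(data["api_server"])
    host = server.hostname or ""
    # Assumption: API servers sit under questrade.com, as in the sample response.
    if server.scheme != "https" or not host.endswith(".questrade.com"):
        raise ValueError("api_server must be an HTTPS questrade.com host")
    return {
        "api_server": data["api_server"].rstrip("/"),
        "authorization": "Bearer " + data["access_token"],
        "expires_at": (time.time() if now is None else now) + int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),  # returned in the sample; keep it
    }

def build_api_request(session, path):
    """Return (url, headers) for an authorized call such as 'accounts'."""
    url = session["api_server"] + "/" + path.lstrip("/")
    return url, {"Authorization": session["authorization"]}

if __name__ == "__main__":
    print(build_api_request(parse_token_response(SAMPLE_RESPONSE), "accounts")[0])
```

Keep the access token and refresh token out of logs and URLs, and refresh before expires_at rather than after a failed call.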

IQ API OAuth scopes

As part of its OAuth 2.0 implementation, IQ API defines OAuth scopes – permissions that the account holder grants to the authorized API client application. Each API call belongs to one and only one scope.

The following table describes scopes that the API provides and the mapping of API calls to these scopes.

| Scope | Scope identifier | API calls |
|---|---|---|
| Read account information | read_acc | GET time |
| | | GET accounts |
| | | GET accounts/:id/positions |
| | | GET accounts/:id/balances |
| | | GET accounts/:id/executions |
| | | GET accounts/:id/orders |
| | | GET symbols/:id |
| | | GET symbols/:id/options |
| | | GET markets |
| Read market data | read_md | GET markets/quotes/:id |
| | | GET markets/candles/:id |
| Trade | trade | POST accounts/:id/orders[/:orderId] |
| | | POST accounts/:id/orders[/:orderId]/impact |
| | | DELETE accounts/:id/orders/:orderId |