The Questrade API allows developers to create their own fully featured trading and analytical applications through their brokerage account.
Questrade secures the API with the OAuth 2.0 protocol. Any OAuth library can be used to make requests against the Questrade API.
Questrade only allows API requests via HTTPS (TLS) and refuses connections made via HTTP. The required HTTP method (GET, POST, etc.) must also be defined.
Obtaining a refresh token
To make an authenticated call via your API application:
- In the API section of the Questrade security center, register your API application and obtain a client ID (an alpha-numeric identifier that Questrade assigns to a registered application).
- Generate a refresh token for your API application.
- Redeem the refresh token for an access token.
Obtaining an access token
Once you have a refresh token, you can redeem it for an access token to make authenticated calls through your API application. Redeeming the authorization code requires making a request to the access token endpoint using the following request parameters:
Always set to “refresh_token”.
Refresh token you receive from the security centre.
Access token for making authenticated calls.
Type of token (always set to “Bearer”).
Duration of time for which the token is active (in seconds).
URL of the API server that the client application should contact.
Sample JSON response
"p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f" "Bearer" 1800 "aSBe7wAAdx88QTbwut0tiu3SYic3ox8F" "https://api01.iq.questrade.com/v1"
To revoke authorization, you can do one of the following:
- Go to API Centre > Personal applications, and click Revoke to immediately expire the token that was issued previously or click Delete to delete the personal app.
- Use the revoke endpoint to revoke the authorization from your application code as per the example below:
Revoke endpoint URL: https://login.questrade.com/oauth2/revoke
Revoke endpoint example
Making an authorized request
Authorized requests can be made to the API servers. The URL of the API server is provided to your application in the response to every access token request you make. Once your application obtains an access token and the URL of the proxy server to contact, it can make authenticated calls on behalf of the user that authorized the application using a number of REST endpoints.
Your API application must pass the access token in the “Authorization” HTTP header as described in the sample request below:
Sample authorized request
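The following is an added example, not code from Questrade: it validates a token response before the bearer token is attached to any request, then builds (without sending) an authorized GET. The JSON field names are the standard OAuth 2.0 ones plus an assumed `api_server` key, since the sample above lost its keys; the `.questrade.com` host check and the 30-second expiry margin are also assumptions.

```python
import json
import time
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed from the values in the page's sample; the key names are assumed.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f",
    "token_type": "Bearer",
    "expires_in": 1800,
    "refresh_token": "aSBe7wAAdx88QTbwut0tiu3SYic3ox8F",
    "api_server": "https://api01.iq.questrade.com/v1",
})

def parse_token_response(body, now=None, allowed_suffix=".questrade.com"):
    """Validate a token response and return the values needed for later calls."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    url = urlsplit(data["api_server"])
    host = url.hostname or ""
    # The API is HTTPS-only: never hand a bearer token to a cleartext
    # endpoint or to a host outside the expected domain.
    if url.scheme != "https" or not host.endswith(allowed_suffix):
        raise ValueError("refusing api_server: " + data["api_server"])
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data["refresh_token"],  # keep for the next redemption
        "api_server": data["api_server"].rstrip("/") + "/",
        "expires_at": now + int(data["expires_in"]) - 30,  # assumed safety margin
    }

def authorized_request(session, path, now=None):
    """Build a GET that carries the token in the Authorization header."""
    now = time.time() if now is None else now
    if now >= session["expires_at"]:
        raise RuntimeError("access token expired; redeem the refresh token again")
    url = urljoin(session["api_server"], path.lstrip("/"))
    return urllib.request.Request(
        url, method="GET",
        headers={"Authorization": "Bearer " + session["access_token"]})
```

Pass the returned `Request` to `urllib.request.urlopen` to send it, and keep both tokens out of logs and source control.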
IQ API OAuth scopes
As part of its OAuth 2.0 implementation, IQ API defines OAuth scopes – permissions that the account holder grants to the authorized API client application. Each API call belongs to one and only one scope.
The following table describes scopes that the API provides and the mapping of API calls to these scopes.
|Scope||Scope identifier||API calls|
Read account information
GET time GET accounts
Read market data