Questrade's API security model is based on the OAuth 2.0 protocol. Any OAuth 2.0 client library can be used to make requests against the Questrade API.
Questrade only accepts API requests over HTTPS (TLS) and refuses connections made over plain HTTP. In addition, each call must use the HTTP method (GET, POST, etc.) that the endpoint requires.
Obtaining a refresh token
To make an authenticated call via your API application:
- In the API section of the Questrade security centre, register your API application and obtain a client ID (an alphanumeric identifier that Questrade assigns to a registered application).
- Generate a refresh token for your API application.
- Redeem the refresh token for an access token.
Obtaining an access token
Once you have a refresh token, you can redeem it for an access token that your API application then uses to make authenticated calls. Treat the refresh token as a long-lived credential: anyone who holds it can obtain access tokens for the account. Redeeming the refresh token means making a request to the token endpoint with the following request parameters:
|Parameter ||Type ||Description |
|grant_type ||String ||Always set to “refresh_token”. |
|refresh_token ||String ||Refresh token you received from the security centre. |
The token endpoint replies with a JSON object containing the following properties:
|Property ||Type ||Description |
|access_token ||String ||Access token for making authenticated calls. |
|token_type ||String ||Type of token (always set to “Bearer”). |
|expires_in ||Integer ||Lifetime of the access token, in seconds, counted from when it was issued. |
|api_server ||String ||URL of the API server that the client application should contact. |
Token endpoint URL: https://login.questrade.com/oauth2/token
Token endpoint example
POST /oauth2/token HTTP/1.1
Sample JSON response
To revoke authorization, you can do one of the following:
1. Go to API Centre > Personal applications, and click Revoke to immediately expire the token that was issued previously, or click Delete to delete the personal app.
2. Use the revoke endpoint to revoke the authorization from your application code, as in the example below:
Revoke endpoint URL: https://login.questrade.com/oauth2/revoke
Revoke endpoint example
POST /oauth2/revoke HTTP/1.1
Making an authorized request
Authorized requests are made to the API servers. The URL of the API server is returned in the response to every access token request your application makes. Once your application has an access token and the URL of the API server to contact, it can make authenticated calls on behalf of the user who authorized the application, using a number of REST endpoints.
Your API application must pass the access token in the “Authorization” HTTP header, as in the sample request below:
Sample authorized request
GET /v1/accounts HTTP/1.1
Authorization: Bearer p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f
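The three exchanges described above (redeeming a refresh token at /oauth2/token, calling an API server with the bearer token, and revoking at /oauth2/revoke) as one runnable Python client. This is an added example, not Questrade's own code: the endpoint URLs and JSON property names come from this page, while the function names, the Session class, the 60-second expiry margin, the `token` form field used for revocation, the api_server value, and the offline fake transport with its responses are assumptions constructed for the example.

```python
# Added example, not Questrade's code. Endpoint URLs and JSON property names follow
# the page; function names, Session, the expiry margin, the revoke form field name
# and the offline fake transport with its responses are assumptions/constructed data.
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

TOKEN_URL = "https://login.questrade.com/oauth2/token"
REVOKE_URL = "https://login.questrade.com/oauth2/revoke"
SKEW_SECONDS = 60  # assumed margin: treat the token as expired this long before expires_in
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


@dataclass
class Session:
    access_token: str
    api_server: str    # always https, normalised to end with "/"
    expires_at: float  # absolute epoch seconds

    def expired(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - SKEW_SECONDS


def https_transport(method, url, headers=None, body=None):
    """Real transport over TLS; refuses plain-http URLs before sending anything."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing non-TLS URL: %s" % url)
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


def redeem_refresh_token(refresh_token, transport=https_transport, now=None):
    """POST grant_type=refresh_token to the token endpoint and validate the reply."""
    body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": refresh_token}).encode()
    status, raw = transport("POST", TOKEN_URL, FORM, body)
    if status != 200:
        raise RuntimeError("token endpoint returned HTTP %d" % status)
    tok = json.loads(raw)
    for key in ("access_token", "token_type", "expires_in", "api_server"):
        if key not in tok:
            raise ValueError("token response missing %r" % key)
    if tok["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type %r" % tok["token_type"])
    api_server = tok["api_server"].rstrip("/") + "/"
    if urllib.parse.urlsplit(api_server).scheme != "https":
        raise ValueError("api_server is not https: %r" % tok["api_server"])
    issued = time.time() if now is None else now
    return Session(tok["access_token"], api_server, issued + int(tok["expires_in"]))


def authorized_get(session, path, transport=https_transport, now=None):
    """GET a path on the session's api_server, sending the bearer token."""
    if session.expired(now):
        raise RuntimeError("access token expired; redeem the refresh token again")
    url = urllib.parse.urljoin(session.api_server, path.lstrip("/"))
    status, raw = transport("GET", url, {"Authorization": "Bearer " + session.access_token})
    if status == 401:
        raise PermissionError("access token rejected by %s" % url)
    if status != 200:
        raise RuntimeError("HTTP %d from %s" % (status, url))
    return json.loads(raw)


def revoke(token, transport=https_transport):
    """Revoke at /oauth2/revoke. The 'token' form field is an assumption (RFC 7009
    style); the page shows the request line but not the body."""
    body = urllib.parse.urlencode({"token": token}).encode()
    status, _ = transport("POST", REVOKE_URL, FORM, body)
    return status == 200


# --- constructed offline stand-in for the network; not real Questrade responses ---
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "p4VTj45GhS8lY7aFoKDNZxB8yQHMOr+f",  # the page's sample token
    "token_type": "Bearer",
    "expires_in": 1800,
    "api_server": "https://api01.iq.questrade.com/",  # constructed value
}
SAMPLE_ACCOUNTS = {"accounts": [{"type": "Margin", "number": "00000001"}]}  # constructed


def fake_transport(method, url, headers=None, body=None):
    headers = headers or {}
    if method == "POST" and url == TOKEN_URL:
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != "good-refresh-token":
            return 400, b'{"error":"invalid_grant"}'
        return 200, json.dumps(SAMPLE_TOKEN_RESPONSE).encode()
    if method == "POST" and url == REVOKE_URL:
        return 200, b""
    if url.startswith(SAMPLE_TOKEN_RESPONSE["api_server"]):
        if headers.get("Authorization") != "Bearer " + SAMPLE_TOKEN_RESPONSE["access_token"]:
            return 401, b""
        return 200, json.dumps(SAMPLE_ACCOUNTS).encode()
    return 404, b""


if __name__ == "__main__":
    s = redeem_refresh_token("good-refresh-token", transport=fake_transport)
    print(authorized_get(s, "v1/accounts", transport=fake_transport))
    print("revoked:", revoke(s.access_token, transport=fake_transport))
```

Run as-is the script only talks to the fake transport; leave the `transport` argument at its default to reach the real endpoints. The checks are the ones the page implies rather than extras: the transport refuses any non-https URL before a byte is sent, the token response must carry the four documented properties with a Bearer token_type and an https api_server, and the client treats the token as expired a minute before expires_in runs out instead of discovering the 401 mid-session.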
IQ API OAuth scopes
As part of its OAuth 2.0 implementation, IQ API defines OAuth scopes: permissions that the account holder grants to the authorized API client application. Each API call belongs to exactly one scope.
The following table describes scopes that the API provides and the mapping of API calls to these scopes.
|Scope ||Scope identifier ||API calls |
|Read account information ||read_acc ||GET time |
|Read market data ||read_md ||GET markets/quotes/:id |
|Trade ||trade ||POST accounts/:id/orders[/:orderId] |