Token verification and session
cTrader → broker CRM endpoints. The broker's CRM must implement these; cTrader calls them during login, session verification and in-app actions. Authenticated with the CRM API token (see Authentication of API calls).
Verify and exchange an OT token
Verifies an OT token and exchanges it for a long-term access token.
| Method | URL |
|---|---|
| POST | /oauth2/onetime/authorize |
Request body
| Key | Required? | Data type | Description |
|---|---|---|---|
| code | Yes | string | An OT token generated by the broker's backend. |
Output
| Key | Data type | Description |
|---|---|---|
| accessToken | string | A non-repeatable token allowing for long-term access to the trading environment. It is only returned if a user has previously clicked on the 'Keep Me Logged In' tick box or a similarly named alternative. |
| userId | integer | The unique ID of a specific user. |
| inappToken | string | An optional token that you can use for additional validation when generating an OT token for an in-app action. |
Expected status code
200
Errors
See Error codes.
Request example
```bash
curl -X POST 'https://brokerCrmUrl.com/oauth2/onetime/authorize?crmApiToken=cr56mng23454laf5545sdfdf234fs541200sdf' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"code": "16chD7xeIxc3p387Cjdcnpax2er"}'
```
Response example
```json
{
  "accessToken": "0eZXAw8GJQ55RlDcALSVi6xPDHTRCivfE9STSyBfeMxRWZAGEIe0VujpibDP",
  "userId": 10345533,
  "inappToken": "12MBoxLAP_2313PxolklqPX_weq1kjksaPASDHJ_sx"
}
```
Verify a long-term access token
Verifies a long-term access token during the automatic re-login flow.
| Method | URL |
|---|---|
| POST | /oauth2/authorize |
Request body
| Key | Required? | Data type | Description |
|---|---|---|---|
| accessToken | Yes | string | A non-repeatable token allowing for long-term access to the trading environment. |
Output
| Key | Data type | Description |
|---|---|---|
| userId | integer | The unique ID of a specific user. |
| inappToken | string | An optional token that you can use for additional validation when generating an OT token for an in-app action. |
Expected status code
200
Errors
See Error codes.
Request example
```bash
curl -X POST 'https://brokerCrmUrl.com/oauth2/authorize?crmApiToken=cr56mng23454laf5545sdfdf234fs541200sdf' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"accessToken": "0eZXAw8GJQ55RlDcALSVi6xPDHTRCivfE9STSyBfeMxRWZAGEIe0VujpibDP"}'
```
Response example
```json
{
  "userId": 10345533,
  "inappToken": "12MBoxLAP_2313PxolklqPX_weq1kjksaPASDHJ_sx"
}
```
Generate an OT token for an in-app action
Requests the creation of an OT token required for performing an in-app action.
| Method | URL |
|---|---|
| POST | /oauth2/onetime/generate |
Parameters
| Parameter | Parameter type | Required? | Data type | Description |
|---|---|---|---|---|
| inappToken | query | No | string | An optional token that you can use for additional validation when generating an OT token for an in-app action. |
Request body
| Key | Required? | Data type | Description |
|---|---|---|---|
| userId | Yes | integer | The unique ID of a specific user. |
Output
| Key | Data type | Description |
|---|---|---|
| token | string | An OT token generated by the broker's backend. |
Expected status code
200
Errors
See Error codes.
Request example
```bash
curl -X POST 'https://brokerCrmUrl.com/oauth2/onetime/generate?inappToken=12MBoxLAP_2313PxolklqPX_weq1kjksaPASDHJ_sx&crmApiToken=cr56mng23454laf5545sdfdf234fs541200sdf' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d '{"userId": 10345533}'
```
Response example
```json
{
  "token": "16chD7xeIxc3p387Cjdcnpax2er"
}
```
Log out a user from the CRM
Logs out the user with the specified userId from the CRM.
| Method | URL |
|---|---|
| PUT | /oauth2/logout |
Parameters
| Parameter | Parameter type | Required? | Data type | Description |
|---|---|---|---|---|
| userId | query | Yes | string | The unique ID of a specific user. |
| accessToken | query | Yes | string | A non-repeatable token allowing for long-term access to the trading environment. It is only returned if a user has previously clicked on the 'Keep Me Logged In' tick box or a similarly named alternative. |
The primary purpose of this API call is to log out a user from your client area whenever they log out of any cTrader app.
Expected status code
200
Errors
See Error codes.
Request example
```bash
curl -X PUT 'https://brokerCrmUrl.com/oauth2/logout?crmApiToken=cr56mng23454laf5545sdfdf234fs541200sdf&userId=10345533&accessToken=0eZXAw8GJQ55RlDcALSVi6xPDHTRCivfE9STSyBfeMxRWZAGEIe0VujpibDP' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json'
```
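The following added example, which is not part of the original documentation and is not cTrader or broker code, shows one way a CRM backend could hold the token state behind the four endpoints above: OT tokens are single-use and expire, tokens are stored only as SHA-256 digests, an in-app OT token is bound to the user's `inappToken`, and logout revokes the access token. The class and method names, the 60-second lifetime, and returning `None` for the error case are assumptions; HTTP routing and the `crmApiToken` check are left out.

```python
import hashlib
import hmac
import secrets
import time

OT_TTL = 60  # seconds; assumed, the page does not state a lifetime

def _h(token):  # only digests are kept, so a leaked store holds no usable tokens
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    """Hypothetical in-memory state behind the CRM's /oauth2/* handlers."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.ot = {}      # digest -> (userId, keep_logged_in, expiry)
        self.access = {}  # digest -> userId
        self.inapp = {}   # userId -> digest of the current inappToken

    def issue_ot(self, user_id, keep_logged_in=False):  # broker backend, at login
        token = secrets.token_urlsafe(24)
        self.ot[_h(token)] = (user_id, keep_logged_in, self.clock() + OT_TTL)
        return token

    def authorize_ot(self, code):  # POST /oauth2/onetime/authorize
        user_id, keep, expiry = self.ot.pop(_h(code), (None, False, 0))  # pop: single use
        if user_id is None or self.clock() > expiry:
            return None
        out = {"userId": user_id, "inappToken": secrets.token_urlsafe(32)}
        self.inapp[user_id] = _h(out["inappToken"])
        if keep:  # accessToken only after 'Keep Me Logged In'
            out["accessToken"] = secrets.token_urlsafe(48)
            self.access[_h(out["accessToken"])] = user_id
        return out

    def authorize_access(self, access_token):  # POST /oauth2/authorize
        user_id = self.access.get(_h(access_token))
        return None if user_id is None else {"userId": user_id}

    def generate_inapp_ot(self, user_id, inapp_token):  # POST /oauth2/onetime/generate
        # Bind the request to the inappToken handed out at the last login.
        if not hmac.compare_digest(_h(inapp_token), self.inapp.get(user_id, "")):
            return None
        return {"token": self.issue_ot(user_id)}

    def logout(self, user_id, access_token):  # PUT /oauth2/logout
        if self.access.get(_h(access_token)) != user_id:  # token must belong to userId
            return False
        del self.access[_h(access_token)]
        self.inapp.pop(user_id, None)
        return True
```

A handler that receives `None` or `False` from these methods would answer with the matching entry from Error codes instead of status 200.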