OAuth2 Authentication

The Aries API uses OAuth2 Authorization Code flows. Your app redirects users to Aries for login, they grant permissions, and Aries issues access and refresh tokens. Choose the flow that matches your application architecture.

New to OAuth2? Start with the Quick Start to make your first API call in minutes, then return here for implementation details.

Endpoints

Purpose	Endpoint
Authorization	`https://app.aries.com/oauth2/authorize`
Token exchange & refresh	`POST https://api.aries.com/v1/oauth2/token`

Available Scopes

Request only the scopes your application needs.

Scope	Description	Example endpoints
`user:information`	View user profile and personal details	`GET /v1/users/me`
`account:information`	View account balances, positions, and transaction history	`GET /v1/users/me/accounts` `GET /v1/accounts/{id}/balances` `GET /v1/accounts/{id}/positions`
`order:execution`	Place, modify, and cancel orders	`POST /v1/orders` `PUT /v1/orders` `DELETE /v1/orders`
`order:information`	View order history, status, and execution reports	`GET /v1/accounts/{id}/orders`
`position:information`	View current positions and holdings	`GET /v1/accounts/{id}/positions`
`market:information`	Access live and historical market data	`GET /v1/marketdata/search` `WSS /v1/market/ws`
`calendar:information`	Access earnings, economic, and market schedule data	`GET /v1/calendars/economics` `GET /v1/calendars/earnings`
`options:information`	Access options chains, Greeks, and expiration data	`GET /v1/options/stocks/top-volume` `GET /v1/options/etfs/top-volume`
`analytics:information`	View analytics, ratings, and market insights	`GET /v1/analytics/ratings` `GET /v1/analytics/market-breadth`
`market:supplemental`	Comprehensive market data: news, company profiles, financials, filings, ETF data, technical analysis	`GET /v1/news` `GET /v1/company/profile` `GET /v1/financials/statements`

Specify multiple scopes as a space-separated string: account:information order:execution market:information

Choose your flow

Authorization Code Flow

Server-side apps that can securely store client_secret.

PKCE Flow

SPAs and mobile apps that cannot store client_secret.

How it works

Both flows follow this sequence. The difference is how you authenticate when exchanging the code for tokens: the Authorization Code flow uses client_secret, while PKCE uses a code_verifier derived from a one-time random value.

Security Best Practices

Store credentials securely

Never hardcode client_secret or tokens in source code. Use environment variables or a secrets manager.

Use HTTPS only

Always use HTTPS for redirect URIs and all API calls in production. Never transmit credentials over HTTP.

Validate the state parameter

Always generate and verify state to prevent CSRF attacks. Generate a new random value per authorization request.

Rotate tokens proactively

Refresh access tokens before they expire. Persist any newly issued refresh_token returned in the response.

Rate Limits

Rate limits vary by endpoint category:

Authentication

10 requests/minute

User Management

100 requests/minute

Market Data

1,000 requests/minute

Trading

50 requests/minute

Rate limit headers are included in every response:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000

When you hit a rate limit (429 Too Many Requests), wait until X-RateLimit-Reset before retrying, or use exponential backoff.

Troubleshooting

invalid_grant — Authorization code expired or already used

Causes: The code expired (10 minutes) or was already exchanged (single-use).
Solution: Start the OAuth flow again and exchange the code immediately after receiving it.

invalid_client — Client authentication failed

Causes: Incorrect client_id or client_secret, or the client was deleted or disabled.
Solution: Verify credentials in Client Center. Regenerate client_secret if lost (it is shown only once).

invalid_scope — Requested scope is invalid

Causes: Typo in scope name (case-sensitive) or scope not enabled for your client.
Solution: Check scope names against the Available Scopes table and client configuration.

redirect_uri_mismatch

Causes: The redirect_uri does not exactly match a registered URI (including protocol, path, and trailing slashes).
Solution: Register all redirect URIs in Client Center. Values must match character for character.

access_denied — User denied authorization

Cause: The user clicked “Deny” on the consent screen.
Solution: Show a clear message explaining why permissions are needed and offer a retry. Consider requesting fewer scopes if users frequently deny.

Next steps

Authorization Code Flow

Implement server-side OAuth2 with client_secret.

PKCE Flow

Implement OAuth2 for SPAs and mobile apps without client_secret.

OAuth2 Token API

Token endpoint reference and interactive testing.

Quick Start

Get your first API call working in minutes.

Implementation

​Endpoints

​Available Scopes

​Choose your flow

Authorization Code Flow

PKCE Flow

​How it works

​Security Best Practices

Store credentials securely

Use HTTPS only

Validate the state parameter

Rotate tokens proactively

​Rate Limits

Authentication

User Management

Market Data

Trading

​Troubleshooting

​Next steps

Authorization Code Flow

PKCE Flow

OAuth2 Token API

Quick Start

Endpoints

Available Scopes

Choose your flow

How it works

Security Best Practices

Rate Limits

Troubleshooting

Next steps