Module skeleton. The Auth module already has a complete guide — this page orients you and points to it. Everything in the Orders, Account, and Market Data modules depends on having a valid access token first.
Every Aries API call — REST or WebSocket — needs an access token. You get one through OAuth2: send the user to Aries to sign in, receive an authorization code, and exchange it for a token. Then you attach that token to every request.

Where to go

OAuth2 overview

Plain-English walkthrough: terms, scopes, and which flow to pick.

Authorization Code flow

For apps with a backend that can hold a client_secret.

PKCE flow

For browser SPAs and mobile apps with no server secret.

Token endpoint

Exchange codes and refresh tokens at POST /v1/oauth2/token.

Using the token

Once you have an access_token:
  • REST: send it as a header — Authorization: Bearer YOUR_ACCESS_TOKEN.
  • WebSocket: authenticate within 5 seconds of connecting by sending it in the auth request.
Request only the scopes you need — e.g. order:execution to place orders, account:information to read balances and positions.

Quick Start

Get a working authenticated API call in a few minutes.