A terminal and your preferred language runtime (Node.js 18+, Python 3.8+, or any HTTP client for cURL)
If you are new to APIs, you can still follow this page. The steps appear in the order you need to complete them. First, you create an API app in Aries. Next, you send the user to Aries so they can sign in and approve access. Then you receive a code, exchange it for tokens, and use the access token to call Aries endpoints.
Before your app can talk to Aries, you need to register it. This lets Aries know which app is making the request and what permissions that app will ask for.When you complete this step, Aries gives you two credentials:
Client ID - A public identifier for your app
Client Secret - A private secret that proves the request is coming from your app
Client Name - A descriptive name for your app, such as My Trading App
Redirect URIs - The URL Aries sends the user back to after they approve access, such as https://yourapp.com/oauth/callback
Scopes - The permissions your app needs, such as account access, market data access, and order permissions
Click Generate API key.
What each field means:
Client Name helps you recognize the app later in Aries.
Redirect URIs tells Aries where to return the user after sign-in and approval. The value must exactly match the redirect URI you register in Client Center / Manage Account.
Scopes tell Aries what data or actions your app wants permission to access.
For the examples on this page, use these accepted scopes:
user:information - View user profile and personal details
account:information - View account balances, positions, and account history
order:execution - Place, modify, and cancel orders
order:information - View order history and order status
position:information - View current positions and holdings
market:information - Access live and historical market data
calendar:information - Access earnings, economic, and market schedule data
options:information - Access options chains, Greeks, and expiration data
analytics:information - View ratings, analytics, and market insights
market:supplemental - Access news, company profiles, financials, filings, ETF data, and technical analysis
If your app does not need all of these permissions, request only the scopes you actually use. You can also review the full scope explanations in the OAuth2 guide.Once the API key is generated, you will see your Client ID and Client Secret.
The client_secret is shown only once. Copy it immediately and store it in an environment variable or secrets manager. If you lose it, you’ll need to regenerate it.
Redirect users from your application to the Aries authorization page, where they sign in and grant your application permission to access the requested user scopes. Once authorization is complete, Aries redirects the user back to your application with an authorization code, which you will exchange for an access token in the next step.The authorization URL looks like this:
Replace YOUR_CLIENT_ID, YOUR_REDIRECT_URI, and scope in the URL above with your real values from Step 1.What these values mean:
YOUR_CLIENT_ID - The client ID Aries gave you when you created the app
YOUR_REDIRECT_URI - The same callback URL you registered in Aries
scope - The permissions your app is requesting
state - A random value your app generates to help protect the sign-in flow
In most apps, you build this URL in code and then redirect the user to it automatically. If you want more detail about this step, see the OAuth2 guide or the Authorization Code flow guide.
Now exchange the authorization code from Step 2 for tokens.The most important token is the access token. You send this token with every protected API request. Aries uses it to confirm that your app is allowed to act on behalf of the signed-in user.You also receive a refresh token. When the access token expires, the refresh token lets you request a new access token without asking the user to sign in again.In simple terms:
{ "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...", // Use this for API requests "token_type": "Bearer", "expires_in": 3600, // Seconds until expiry (1 hour) "refresh_token": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0...", // Use to get a new access_token "scope": "user:information account:information order:execution order:information position:information market:information calendar:information options:information analytics:information market:supplemental" // Granted scopes}
What each field means:
access_token - Send this token with your API requests
token_type - Usually Bearer
expires_in - How long the access token remains valid
refresh_token - Use this later to get a new access token
scope - The permissions that were granted
Store the access_token, refresh_token, and expiry time in a secure place. You will need the access token for the next steps.-> Full reference: OAuth2 Token
Now that you have an access token, you can make your first authenticated API call.This step fetches the user’s linked brokerage accounts. If your app will place trades, this step is important because you need the trading_account_id from the response.You can think of this step as: “Show me which accounts this signed-in user can use.”
Before you can request market data or place an order, you need the correct symbol for the stock or asset you want to use.This step lets you search by company name or ticker symbol. In the example below, the search uses AAPL.You will use the returned symbol in the next two steps.
Now use the symbol to fetch current market data.This step helps you see the latest available price information before placing an order. For example, you may want to review the last traded price, the current bid and ask, or the price change before deciding what order price to send.