IIFL Securities Open APIs provide the backend infrastructure for various trading functions that can be integrated into applications. Clients can access their trading/demat account details and trade through the APIs. To keep such transactions secure, security controls are required, and the Open APIs’ authentication mechanism provides this security for the infrastructure. But let’s first understand what authentication means.
Authentication:
Authentication verifies the identity of the person accessing a system or sending requests through APIs. It can be done by validating the user’s username and password or with session tokens. IIFL Securities provides a user ID and user password to each client and partner accessing the Open APIs; these are issued along with the other API keys. The user ID is a unique identifier for the user, and the user password is the unique password for accessing the API through the associated user ID. In addition, the Open APIs work only with session tokens, either a cookie or a JWT token. Before moving on to the usage of these session tokens, let’s understand what a cookie or JWT token is.
Cookie:
Whenever a user visits a website, certain cookies get stored in their web browser. These cookies store the user’s data in small blocks. Whenever a user logs into a platform, the platform generates an authentication web cookie and stores it in the browser. Let’s understand this with the example of Facebook.
A user opens the web browser and logs into Facebook. Facebook has now generated an authentication cookie for the user and stored it in the browser. Now the user closes the Facebook tab and visits some other web pages. If the user opens the Facebook page again in the same browser, he doesn’t have to log in again, because his authentication cookie is already stored in the browser; it identifies the user and logs him in to the dashboard automatically.
This way, cookies authenticate the user and make the user’s journey on a digital platform seamless. IIFL Securities also provides a similar web cookie on calling the login API. This cookie is generated with the name “IIFLMarcookie” and is required in every other API for a successful request. In an API request, this cookie is passed in the headers with the key “Cookie” and the value “IIFLMarcookie:{cookie_value}”.
JWT Token:
A JWT token, or JSON Web Token, is a base64-encoded JSON object that is usually generated using a private key. The token contains the identity of the user. It is generated by the login methods and is required in further API calls. IIFL Securities has structured its APIs so that the user can easily pass the JWT token in the payload of the Open APIs. JWTs usually come with an expiry and are short-lived. Some of the Open APIs, such as the place, modify and cancel order APIs, ask for the JWT in the request payload data. Some, including the historical candle API, ask for the JWT in the headers, and some, including the mutual fund APIs, ask for the JWT as a bearer token. In every case it is required for successful authentication of the user.
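To make the structure of a JWT concrete, here is an added example (not code from IIFL Securities or its Open APIs) that builds and checks a token with the standard library only. It assumes an HMAC-SHA256 (HS256) signature with a constructed shared secret rather than the private-key signing the text mentions; the claim names and values are constructed for illustration. The point a practitioner should take from it: the payload is merely base64url-encoded, so anyone can read it, and the claims (including the expiry) mean nothing until the signature has been verified.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    # JWT parts use base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encoding time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed token: header.payload.signature, each base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Read the payload without any checking. Useful for inspection only:
    a forged token decodes just as cleanly as a genuine one."""
    _, body_b64, _ = token.split(".")
    return json.loads(_b64url_decode(body_b64))


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm the verifier expects; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    # 'exp' is seconds since the epoch; a token is unusable at or after it
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed; a real secret is never in code
    token = make_jwt({"sub": "client-0001", "exp": 1_700_036_000}, SECRET)
    print(token)
    print(verify_jwt(token, SECRET, now=1_700_000_000))
```

The expiry check is done against a caller-supplied clock so the behaviour at the boundary can be tested deterministically; in production the default `time.time()` is used.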
Expiry of Session Tokens:
Both the JWT token and the cookie have an expiry. The token stays valid for 10 hours and the cookie for 8 hours from the time of generation, provided they are being actively used in the APIs. If a token is not used in any API for 30 minutes, i.e. if it is inactive for 30 minutes, it expires automatically.
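The two limits above interact: a session can lapse either because its absolute lifetime (10 hours for the JWT, 8 hours for the cookie) has run out or because 30 minutes passed without a call, whichever comes first. The following added example (not IIFL Securities code) models that policy on the client side so an integration can tell in advance that it must call the login API again instead of sending a request that will be rejected. It assumes that a credential is already expired exactly at the boundary (10 hours, 8 hours, 30 minutes); the page does not say whether the boundary itself is still valid.

```python
from dataclasses import dataclass

HOUR = 3600
MINUTE = 60

# Lifetimes as stated in the text: JWT 10 h, cookie 8 h, both lapse after 30 min idle
MAX_LIFETIME = {"jwt": 10 * HOUR, "cookie": 8 * HOUR}
IDLE_TIMEOUT = 30 * MINUTE


@dataclass
class SessionCredential:
    kind: str           # "jwt" or "cookie"
    issued_at: float    # epoch seconds when the login API returned it
    last_used: float = None

    def __post_init__(self):
        if self.kind not in MAX_LIFETIME:
            raise ValueError(f"unknown credential kind {self.kind!r}")
        if self.last_used is None:
            # Issuance counts as the first use for the idle timer
            self.last_used = self.issued_at

    def is_valid(self, now: float) -> bool:
        # Assumption: the boundary instant itself is already expired
        within_lifetime = now - self.issued_at < MAX_LIFETIME[self.kind]
        recently_used = now - self.last_used < IDLE_TIMEOUT
        return within_lifetime and recently_used

    def use(self, now: float) -> None:
        """Record an API call; refuse a credential that has already lapsed."""
        if not self.is_valid(now):
            raise PermissionError(f"{self.kind} expired; call the login API again")
        self.last_used = now


def first_failure(kind: str, issued_at: float, call_times):
    """Replay a sequence of call timestamps against a fresh credential and
    return the timestamp of the first call that would be refused, or None."""
    cred = SessionCredential(kind, issued_at)
    for t in sorted(call_times):
        try:
            cred.use(t)
        except PermissionError:
            return t
    return None


if __name__ == "__main__":
    # Constructed schedules: a call every 20 minutes keeps the idle timer alive,
    # so only the absolute lifetime ends the session
    every_20_min = range(0, 12 * HOUR, 20 * MINUTE)
    print("cookie lapses at", first_failure("cookie", 0, every_20_min))   # 28800 (8 h)
    print("jwt lapses at", first_failure("jwt", 0, every_20_min))         # 36000 (10 h)
    # A gap of 30 min 1 s between calls expires the JWT long before 10 h
    print("idle jwt lapses at", first_failure("jwt", 0, [600, 1200, 1200 + 1801]))
```

Running `first_failure` with a realistic polling schedule is a cheap way to confirm that a client's refresh logic re-authenticates before, not after, the server would reject the session.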