Authentication
Authentication forms the cornerstone of the Arrow Developer API Suite, ensuring secure access to all platform services. This guide provides comprehensive instructions for generating authentication tokens and establishing secure API connections.
Prerequisites
Before proceeding with authentication, ensure you have:
- Valid Arrow user credentials
- Registered your redirect URL in the Developer Apps section of the main Trading App (click the profile icon, then click Developer Apps in the dropdown menu)
- Filled in the form with the required data (the static IP is now mandatory as per the latest SEBI Circular)
- Your application credentials, appID and appSecret, handy
Authentication Flow
The Arrow API employs a secure authentication process combining OAuth-style redirects with SHA256 cryptographic verification.
Step 1: Initiate Login Session
Navigate to the Arrow authentication endpoint with your application ID:
Step 2: Complete User Authentication
- Enter your User ID, Password, and TOTP (Time-based One-Time Password)
- Upon successful authentication, you'll be redirected to your registered redirect URL
- Extract the following parameters from the redirect URL query string:
  - request-token: Temporary authentication token
  - checksum: SHA256 hash of request-token:appID for verification
Step 3: Generate Access Token
Create a secure checksum by generating the SHA256 hash of the concatenated string appID:appSecret:request-token.
Security Notice
Ensure proper concatenation with colons (:) as delimiters. Incorrect formatting will result in authentication failure.
Step 4: Token Exchange
Submit a POST request to exchange your request token for an access token:
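```bash
curl --location 'https://edge.arrow.trade/auth/app/authenticate-token' \
  --header 'Content-Type: application/json' \
  --data '{
    "checkSum": "<SHA256_OF_appID:appSecret:request-token>",
    "token": "<YOUR_REQUEST_TOKEN>",
    "appID": "<YOUR_APP_ID>"
  }'
```

```javascript
// sha256Hash:   SHA256 of appID:appSecret:request-token (Step 3)
// requestToken: the request-token value taken from the redirect URL (Step 2)
// yourappID:    your application ID
// Top-level await requires an ES module; otherwise call this inside an async function.
const response = await fetch('https://edge.arrow.trade/auth/app/authenticate-token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    checkSum: sha256Hash,
    token: requestToken,
    appID: yourappID
  })
});
```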
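Steps 2 through 4 as an added Node.js example (not Arrow's own code): it verifies the redirect checksum before the request token is used, then builds the body for the token exchange. It assumes both checksums are hex-encoded SHA256 digests, which this page does not state; the function names, sample credentials and redirect URL are constructed.

```javascript
// Added example (not Arrow's code). Assumption: checksums are hex SHA256 digests.
const nodeCrypto = require('node:crypto');

const sha256Hex = (text) =>
  nodeCrypto.createHash('sha256').update(text, 'utf8').digest('hex');

// Step 2: read request-token and checksum from the redirect URL, then confirm
// checksum == SHA256(request-token:appID) before the token is used anywhere.
function parseRedirect(redirectUrl, appID) {
  const params = new URL(redirectUrl).searchParams;
  const requestToken = params.get('request-token');
  const checksum = params.get('checksum');
  if (!requestToken || !checksum) {
    throw new Error('redirect is missing request-token or checksum');
  }
  if (!/^[0-9a-fA-F]{64}$/.test(checksum)) {
    throw new Error('checksum is not a 64-character hex digest');
  }
  const expected = Buffer.from(sha256Hex(`${requestToken}:${appID}`), 'hex');
  const received = Buffer.from(checksum, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!nodeCrypto.timingSafeEqual(received, expected)) {
    throw new Error('redirect checksum mismatch');
  }
  return requestToken;
}

// Steps 3-4: checkSum = SHA256(appID:appSecret:request-token), colon-delimited.
// Run this server-side only; appSecret must never reach client-side code.
function buildExchangeBody(appID, appSecret, requestToken) {
  return {
    checkSum: sha256Hex(`${appID}:${appSecret}:${requestToken}`),
    token: requestToken,
    appID,
  };
}

// Constructed sample values, not real credentials or a real redirect URL.
const SAMPLE = { appID: 'demo-app', appSecret: 'demo-secret', requestToken: 'demo-request-token' };
const sampleRedirect =
  `https://app.example.test/callback?request-token=${SAMPLE.requestToken}` +
  `&checksum=${sha256Hex(`${SAMPLE.requestToken}:${SAMPLE.appID}`)}`;

const verifiedToken = parseRedirect(sampleRedirect, SAMPLE.appID);
console.log(JSON.stringify(buildExchangeBody(SAMPLE.appID, SAMPLE.appSecret, verifiedToken)));
```

The object returned by `buildExchangeBody` is the JSON body for the POST to the authenticate-token endpoint. Note that the two checksums use different field orders.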
Successful Response
Upon successful authentication, you'll receive:
```json
{
  "data": {
    "name": "Abhishek Jain",
    "token": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJBSjAwMDEiLCJpc3MiOiJ0aXFzIiwic3ViIjoid2IiLCJleHAiOjE3NDk3NTI5OTksImlhdCI6MTc0OTY5ODY0Nn0.WZCdqCsp9fkqmb7U-XcKV57zISU6TqciWtnYcbZKtbZPomRMGDbf4Ws90jMVxZXaCDcanfTaaQZl_wpALyMBAQ",
    "userId": "AJ0001"
  },
  "status": "success"
}
```
Using Your Access Token
Include both your token and appID in all subsequent API requests. The token serves as your authentication credential for accessing Arrow trading services.
Token Management
Token Expiration
Access tokens have a limited lifespan (24 hours) due to regulatory compliance. Monitor token expiration and implement proper renewal mechanisms in your application.
Refresh Token Support
For applications requiring extended session management or automatic token renewal capabilities, please contact our development team at tech@arrow.trade to discuss refresh token implementation.
Security Best Practices
Security Recommendations
- Store your appSecret securely and never expose it in client-side code
- Implement proper error handling for authentication failures
- Use HTTPS for all authentication requests
- Regularly rotate your application credentials
- Monitor for unusual authentication patterns
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
| Invalid checksum | Incorrect SHA256 generation | Verify concatenation format: appID:appSecret:request-token |
| Token expired | Request token timeout | Restart authentication flow |
| Invalid redirect | Unregistered redirect URL | Update redirect URL in Developer Portal |
Next Steps
With your authentication token secured, you're ready to explore the full capabilities of the Arrow Developer API Suite. Proceed to our API Reference to begin integrating trading functionality into your application.