
Ally Invest API

OAuth

Here are some details around our current OAuth implementation:

  • We support OAuth 1.0a
  • Sign requests using HMAC-SHA1
  • Timestamp boundary is 10 seconds

OAuth Clients

We recommend using a client library that exists for your language. These libraries are usually well-tested and can be dropped into existing code to start making requests quickly.

You can find a list of OAuth clients on the OAuth site here: (http://oauth.net/code/)

Making Requests

Each authenticated request needs to include a valid, well-formed OAuth Header. An example OAuth header looks like the following:

Authorization: OAuth
  oauth_consumer_key="0685bd9184jfhq22",
  oauth_token="ad180jjd733klru7",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
  oauth_timestamp="137131200",
  oauth_nonce="4572616e48616d6d65724c61686176",
  oauth_version="1.0"
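
The following is an added example, not Ally Invest's code or part of the original page: standard-library Python that computes the HMAC-SHA1 signature and assembles the header above, following the OAuth 1.0a signing rules (RFC 5849). The function names, placeholder credentials and URL are assumptions, `is_stale` assumes the 10-second boundary means the request timestamp must be within 10 seconds of the server clock, and only query-string parameters are signed here (form-encoded POST fields would join the same parameter list).

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

TIMESTAMP_BOUNDARY = 10  # seconds, the boundary stated at the top of this page

def pct(value):
    """Percent-encode per RFC 3986: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def sign(method, url, oauth_params, consumer_secret, token_secret):
    """Return the base64 HMAC-SHA1 signature for one request."""
    parts = urlsplit(url)
    # The base URL excludes the query string (default-port stripping omitted).
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_string = "&".join([method.upper(), pct(base_url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, consumer_key, consumer_secret,
                         token, token_secret, timestamp=None, nonce=None):
    """Build the Authorization header value; fresh timestamp and nonce per call."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())

def is_stale(oauth_timestamp, now=None):
    """Assumed reading of the boundary: clocks differ by more than 10 seconds."""
    now = time.time() if now is None else now
    return abs(now - int(oauth_timestamp)) > TIMESTAMP_BOUNDARY

if __name__ == "__main__":  # constructed placeholder credentials and URL
    print(authorization_header("GET", "https://api.example.test/accounts?x=1",
                               "CONSUMER_KEY", "CONSUMER_SECRET", "TOKEN", "TOKEN_SECRET"))
```

Build the header immediately before sending and never reuse it: a retried request needs a new timestamp and nonce, and the client clock should be NTP-synced so it stays inside the boundary.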

Personal Applications

If you are just looking to write your own personal application, the keys you received when you registered your application are all that is required. You can use the consumer key and secret together with the access token and secret to immediately begin signing requests and getting data from the API.

Once your application is created and you have your keys, you're ready to start writing code.

Distributable Applications

Distributable applications require a little more effort to authenticate different users. The two keys and two secrets created will only provide access to the accounts for the username that created the application.

To authenticate other users, an OAuth authorization flow must be implemented. This will enable Ally Invest customers to log in to the application via Ally Invest authentication endpoints. If you're interested in having other customers authenticate to your application, please contact Ally Invest.

For more information on the authorization flow and how authentication works using OAuth, please visit (http://oauth.net/api/invest/documentation/getting-started/).

Authentication Endpoints

You can use the endpoints below to allow users to authorize your application on their account. This will allow you to create applications that you may distribute to other customers.

Request Token: https://developers.tradeking.com/oauth/request_token
User Authorization: https://developers.tradeking.com/oauth/authorize
Access Token Retrieval: https://developers.tradeking.com/oauth/access_token