The security measures implemented follow the OAuth 1.0a specification, so that any standard OAuth library can be used to make requests against our API.
All API requests are made over a secure-socket layer (SSL/TLS). This encrypts the traffic between the application and the Ally Invest servers, so anyone sitting in between cannot read it. Furthermore, request signing allows us to make sure the request you send is the same request we receive.
Each request must also be signed using a unique secret known only to Ally Invest and the application developer. The signature is an HMAC-SHA1 computed over the request (the OAuth signature base string) and keyed with that secret. It is transmitted in the OAuth Authorization header and verified by the servers at Ally Invest.
The premise of signing revolves around a shared secret. The shared secret is never sent in a request and is never shared with any third party. For each application, the secret is used to sign every request made to the API. Our servers then recompute the signature using the same signing method and secret; if the two signatures don't match, the request is dropped and an error is reported.
Timestamps are used to make sure that valid, signed requests are used only once. If the timestamp sent in the header differs from the server's clock by more than 10 seconds, the request is rejected.
To make sure that your clock is in sync with ours, you can use the market/clock call to receive the server timestamp. Our servers use NTP synchronization with worldwide clocks in order to provide accurate timing across the API. You can read more about NTP at http://support.ntp.org/
Nonces are similarly used to ensure each request is unique. A nonce is a random string, uniquely generated for each request. Because the server accepts a given nonce only once, a captured request cannot simply be submitted again (a replay), which helps us prevent various service attacks as well as security breaches.
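The signing and verification flow described above, as an added example in Python that is not Ally Invest's own code: the client builds the OAuth 1.0a signature base string, signs it with HMAC-SHA1 under the consumer and token secrets, and the server side enforces the 10-second timestamp window, rejects reused nonces and recomputes the signature. The hostname, keys and secrets are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlparse

def pct(value):
    return quote(str(value), safe="~")  # RFC 3986 encoding: only A-Za-z0-9-._~ pass through

def base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & encoded base URL & encoded, sorted "k=v" pairs (query + oauth_*)
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = list(params.items()) + parse_qsl(u.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in encoded))])

def hmac_sha1(method, url, params, consumer_secret, token_secret):
    # Key is "consumer_secret&token_secret"; neither secret ever travels in the request
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, url, consumer_key, token, consumer_secret, token_secret,
                 nonce=None, timestamp=None):
    # Client side: fresh random nonce + current timestamp, then oauth_signature over all of it
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
              "oauth_nonce": nonce or secrets.token_hex(16)}
    params["oauth_signature"] = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return params

def auth_header(params):
    # What goes on the wire: Authorization: OAuth k="v", ... (signature included, secrets not)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

class Verifier:
    # Server side: timestamp window (10 s, as stated above), one-time nonces, constant-time compare
    def __init__(self, consumer_secret, token_secret, window=10):
        self.consumer_secret, self.token_secret, self.window = consumer_secret, token_secret, window
        self.seen_nonces = set()  # production: a store that expires nonces after the window
    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        if abs(now - int(params.get("oauth_timestamp", 0))) > self.window:
            return "stale timestamp"
        if params.get("oauth_nonce") in self.seen_nonces:
            return "replayed nonce"
        expected = hmac_sha1(method, url, params, self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode()):
            return "bad signature"
        self.seen_nonces.add(params.get("oauth_nonce"))
        return "ok"
```

Pass `now` explicitly only in tests; in production both sides use the real clock, which is why the market/clock call matters.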
Any mention of actual symbols is for coding purposes only and does not imply a recommendation or solicitation to buy or sell a particular security or to engage in any particular investment strategy.
At the time of publication and in the preceding month, Ally Invest did not have ownership greater than 1% in any stocks mentioned here and does not have any other actual, material conflict of interest known at the time of publication.
Ally Invest did not receive compensation from a public offering or from investment banking services related to any companies mentioned here within the past 12 months, nor does it expect to receive any in the next 3 months. Ally Invest did not engage in market making in the securities mentioned here.
Ally Invest Securities' background can be found at FINRA's BrokerCheck. Options involve risk and are not suitable for all investors.
Review the Characteristics and Risks of Standardized Options brochure (PDF) before you begin trading options. Options investors may lose the entire amount of their investment in a relatively short period of time.