Authentication
The Trader API uses OAuth 2.0 client credentials for request authentication and authorization.
Register an OAuth client, then exchange client ID and client secret for an opaque access token.
Send that token as a Bearer token on every request. This applies to low-latency trading on trade.figuremarkets.com and to the standard REST API at www.figuremarkets.com/trader (margin, lending, YLDS, accounts, orders, and OAuth).
Use Trader API credentials only. They are gated at the API gateway for API traders. Only one API access type applies per account.
Flow
The Trader API uses the OAuth 2.0 Client Credentials flow: your application exchanges long-lived client credentials for an access token, then sends that token with each API request. No interactive user step is required at token time; this is for machine-to-machine (backend) use.
Getting API credentials
For most API traders, credentials are self-service after onboarding and after you accept the Trader API terms in the Figure Markets app. Use the Trader API entry in the left navigation (Trader API) to generate and manage API credentials. That flow creates the same kind of OAuth2 client as Registering an OAuth client.
Keep the client secret confidential; treat it like a password. Do not commit it to version control or expose it in front-end or mobile apps.
Obtaining an access token
Examples use the UAT main host (www.figuremarkets.dev). For production and the full standard REST base, see Standard API — Base path (main domain).
POST to the token endpoint with Content-Type: application/x-www-form-urlencoded. The body must include grant_type=client_credentials, client_id, client_secret, and scope (space-separated scopes if more than one). This follows the client_secret_post style, in which the secret is sent in the form body rather than in an HTTP Basic header.
Token endpoint:
- UAT: POST https://www.figuremarkets.dev/auth/oauth2/token
- Production: POST https://www.figuremarkets.com/auth/oauth2/token
Do not request tokens on the trade.figuremarkets.* host; OAuth stays on the main domain.
```bash
curl --request POST \
  --url https://www.figuremarkets.dev/auth/oauth2/token \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  --data grant_type=client_credentials \
  --data client_id="$CLIENT_ID" \
  --data client_secret="$CLIENT_SECRET" \
  --data 'scope=TRADER_READ TRADER_TRADE'
```
Example response:
```json
{
  "access_token": "heMdYPI8IizyO-OLeO7S_efBQFjn1i9BMV06WctXoQu2qbd9_0YisbMe5HQjHoi4z04l8oeaCDMKUXUZmIxLb8v7OsCxJV5QHZHPW8TGGmOG_O3X-tjvlkrth5EDfWLi",
  "scope": "TRADER_READ TRADER_TRADE",
  "token_type": "Bearer",
  "expires_in": 86399
}
```
Access tokens are opaque (not JWTs you parse locally). They are valid for 24 hours (expires_in is in seconds). Obtain a new token before expiry or when you receive 401 Unauthorized.
The OAuth2 token endpoint may be hosted in a different region from your code or target application. Because of this, the first request with a new access token can see higher latency. Subsequent API traffic can take advantage of caching so later calls stay fast.
Scopes
The scope parameter is a space-separated list of scopes.
The scopes available to the client are determined during registration.
- TRADER_READ - Provides read-only access to the Standard Trader API.
- TRADER_TRADE - Provides trading access to the Standard Trader API and full access to the low-latency trading API.
Using the access token
Include the token in the Authorization header as a Bearer token for every Trader API request (low-latency trading and standard REST):
```bash
curl https://trade.figuremarkets.dev/api/v1/get_who_am_i \
  -X POST \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
```
For standard REST on the main domain, use the /trader base described in Standard API.
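The token lifecycle described above (client_secret_post form body, Bearer header only, renewal before expires_in elapses, one re-issue and retry on 401), as an added Python example that is not Figure Markets' own client code. TraderAuth, the injected transport callable, the 300-second refresh margin and the FakeGateway stand-in for the token endpoint and API gateway are assumptions; the UAT token endpoint and scope names come from this page.

```python
import time

TOKEN_URL = "https://www.figuremarkets.dev/auth/oauth2/token"  # UAT token endpoint from this page
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
REFRESH_MARGIN = 300  # assumed: renew this many seconds before expires_in elapses


class TraderAuth:
    """Holds one opaque token; transport(method, url, headers, form) -> (status, json) is injected."""
    def __init__(self, client_id, client_secret, scope, transport, now=time.time):
        self._id, self._secret, self._scope = client_id, client_secret, scope
        self._send, self._now = transport, now
        self._token, self._expires_at = None, 0.0

    def token(self):
        # client_secret_post: credentials travel in the form body, never in the URL or a log line.
        if self._token is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            form = {"grant_type": "client_credentials", "client_id": self._id,
                    "client_secret": self._secret, "scope": self._scope}
            status, body = self._send("POST", TOKEN_URL, FORM_HEADERS, form)
            if status != 200 or body.get("token_type") != "Bearer":
                raise RuntimeError(f"token request failed with HTTP {status}")
            self._token = body["access_token"]
            self._expires_at = self._now() + int(body["expires_in"])
        return self._token

    def call(self, method, url, form=None):
        # The token goes only in the Authorization header; on 401, re-issue once and retry.
        for attempt in range(2):
            headers = {"Accept": "application/json", "Authorization": f"Bearer {self.token()}"}
            status, body = self._send(method, url, headers, form or {})
            if status == 401 and attempt == 0:
                self._token = None  # discard the rejected token so the retry fetches a fresh one
                continue
            return status, body


class FakeGateway:
    """Constructed offline stand-in for the token endpoint and the API gateway, not the real service."""
    def __init__(self):
        self.issued, self.revoked = 0, set()

    def __call__(self, method, url, headers, form):
        if url == TOKEN_URL:
            if form.get("grant_type") != "client_credentials" or form.get("client_secret") != "s3cret":
                return 401, {"error": "invalid_client"}
            self.issued += 1
            return 200, {"access_token": f"tok{self.issued}", "token_type": "Bearer",
                         "scope": form["scope"], "expires_in": 86399}
        tok = headers.get("Authorization", "")[len("Bearer "):]  # opaque token, checked server-side
        return (200, {"user": "demo"}) if tok and tok not in self.revoked else (401, {})
```

Swap FakeGateway for a real HTTP transport (for example a function wrapping requests.post) to use it against UAT; nothing else changes.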
Revocation and propagation
If you revoke a token or delete credentials in the Trader API section of the app, the authorization server stops honoring that token. If a token is compromised, revoke it and rotate the client secret immediately. Revoked tokens may take up to a few minutes to be removed from all regional systems.
Revoke a single access token by calling the OAuth2 token revoke endpoint:
```bash
curl --request POST \
  --url https://www.figuremarkets.dev/auth/oauth2/revoke \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data client_id="$CLIENT_ID" \
  --data client_secret="$CLIENT_SECRET" \
  --data token="$OPAQUE_TOKEN"
```
If your client secret is compromised, either rotate the client secret or delete the client via the UI.
Security best practices
| Topic | Guidance |
|---|---|
| Client secret | Never share or log it; store it securely (e.g. secrets manager). Use it only in server-side token requests over HTTPS. |
| Access tokens | Opaque Bearer tokens; do not persist them longer than needed. Send only in Authorization headers, not in query params or URLs. |
| Compromise | Revoke the token and/or credential in the Trader API section of the app; rotate the client secret if needed. |
| IP restrictions | Unless Figure Markets configures IP restrictions for your integration, you can obtain tokens and call the API from any IP once you have credentials. |
Standards reference
Token introspection at the gateway follows RFC 7662. OAuth2 behavior aligns with common authorization-server practice (for example Spring Authorization Server introspection).