I receive a 500 error code and an "Invalid API key provided by application" message when I make a request to the API. I am sure the API key was correct.

When you first set up with TradeIt, you will receive 2 API keys: QA and production. If you are making requests to the QA environment, make sure you are using the QA key. Likewise, use the production key for the production environment. If you need your API keys again, please don't hesitate to contact us at

We are currently integrating the oAuth login window (/getOAuthLoginPopupUrlForWebApp). Is a pop-up window the only solution? Can we embed the login window as an iFrame?

While it is possible to use an iFrame solution for the oAuth login window, we do not recommend it for several reasons. First, pop-ups are the industry standard, as they allow users to verify the URL and the security certificate to be reassured that their credentials are safe. Furthermore, E*Trade and Tradestation do not work with iFrames.

Please explain the userToken and userId that I got from calling /getOAuthAccessToken successfully?

The userId is a user oAuth token. It is generated when credentials for a broker are supplied. The token can be used to authenticate the user in the future without the user having to re-enter the credentials. Because of this, the userId/userToken should be handled like a username/password. Please keep in mind that the tokens expire after 30 days, and the user will have to re-enter their credentials to link again.

We want to stop users from creating the same broker connection multiple times. Would I be able to check if an account already exists for a given user?

As a security feature, it is not possible to check for duplicate user links, by design. For us to know that a user has already linked a certain account, we would have to store the account number, and we purposefully don't store any identifiable user data.

I made a request to place an order and received an exception saying it is at an invalid state: "It is in ORDER_PLACED state instead of PLACE_ORDER..."

This happens when the app tries to call place order with the same order number twice or more. Make sure you have successfully previewed an order before placing the order.

I called /answerSecurityQuestion and received an exception saying it is at an invalid state: "It is in ANSWER_SECURITY_QUESTION state instead of AUTHENTICATED..."

This happens when the app tries to call /answerSecurityQuestion twice or more. Make sure you only try to answer the security question after you have received a successful response from calling /authenticate and "status" is "INFORMATION_NEEDED". Also, this sometimes happens when the srv in the request param for /authenticate doesn't match the one in /answerSecurityQuestion.
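
A client-side guard for the two invalid-state errors above, as an added example that is not TradeIt or SDK code: it refuses to send /answerSecurityQuestion or a place-order call unless the preconditions described in the answers hold. The class name, method names and sample srv/order values are hypothetical.

```javascript
// Added example. FlowGuard and its methods are hypothetical names, not TradeIt APIs.
// Each try* method returns null when the call may be sent, or a reason string when
// it must be blocked. It marks the call as sent in the same step, so a double tap
// cannot slip a second request through.
class FlowGuard {
  constructor() {
    this.auth = null;        // { srv, status, answered } from the last /authenticate
    this.orders = new Map(); // order number -> "PREVIEWED" | "PLACED"
  }
  // Record the /authenticate response together with the srv used in its URL.
  onAuthenticate(srv, status) {
    this.auth = { srv, status, answered: false };
  }
  tryAnswer(srv) {
    const a = this.auth;
    if (!a) return "call /authenticate first";
    if (a.status !== "INFORMATION_NEEDED") return "no security question is pending";
    if (a.srv !== srv) return "srv differs from the one used for /authenticate";
    if (a.answered) return "security question was already answered";
    a.answered = true;
    return null;
  }
  // Record a successful preview for this order number.
  onPreviewSuccess(orderNumber) {
    this.orders.set(orderNumber, "PREVIEWED");
  }
  tryPlace(orderNumber) {
    const state = this.orders.get(orderNumber);
    if (state === undefined) return "order has not been previewed successfully";
    if (state === "PLACED") return "order number was already placed";
    this.orders.set(orderNumber, "PLACED");
    return null;
  }
}
```
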

When running the example app from the SDK, I am facing errors regarding missing frameworks like PromiseKit, MBProgressHUD, SwiftyUserDefaults?

Try running 'pod update', 'pod install' on the command line before you run the exampleApp.

Experiencing unusual latency when making API calls?

Brokers often run batch processing hours before the market open (9:30 EST), and brokers can be slower in the lead up to market open.

How can I test and trigger the 301 error code?

You can try triggering the 301 error by putting in a wrong userId or userToken when you call authentication a few times. After 3 invalid login attempts in a row, the user IP will be blocked from TradeIt servers for a duration of 5 minutes.

What is the lifespan of the userToken and userId?

All tokens expire after 30 days, at which point a renew token function will need to be called and the user re-authenticated. We also provide a delete token function that should be implemented in the event the user wants to disconnect from your service.

What is the lifespan of the session token?

15 minutes. It is important to handle expiration of the session token at any time, since brokers can invalidate session tokens whenever they want and often do so for maintenance or if they deem anything in a user account suspicious.

After the oAuth pop up window, how do I retrieve the oAuth verifier?

On success, the oAuth verifier is returned via postMessage.

Can I pass in the srv field as post body?

You must pass in the srv as a request param in the URL, as shown in the API doc. Otherwise, subsequent request calls will fail.

How can I integrate the TradeIt WIDGET on my site?

Please contact to schedule a demo and receive details about the TradeIt Trading Ticket and the TradeIt APIs.

How do I capture the oAuthVerifier?

Capturing the oAuthVerifier will be handled by the code sample under Example Javascript Post Message Code in the API Doc.
After retrieving the oAuth popup URL, you will open it in a popup window. The receiveMessage function from that sample will then take care of capturing the verifier using the EventListener, and you can see the verifier is then saved into a variable called oAuthVerifier.
Then you can use the oAuthVerifier to call /getOAuthAccessToken and continue with the oAuth process.
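
A hardened receiveMessage handler for the postMessage capture described above, as an added example that is not the sample from the API Doc. It goes beyond the page by checking the message origin and source window before trusting the payload. The popup origin, the JSON field name oAuthVerifier and the 512-character bound are assumptions.

```javascript
// Added example. Assumptions: the popup origin below is a placeholder, and the
// message payload is JSON carrying the verifier in a field named "oAuthVerifier".
const EXPECTED_ORIGIN = "https://popup.example.invalid"; // replace with the real popup origin
let loginPopup = null;    // set to the handle returned by window.open(popupUrl)
let oAuthVerifier = null; // filled in once a valid message arrives

// Returns the verifier string, or null if the message must be ignored.
function extractVerifier(event, expectedOrigin, popupWindow) {
  // 1. Accept only messages from the origin that served the login popup.
  if (event.origin !== expectedOrigin) return null;
  // 2. When a popup handle is available, require the message to come from it.
  if (popupWindow && event.source !== popupWindow) return null;
  // 3. The payload may be a JSON string or an already-structured object.
  let data = event.data;
  if (typeof data === "string") {
    try { data = JSON.parse(data); } catch (e) { return null; }
  }
  if (data === null || typeof data !== "object") return null;
  // 4. Accept only a non-empty, bounded string as the verifier.
  const v = data.oAuthVerifier;
  if (typeof v !== "string" || v.length === 0 || v.length > 512) return null;
  return v;
}

function receiveMessage(event) {
  if (oAuthVerifier !== null) return; // one-shot: ignore messages after the first valid one
  const v = extractVerifier(event, EXPECTED_ORIGIN, loginPopup);
  if (v !== null) oAuthVerifier = v; // next step: call /getOAuthAccessToken with it
}

// Register the listener only when running in a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", receiveMessage, false);
}
```
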
