Sessions

  1. Create a Session (Log In)
    1. Remember Tokens
  2. Destroy a Session (Log Out)

Create a Session

To create a session, hit the POST /sessions endpoint. This generates a session token which you need to include in all subsequent API requests in the Authorization header.

Your session token is valid for 24 hours. Hitting tastytrade APIs with an expired or invalid session token will return an HTTP 401 error.

For security reasons, our system monitors the /sessions endpoint very closely. If we see a rapid series of invalid login requests, your account will be temporarily blocked from making additional HTTP requests.

To avoid being blocked by our system, please only generate a session when a new session token is needed. Again, a session token is valid for 24 hours. We recommend generating a session and holding the session token in memory for all other API requests you make during your session.

Our system may send you an email when it sees any activity that it deems suspicious, such as a login from an unrecognized device or location. We do this to prevent your identity and account information from becoming compromised. If you are using the API for the first time or from a new location, you may need to verify that the login did in fact come from you and not a malicious actor by following the prompt in the email.

Parameters for Creating a Session

  login (String, required): Username or Email
  password (String, required): User Password
  remember-me (Boolean): Generates a remember token

POST /sessions

Mac/Linux

curl -X POST https://api.cert.tastyworks.com/sessions \
  -d '{ "login": "myusername", "password": "mypassword", "remember-me": true }' \
  -H 'Content-Type: application/json'

Response
{
  "data": {
    "user": {
      "email": "johndoe@tastytrade.com",
      "username": "johndoe",
      "external-id": "U0000085345"
    },
    "session-token": "YkF_8uB6tiiGKF2hNRZ4QVs6gLr-d6DMn-Hovg9FrU9-8pCJLCnu8A+C",
    "remember-token": "j69DQ_4p75bzWGYPl_utuxfIbVy1auCj8M8AEYL4BddVO3Pp3sDakA",
    "session-expiration": "2024-09-12T20:25:32.440Z"
  },
  "context": "/sessions"
}

Remember Tokens

A valid remember token can be used in place of a password to create a new session. Remember tokens are one-time use, meaning they are invalidated when redeemed. If not redeemed, they will expire after 28 days.

Remember tokens are generated at the same time a session is created. Users wanting to generate a remember token must hit POST /sessions with remember-me: true.

The response is identical to a password login response. The session-token can be used on all subsequent requests in the Authorization header.

The session created is still only valid for 24 hours.

All sessions and remember tokens are invalidated when a user resets their password.

We provide remember tokens for security reasons. If you are using a cloud provider to run your code, you may feel uncomfortable storing your password in the cloud provider's system. The remember token allows you to log in and generate a session token without providing a password.

In effect, a valid remember token allows you to continuously generate a session token without the need to provide your password. By always including remember-me: true with your login requests, you will always receive a new remember token in the login response, which can be used the next time you need to generate a session token.

POST /sessions

Mac/Linux

curl -X POST https://api.cert.tastyworks.com/sessions \
  -d '{ "login": "myusername", "remember-token": "myremembertoken", "remember-me": true }' \
  -H 'Content-Type: application/json'

Response
{
  "data": {
    "user": {
      "email": "johndoe@tastytrade.com",
      "username": "johndoe",
      "external-id": "U0000085345"
    },
    "session-token": "8uB6tiiGKF2hNRZ4QVs6gLr-d6DMn-Hovg9FrU9-8pCJLCnu8AYkF_+C",
    "remember-token": "4p75bzWGYPl_utuxfIbVy1auCj8M8AEYL4BddVO3Pp3sDakAj69DQ_",
    "session-expiration": "2024-09-12T20:25:32.440Z"
  },
  "context": "/sessions"
}
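
An added example, not tastytrade's code: a minimal client-side cache that follows the rules above, holding the session token in memory until shortly before session-expiration and redeeming the one-time remember token only when a new session is needed. The `post` transport, the `save_token` hook, the `FakeApi` stand-in and all token values are assumptions constructed for illustration, and the first remember token is assumed to come from an earlier password login.

```python
from datetime import datetime, timedelta, timezone

class SessionCache:
    """Hold one session token in memory; rotate the one-time remember token."""
    def __init__(self, login, remember_token, post, save_token):
        self.login, self._remember = login, remember_token
        self._post = post          # assumed transport: post(path, body) -> dict
        self._save = save_token    # assumed hook: persist token to a secret store
        self._session = self._expires = None

    def token(self, now=None):
        """Return a live session token, hitting POST /sessions only when needed."""
        now = now or datetime.now(timezone.utc)
        if self._session and now < self._expires - timedelta(minutes=5):
            return self._session
        body = {"login": self.login, "remember-token": self._remember, "remember-me": True}
        data = self._post("/sessions", body)["data"]
        # The redeemed token is now invalid, so store its replacement first.
        self._remember = data["remember-token"]
        self._save(self._remember)
        self._session = data["session-token"]
        self._expires = datetime.fromisoformat(
            data["session-expiration"].replace("Z", "+00:00"))
        return self._session

    def invalidate(self):  # call after an HTTP 401 so the next token() logs in again
        self._session = None

class FakeApi:
    """Constructed stand-in for POST /sessions, following the documented rules."""
    def __init__(self, now):
        self.now, self.valid, self.logins = now, "rt-0", 0
    def post(self, path, body):
        if body["remember-token"] != self.valid:
            raise PermissionError("remember token already redeemed or unknown")
        self.logins += 1
        self.valid = f"rt-{self.logins}"     # one-time use: issue a fresh token
        expires = (self.now + timedelta(hours=24)).isoformat()
        return {"data": {"session-token": f"st-{self.logins}",
                         "remember-token": self.valid,
                         "session-expiration": expires.replace("+00:00", "Z")}}

def demo():
    t0 = datetime(2024, 9, 11, 20, 25, 32, tzinfo=timezone.utc)
    api, stored = FakeApi(t0), []
    cache = SessionCache("myusername", "rt-0", api.post, stored.append)
    first = [cache.token(t0 + timedelta(hours=h)) for h in (0, 1, 23)]
    api.now = t0 + timedelta(hours=25)
    return first, cache.token(api.now), api.logins, stored
```

Three requests spread over 23 hours cost one login; the renewal at hour 25 redeems the rotated remember token and stores the next one.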

Destroy Session

This request requires no body.

Returns a '204 No Content' on successful destruction of a session.

Header Parameters

  Authorization (String, required): Your session token

DELETE /sessions

Mac/Linux

curl -X DELETE https://api.cert.tastyworks.com/sessions \
  -H 'Authorization: mysessiontoken' \
  -H 'Content-Type: application/json'