Skip to content
Skip to main content

OAuth vs API Keys

TradeZero supports two authentication paths. For most developers building personal trading tools, only one is needed.

Decision guide

ApproachBest forHow it works
API key headers (recommended)Scripts, dashboards, and personal tools you run for your own accountSend TZ-API-KEY-ID and TZ-API-SECRET-KEY on every HTTPS request
OAuth2 JWT exchangePartners building OAuth2-compliant flows that exchange tokens before API callsPOST /v1/api/oauth2/jwtexchange returns a Bearer JWT used on subsequent requests
Default path

If you are following the Quickstart Recipes or any guide on this site, use API key headers. No token refresh loop, no session state — the headers are validated on every request.

Generate a key pair in the TradeZero Portal and attach both headers to every REST and WebSocket call:

-H 'TZ-API-KEY-ID: {YOUR_PUBLIC_KEY}' \
-H 'TZ-API-SECRET-KEY: {YOUR_SECRET}'
  • Paper and live use the same base URL (https://webapi.tradezero.com); the key pair selects the environment.
  • No expiry — keys stay valid until you regenerate or disable them in the Portal.
  • Never embed secrets in browser or mobile bundles.

See Authentication for the full portal walkthrough and lifecycle rules.

OAuth2 JWT exchange

The OpenAPI spec describes POST /v1/api/oauth2/jwtexchange and HTTP Bearer (jwt_auth) for OAuth2-style partner integrations. That exchange endpoint is not part of the production customer API today — use API key headers for all live integrations. Registered partners should contact TradeZero to enable OAuth2 flows.

Which should I use?

Building a personal tool on your own account?
→ API key headers

Building a registered partner app with OAuth2 consent flows?
→ JWT exchange + Bearer tokens (coordinate with TradeZero)