OAuth vs API Keys
TradeZero supports two authentication paths. For most developers building personal trading tools, only one is needed.
Decision guide
| Approach | Best for | How it works |
|---|---|---|
| API key headers (recommended) | Scripts, dashboards, and personal tools you run for your own account | Send TZ-API-KEY-ID and TZ-API-SECRET-KEY on every HTTPS request |
| OAuth2 JWT exchange | Partners building OAuth2-compliant flows that exchange tokens before API calls | POST /v1/api/oauth2/jwtexchange returns a Bearer JWT used on subsequent requests |
If you are following the Quickstart Recipes or any guide on this site, use API key headers. No token refresh loop, no session state — the headers are validated on every request.
API key headers (recommended)
Generate a key pair in the TradeZero Portal and attach both headers to every REST and WebSocket call:
-H 'TZ-API-KEY-ID: {YOUR_PUBLIC_KEY}' \
-H 'TZ-API-SECRET-KEY: {YOUR_SECRET}'
- Paper and live use the same base URL (
https://webapi.tradezero.com); the key pair selects the environment. - No expiry — keys stay valid until you regenerate or disable them in the Portal.
- Never embed secrets in browser or mobile bundles.
See Authentication for the full portal walkthrough and lifecycle rules.
OAuth2 JWT exchange
The OpenAPI spec describes POST /v1/api/oauth2/jwtexchange and HTTP Bearer (jwt_auth) for OAuth2-style partner integrations. That exchange endpoint is not part of the production customer API today — use API key headers for all live integrations. Registered partners should contact TradeZero to enable OAuth2 flows.
Which should I use?
Building a personal tool on your own account?
→ API key headers
Building a registered partner app with OAuth2 consent flows?
→ JWT exchange + Bearer tokens (coordinate with TradeZero)