TD Ameritrade's API uses OAuth2.

  1. Create an Application with TD Ameritrade. You'll have to create a separate TD Developer account: https://developer.tdameritrade.com/user/me/apps

    1. Set the required fields when creating the application

      1. App Name
      2. CallbackURL (if you don't know what this is, set it as http://localhost)
      3. Purpose
    2. Once the App is created and has been approved (usually instant), note the Consumer Key. It will be needed later.

  2. Generate your TD Ameritrade Auth URL

    Example URL

    <https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=http%3A%2F%2Flocalhost&client_id=CONSUMER_KEY%40AMER.OAUTHAP>
    

    A couple of important things to note about this URL:

    1. The CONSUMER_KEY bit will need to be replaced with a real Consumer Key.
    2. The redirect_uri needs to match your URL-encoded CallbackURL. If you left it as http://localhost, no changes need to be made.
  3. Get Auth Code using generated auth url

    1. Paste the URL into your browser and log in.

    2. After you log in, it will redirect you to the specified redirect URL. Copy the code from the URL (everything after ?code=).

      Example URL: https://localhost/?code=AVPe1iYC%2F.....sL

    3. Continue the manual way on the next step, or if familiar with cURL, use the following curl command and skip to step 5. (update command to contain your code and consumer key)

      curl -X POST --header "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&refresh_token=&access_type=offline&code=MY_URL_ENCODED_CODE&client_id=MY_CONSUMER_KEY%40AMER.OAUTHAP&redirect_uri=http%3A%2F%2Flocalhost" "https://api.tdameritrade.com/v1/oauth2/token"
      
    4. Decode the URL encoded auth code

      1. You can use https://www.urldecoder.org/.
        1. Paste the auth code in, and click Decode.
        2. Copy out your decoded auth code
  4. Get Refresh Token using decoded code

    1. The Post Access Token developer page can be used to get the refresh token with the following parameters
      1. grant_type authorization_code
      2. refresh_token (leave blank)
      3. access_type offline
      4. client_id MY_CONSUMER_KEY@AMER.OAUTHAP
      5. redirect_uri http://localhost
    2. Save the Refresh Token from the response, as it will only be shown once, and will be used to get auth tokens for the next 90 days.
    3. The Refresh Token needs to be used to get Access Tokens anytime you want to interact with the API. Access Tokens are only valid for 30 minutes, so you'll want to script fetching a new Access Token any time you run your bot/app.
  5. Test Refresh Token

    1. Test fetching a new access token on the Post Access Token developer page using the following parameters
      1. grant_type refresh_token
      2. refresh_token MY_REFRESH_TOKEN
      3. client_id MY_CONSUMER_KEY@AMER.OAUTHAP
    2. The response should be a JSON object containing your access_token, valid for the next 30 minutes.

IMPORTANT: Refresh Tokens expire after 90 days. Make sure you set a reminder to generate a new refresh token before 90 days is up.
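
The steps above as a script, so the auth code is decoded locally and the access token fetch can be automated. This is an added example, not part of the original guide or TD Ameritrade's own code: the function names, the token file and its owner-only permission check are assumptions, while the URLs and form fields are the ones shown in the guide.

```python
# Added example: helper names are hypothetical; URLs and fields come from the guide.
import json
import os
import stat
from urllib.parse import unquote, urlencode, urlsplit
from urllib.request import Request, urlopen

AUTH_URL = "https://auth.tdameritrade.com/auth"
TOKEN_URL = "https://api.tdameritrade.com/v1/oauth2/token"
SUFFIX = "@AMER.OAUTHAP"  # appended to the Consumer Key to form client_id

def build_auth_url(consumer_key, redirect_uri="http://localhost"):
    # Step 2: urlencode() percent-encodes the redirect_uri and the "@".
    return AUTH_URL + "?" + urlencode({"response_type": "code",
        "redirect_uri": redirect_uri, "client_id": consumer_key + SUFFIX})

def code_from_redirect(redirected_url):
    # Step 3: extract ?code= and URL-decode it locally (unquote keeps a literal "+").
    for pair in urlsplit(redirected_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "code" and value:
            return unquote(value)
    raise ValueError("redirect URL has no code parameter")

def auth_code_body(code, consumer_key, redirect_uri="http://localhost"):
    # Step 4: same fields as the curl command; pass the decoded code.
    return urlencode({"grant_type": "authorization_code", "refresh_token": "",
        "access_type": "offline", "code": code,
        "client_id": consumer_key + SUFFIX, "redirect_uri": redirect_uri})

def refresh_body(refresh_token, consumer_key):
    # Step 5: exchange the refresh token for a 30-minute access token.
    return urlencode({"grant_type": "refresh_token",
        "refresh_token": refresh_token, "client_id": consumer_key + SUFFIX})

def load_refresh_token(path):
    # Assumption: the 90-day refresh token is kept in an owner-only (chmod 600) file.
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(path + " must be accessible by its owner only")
    with open(path) as fh:
        return fh.read().strip()

def post_token(body):
    # POST the form body to the token endpoint and return the parsed JSON reply.
    req = Request(TOKEN_URL, data=body.encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

A bot would call post_token(refresh_body(load_refresh_token(path), consumer_key)) at start-up and read access_token from the result.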