Get Token
API that acquires an access token through an authorization_code exchange and includes the user's profile in the same response.
The access_token obtained through this API has a specific validity period that lasts until 3:30 AM the following day, regardless of the time it was generated. For instance, if you generate a token at 8 PM on Tuesday, it will expire at 3:30 AM on Wednesday. This also means that a token created at 2:30 AM on Wednesday will still expire at 3:30 AM on the same Wednesday. Therefore, users are advised to plan their activities accordingly, ensuring they accommodate the token's expiration schedule in their usage.
Header Parameters
Name | Required | Type | Description |
---|---|---|---|
Content-Type | true | string | Indicates the media type of the resource, set as application/x-www-form-urlencoded. |
Accept | true | string | Defines the content format the client expects, which should be set to application/json. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
code | true | string | The code is a unique parameter included in the URL upon a successful Authorize API authentication. |
client_id | true | string | The API key obtained during the app generation process. |
client_secret | true | string | The API secret obtained during the app generation process. This private key remains confidential, known only to the application and the authorization server. |
redirect_uri | true | string | The URL provided during app generation. |
grant_type | true | string | This value must always be authorization_code. |
The code sent as part of this request is valid for a single use, regardless of whether the access token generation succeeds or encounters an issue.
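The expiry rule and the request parameters described above can be handled as in the following added example, which is not part of the original documentation or Upstox's own code. The function names are hypothetical, and the time zone of the 3:30 AM cutoff (IST) is an assumption, since the page does not state it.

```python
from datetime import datetime, time, timedelta, timezone
from urllib.parse import urlencode

# Assumption: the page gives no time zone for the 3:30 AM cutoff;
# IST (UTC+05:30, no DST) is assumed here.
CUTOFF_TZ = timezone(timedelta(hours=5, minutes=30))
CUTOFF = time(3, 30)


def token_expiry(issued_at: datetime) -> datetime:
    """Next 3:30 AM cutoff after issued_at (timezone-aware datetime required)."""
    if issued_at.tzinfo is None:
        raise ValueError("issued_at must be timezone-aware")
    local = issued_at.astimezone(CUTOFF_TZ)
    cutoff = datetime.combine(local.date(), CUTOFF, tzinfo=CUTOFF_TZ)
    if local >= cutoff:  # issued at or after 3:30 AM: expires the following day
        cutoff += timedelta(days=1)
    return cutoff


def is_usable(issued_at, now, margin=timedelta(minutes=5)):
    """True while a cached token is before its cutoff, less a safety margin."""
    return now < token_expiry(issued_at) - margin


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Headers and form-encoded body for the exchange; nothing is sent.

    client_secret should come from server-side configuration, never from
    code shipped to a browser or mobile client.
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({
        "code": code,  # single use: a failed exchange needs a fresh code
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })
    return headers, body
```

Storing the issue time next to a cached token and checking `is_usable` before each call avoids sending a token that has already passed its cutoff.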
- 200
- 4XX
Response Body
{
"email": "******",
"exchanges": ["NSE", "NFO", "BSE", "CDS", "BFO", "BCD"],
"products": ["D", "CO", "I"],
"broker": "UPSTOX",
"user_id": "******",
"user_name": "******",
"order_types": ["MARKET", "LIMIT", "SL", "SL-M"],
"user_type": "individual",
"poa": false,
"is_active": true,
"access_token": "******************",
"extended_token": "******************"
}
Name | Type | Description |
---|---|---|
email | string | E-mail address of the user |
exchanges | string[] | List of exchanges enabled for the user. Valid exchanges can be found in the Exchange Appendix |
products | string[] | Lists the types of products enabled for the user. Possible values: I, D, CO, MTF |
broker | string | The broker ID |
user_id | string | Uniquely identifies the user (commonly referred to as UCC) |
user_name | string | Name of the user |
order_types | string[] | Order types enabled for the user. Possible values: MARKET, LIMIT, SL, SL-M |
user_type | string | Identifies the user's registered role with the broker. This will be individual for all retail users |
poa | boolean | Indicates whether the user has authorized power of attorney for transactions. |
is_active | boolean | Indicates if the account status is active. |
access_token | string | The authentication token to be used with every subsequent API request. |
extended_token | string | This token is designed for prolonged usage, primarily for read-only access to various API endpoints. For more detailed information on the extended token, including its benefits and how to opt for it, please refer to the Extended Token Documentation. |
If a user attempting to log in has no active segments, the error "No segments for these users are active. Manual reactivation is recommended from Upstox app/web." will occur, preventing the Token API from generating the access_token. To resolve this, users must manually reactivate their segment through the Upstox web or mobile application before attempting to log in again.
Error codes
Error code | Description |
---|---|
UDAPI100069 | Check your 'client_id' and 'client_secret'; one or both are incorrect. - Thrown when one of the credentials you've passed to this API is invalid. |
UDAPI100070 | The 'redirect_uri' provided is invalid. Please enter the valid URI and try again. - Thrown when the redirect_uri passed to this API is invalid. |
UDAPI100057 | Invalid Auth code - Thrown when the code value passed to the API is invalid. |
Examples
A comprehensive set of examples is provided to illustrate various use cases and implementation scenarios for this API. To view detailed examples and access sample code, please refer to: API Examples.