Authentication

Overview

All Brokeret API requests require authentication. We support two authentication methods depending on your use case:

Method	Use Case	Security Level
API Key + Secret	Server-to-server integration	High
OAuth 2.0	Third-party applications acting on behalf of users	High

API Key Authentication

Include your API key in the Authorization header using the Bearer scheme:

Authorization: Bearer bk_live_a1b2c3d4e5f6g7h8i9j0

For additional security, sign requests with your API Secret using HMAC-SHA256:

$timestamp = time();
$payload = $timestamp . $method . $path . $body;
$signature = hash_hmac('sha256', $payload, $apiSecret);

// Include in headers
X-Brokeret-Timestamp: 1710000000
X-Brokeret-Signature: a1b2c3d4...

Environments

We provide separate environments for development and production:

Environment	Base URL	Key Prefix
Sandbox	`https://sandbox.api.brokeret.com`	`bk_test_`
Production	`https://api.brokeret.com`	`bk_live_`

💡

TipUse sandbox keys during development. They connect to simulated trading servers and won't affect real accounts.

Error Responses

Authentication errors return a 401 Unauthorized status with details:

{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or has been revoked.",
    "doc_url": "https://docs.brokeret.com/authentication#error-responses"
  }
}

Common Error Codes

Code	Description	Resolution
`invalid_api_key`	API key is malformed or does not exist	Check your key and regenerate if needed
`expired_api_key`	API key has expired	Rotate your key in the dashboard
`invalid_signature`	HMAC signature does not match	Verify timestamp, method, path, and body encoding
`ip_not_whitelisted`	Request IP is not in the allowed list	Add the IP in Settings → Security

Best Practices