OpenAPI
Open API Learn Tutorial Reference Docs Explorer Apps Updates Get 24 Hour Token Sign in
Other Products FIX Trading API Client Management Systems API End-of-Day File Transfers Trade Event Notification System OpenAPI for Excel

Authorization Code Grant

Server-side web apps should use the 'Authorization Code Grant' flow as specified by The official OAuth 2.0 Authorization Framework.

Below is a guide to get started using this authorization flow.

Your OpenAPI Application

When an application is created for you on OpenAPI, you will receive the following application details:


NameDescriptionExample
AppUrl

A URL uniquely representing your app.

http://localhost/mytestapp
AuthenticationUrl
The URL of the Saxo Bank authentication & authorization server.
https://sim.logonvalidation.net/
AppKey
The Application key identifying your application.
1234-5678-9101
AppSecret
The Application "secret" identifying your application.
abcdefghijklmn
OpenApiBaseUrl
Base URL for calling OpenAPI REST endpoints.
https://gateway.saxobank.com/sim/openapi/


These can be mapped to the necessary OAuth parameters:

OAuth Parameter

Saxo App Value

Example
client_id
AppKey
1234-5678-9101
client_secret
AppSecret
abcdefghijklmn
redirect_uri
AppUrl
http://localhost/mytestapp
authorization_url
AuthenticationUrl + '/authorize'
https://sim.logonvalidation.net/authorize
token_url
AuthenticationUrl + '/token'
https://sim.logonvalidation.net/token
Below parameters are determined by the developer:
response_type
Must always be set to 'code'
code
state
Randomly generated string used by the client to maintain state between the request and callback.
y90dsygas98dygoidsahf8sa
scope
Not used


Authorization Request

To initiate the authentication flow, redirect the client to the /authorize with the required parameters in the query string. Make sure to set the content-type to 'application/x-www-form-urlencoded'.

Example:

Example Authorize request (line breaks for display purposes)
GET /authorize?response_type=code
        &client_id=1234-5678-9101
        &state=y90dsygas98dygoidsahf8sa
        &redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp


Once the user is logged in, he will be redirected back to the provided redirect_url with an authorization code as a query parameter.

Authorize response
HTTP/1.1 302 Found
Location: http://localhost/mytestapp?code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771&state=y90dsygas98dygoidsahf8sa


Access Token Request

Once the authorization code has been obtained, it can be exchanged for an access token by sending a POST request to the /token endpoint. This request needs to be authenticated using HTTP Basic Auth with your client_id as username and client_secret as password. The basic auth should be a base64 encoded string in the following format: "client_id:client_secret".

Example Access Token request - with Authorization header
POST /token HTTP/1.1
Host: sim.logonvalidation.net
Authorization: Basic MTIzNC01Njc4LTkxMDE6YWJjZGVmZ2hpamtsbW4=
Content-Type: application/x-www-form-urlencoded
 
grant_type=authorization_code
&code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771
&redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp


If your OAuth library does not support sending the credentials as HTTP Basic Auth, we also accept them as part of the post body:

Example Access Token request - with Authorization header
POST /token HTTP/1.1
Host: sim.logonvalidation.net
Content-Type: application/x-www-form-urlencoded
 
grant_type=authorization_code
&code=09ccbf1c-ec0d-4da2-bcce-a0ba39f57771
&redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp
&client_id=1234-5678-9101
&client_secret=abcdefghijklmn


The response to this request will contain an access_token and a refresh_token:

Example Access Token response
{
	"access_token" : "eyJhbGc.eyJvYWEiOiIwMDA0NCIsImlzcQ.gElDA_9M0_eDr6Jw",
	"expires_in": 1200,
	"token_type": "Bearer",
	"refresh_token": "5e7fa3d2-5e13-4736-80c1-9c3e5cde660b",
	"refresh_token_expires_in": 2400
}


Using the Refresh Token

If you were provided with a refresh token you can use it to keep the connection alive by exchanging it for a new access and refresh token within it's lifetime.

To do this, send another request to the /token endpoint with 'grant_type=refresh_token':

Example Access Token request - with Authorization header
POST /token HTTP/1.1
Host: sim.logonvalidation.net
Authorization: Basic MTIzNC01Njc4LTkxMDE6YWJjZGVmZ2hpamtsbW4=
Content-Type: application/x-www-form-urlencoded
 
grant_type=refresh_token
&refresh_token=5e7fa3d2-5e13-4736-80c1-9c3e5cde660b
&redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp


See the code sample in JavaScript on the Authorization Code Grant.