OpenAPI

We recommend that all applications use the authorization code flow where possible: it gives a better end-user experience and allows a longer session because of the refresh token. If no back-end server is available, the implicit flow can be used instead. Our implementation follows the 'Implicit Grant' section of the official OAuth 2.0 Authorization Framework.

Below is a guide to get started using this authorization flow.

Your OpenAPI Application

When an application is created for you on OpenAPI, you will receive the following application details:

Name              | Description                                                     | Example
AppUrl            | A URL uniquely representing your app.                           | http://localhost/mytestapp
AuthenticationUrl | The URL of the Saxo Bank authentication & authorization server. | https://sim.logonvalidation.net/
AppKey            | The Application key identifying your application.               | 1234-5678-9101
AppSecret         | The Application "secret" identifying your application.          | abcdefghijklmn
OpenApiBaseUrl    | Base URL for calling OpenAPI REST endpoints.                    | https://gateway.saxobank.com/sim/openapi/

These can be mapped to the necessary OAuth parameters:

OAuth Parameter   | Saxo App Value                                                                                | Example
client_id         | AppKey                                                                                        | 1234-5678-9101
redirect_uri      | AppUrl                                                                                        | http://localhost/mytestapp
authorization_url | AuthenticationUrl + '/authorize'                                                              | https://sim.logonvalidation.net/authorize

The parameters below are determined by the developer:

OAuth Parameter   | Value                                                                                         | Example
response_type     | Must always be set to 'token'                                                                 | token
state             | Randomly generated string used by the client to maintain state between the request and callback. | y90dsygas98dygoidsahf8sa
scope             | Not used                                                                                      |

Authorization Request

To initiate the authentication flow, redirect the client to the /authorize endpoint with the required parameters in the query string. Make sure to set the content-type to 'application/x-www-form-urlencoded'.

Example Authorize request (line breaks for display purposes):
GET /authorize?response_type=token
        &client_id=1234-5678-9101
        &state=y90dsygas98dygoidsahf8sa
        &redirect_uri=http%3A%2F%2Flocalhost%2Fmytestapp


Once the user is logged in, they are redirected back to the provided redirect_uri with the access token carried in the URL hash fragment.

Authorize response
HTTP/1.1 302 Found
Location: http://localhost/mytestapp#access_token=eyJhbG[...]deICk4pA&token_type=bearer&expires_in=1199&state=y90dsygas98dygoidsahf8sa


If an error occurs during the authorization process, the error is likewise returned in the hash fragment.

Authorize error response
HTTP/1.1 302 Found
Location: http://localhost/mytestapp#error=access_denied&state=y90dsygas98dygoidsahf8sa