Skip to content
Partner API Docs

Changelog

All notable MyStocks Partner API changes by version, from the v1.0 initial release through v2.6. Entries marked Deprecated are removed on the date in the Sunset header — see API Versioning for the deprecation policy.

All notable API changes. Entries marked Deprecated will be removed on the date listed in the Sunset header — see API Versioning for the deprecation policy.

v2.6 — July 2026

  • Fixed — Asset-detail endpoints (GET /bonds/{id}, /funds/{id}, /opportunities/{id}, /market-intel/{id}) now return a clean 404 for any unresolvable id, including Firestore-reserved patterns (e.g. __x__) that previously threw a 500.
  • Added — Sandbox parity: PATCH /settings and the SMTP test now work in sandbox, and POST /api-keys/rotate rotates your sandbox key in place. Both were previously 422 stubs.
  • Changed — Enterprise scoped-key enforcement is now enforced, not advisory. With scopedKeysRequired enabled, a key with no scopes is denied (403); a full-access key must hold the "*" scope.
  • Changed — Signed requests now cover the query string: HMAC-SHA256(apiKey, "{timestamp}.{METHOD}.{path}{?query}.{sha256(body)}"). Signing without the query string is deprecated.
  • Fixed — mTLS verification is stricter: a bare or spoofed x-forwarded-client-cert no longer counts as a verified certificate. Use x-client-cert-verified: success or a genuine Envoy XFCC with a Hash=.
  • Fixed — API reference corrected: data keys access market data via /market/*; the deprecated /market-data/* aliases are not in the data-key allowlist.

v2.5 — July 2026

  • Changed — Integration test tools renamed: POST /test-tools/deposit, POST /test-tools/trade, GET /test-tools/orders are the new canonical live-key testing paths. The old /sandbox/* paths remain supported aliases but are deprecated.
  • Added — Security guidance: avoid embedding API keys (including pk_data_) in production bundles; proxy through your backend or mint short-lived tokens via POST /oauth/token.
  • Fixed — OpenAPI spec: the data-key prefix is pk_data_ (earlier text showed dk_).
  • Changed — Market data unified under /market/*: GET /market/exchanges and GET /market/ohlcv are the new canonical paths; /market-data/* remain deprecated aliases.
  • Added — camelCase pagination meta on GET /market/movers (totalCount, perPage, hasNext); snake_case aliases deprecated, removal 2026-10-01.
  • Added — Typed response-header components in the spec (X-RateLimit-*, Retry-After) and documented webhook request headers.
  • Added — Webhook delivery semantics documented: at-least-once, possible duplicates/out-of-order, dedupe-by-eventId, gap reconciliation.
  • Added — Retry-guidance table in Authentication.
  • Fixed — Webhook retry policy corrected to the actual scheduler: up to 6 attempts with exponential back-off (immediate, 5 s, 30 s, 5 min, 30 min, 2 h).
  • Added — Concepts & Glossary (15 terms with stable #term-<slug> anchors), Architecture & Custody, and Order & Money Lifecycles sections.
  • Added — Recipes: eight implementation guides at /partners/docs/recipes, each on its own shareable URL.
  • Fixed — Build a Trading App guide now shows the correct two-step GET /quote/{symbol}POST /trade sequence.
  • Fixed — Cash-mode (fractional) trading now works with the quote gate: GET /quote/{symbol} accepts cashValue.
  • Fixed — Sandbox GET /buying-power endpoints now exist; quote quantities accept fractional values.
  • Added — Sandbox webhooks reach full production parity (real endpoints, HMAC signing, retries, delivery log, test-fire).
  • Fixed — Sandbox parity sweep: duplicate externalId returns the existing sub-account (200); structured batch/validation errors.
  • Added — Sandbox top-ups (POST /topup) auto-approve and fire topup.confirmed.
  • Added — OpenAPI: GET /dividends/{symbol}/history documented.
  • FixedGET /stocks documented as a full, non-paginated filtered list with a search param.
  • Fixed — Quick Start step 1 corrected: POST /register authenticates with a Firebase ID token.

v2.4 — July 2026

  • Added — Real-time event stream: GET /stream (Server-Sent Events) — every webhook event, also streamed, with resume via Last-Event-ID / ?since=.
  • Added — Self-serve pricing: GET /pricing + PATCH /pricing (default markup bps + per-symbol/exchange/asset-class overrides + promo window).
  • Added — Webhook corporateaction.declared (split, rights issue, bonus, merger, delisting, symbol change) with affectedSubAccounts[].
  • Added — Tax lots + realized-gain reporting: GET /users/{userId}/tax-lots and GET /users/{userId}/gains.
  • AddedGET /float + PATCH /float (master funding headroom); webhooks topup.confirmed and float.low; optional credit line.
  • Added — Native LIMIT / STOP / STOP_LIMIT orders on sub-account trades (rest in WORKING, fire order.triggered).
  • AddedGET /buying-power endpoints — settlement-aware balances (withdrawableUsd excludes unsettled SELL proceeds).
  • Changed — Sub-account withdrawals can enforce a settlement hold: over-withdrawal returns 400 UNSETTLED_FUNDS.
  • Changed — Unified stock/quote response shape across /market/quotes, /market/movers, /stocks.
  • Deprecated — snake_case aliases on /market/quotes and /market/movers; removal 2026-10-01.
  • Addedprice returned alongside deprecated currentPrice on /stocks/{symbol} and /companies/{symbol}.

v2.3 — June 2026

  • AddedGET /market/movers — paginated top gainers/losers per exchange.
  • Changed — List endpoints use cursor pagination (cursor + nextCursor + hasMore).
  • Fixed — Batch-quote volume returns integer 0 (not null); overflow returns BATCH_LIMIT_EXCEEDED; malformed symbols return 400 INVALID_SYMBOL.
  • Fixed?symbols[]= array bracket notation returns a clear VALIDATION_ERROR pointing to ?symbols=A,B,C.
  • Changed — Error-codes table expanded (MISSING_PARAM, INVALID_SYMBOL, UNKNOWN_EXCHANGE, INVALID_TYPE, BATCH_LIMIT_EXCEEDED).

v2.2 — June 2026

  • Added — OHLCV in chart endpoints: open, high, low, close, volume on every candle plus parallel arrays.
  • Addedopen field on stock and ETF detail responses.
  • Fixed — Missing logo SVGs return a branded placeholder instead of an error page.

v2.1 — May 2026

  • Added — ETF support: GET /etfs, /etfs/{symbol}, /etfs/{symbol}/history, /etfs/{symbol}/chart.
  • Added — Price charts: GET /stocks/{symbol}/chart and /etfs/{symbol}/chart.
  • Added — Multi-symbol batch quotes (up to 50 symbols).
  • Added — Sandbox simulation headers X-Sandbox-Force-Status / X-Sandbox-Force-Error.
  • Changed — Structured error model {"error": {"code", "message"}}.
  • Added — Timing-safe HMAC signature-verification examples (Express, FastAPI).

v2.0 — May 2026

  • Added — Sandbox endpoints: POST /sandbox/deposit, POST /sandbox/trade, GET /sandbox/orders.
  • Added — All sandbox webhook payloads include isSandbox: true.
  • Added — Sandbox tab in the Partner Dashboard; cheat codes (quantity 100 → auto-fill, 999 → auto-reject).

v1.9 — May 2026

  • AddedPOST /auto-register, GET /quote/{symbol}, GET /market/status, GET /webhooks/{id}/deliveries.
  • Added — Webhook events wallet.credited, incident.declared, incident.resolved.
  • Changed — Deposit body accepts localAmount, localCurrency, fxRate.
  • Fixed — Webhook signature example uses timingSafeEqual.

v1.8 — April 2026

  • Added — Company endpoints; GET /usage; GET /audit; partner markupBps; SMTP settings.

v1.7 — March 2026

  • AddedGET /report/revenue, GET /report/invoice, POST /api-keys/rotate & revoke, GET /api-keys/data-key.
  • Changed — Trade body accepts optional stopLoss and takeProfit.

v1.6 — January 2026

  • AddedPOST /users/{userId}/subscribe & redeem, GET /dividends/calendar, GET /report/dividends, webhook dividend.paid.

v1.5 — November 2025

  • Added — Bonds & fixed income, funds & ETFs, private credit & pre-IPO, POST /users/{userId}/kyc.

v1.0 — September 2025

  • Added — Initial release: equity trading, sub-accounts, USD wallets, deposits, withdrawals, webhooks, core stock/portfolio/user/trade/webhook endpoints.

On this page