Changelog
All notable MyStocks Partner API changes by version, from the v1.0 initial release through v2.6. Entries marked Deprecated are removed on the date in the Sunset header — see API Versioning for the deprecation policy.
All notable API changes. Entries marked Deprecated will be removed on the date listed in the
Sunset header — see API Versioning for the deprecation policy.
v2.6 — July 2026
- Fixed — Asset-detail endpoints (
GET /bonds/{id},/funds/{id},/opportunities/{id},/market-intel/{id}) now return a clean 404 for any unresolvable id, including Firestore-reserved patterns (e.g.__x__) that previously threw a 500. - Added — Sandbox parity:
PATCH /settingsand the SMTP test now work in sandbox, andPOST /api-keys/rotaterotates your sandbox key in place. Both were previously 422 stubs. - Changed — Enterprise scoped-key enforcement is now enforced, not advisory. With
scopedKeysRequiredenabled, a key with no scopes is denied (403); a full-access key must hold the"*"scope. - Changed — Signed requests now cover the query string:
HMAC-SHA256(apiKey, "{timestamp}.{METHOD}.{path}{?query}.{sha256(body)}"). Signing without the query string is deprecated. - Fixed — mTLS verification is stricter: a bare or spoofed
x-forwarded-client-certno longer counts as a verified certificate. Usex-client-cert-verified: successor a genuine Envoy XFCC with aHash=. - Fixed — API reference corrected: data keys access market data via
/market/*; the deprecated/market-data/*aliases are not in the data-key allowlist.
v2.5 — July 2026
- Changed — Integration test tools renamed:
POST /test-tools/deposit,POST /test-tools/trade,GET /test-tools/ordersare the new canonical live-key testing paths. The old/sandbox/*paths remain supported aliases but are deprecated. - Added — Security guidance: avoid embedding API keys (including
pk_data_) in production bundles; proxy through your backend or mint short-lived tokens viaPOST /oauth/token. - Fixed — OpenAPI spec: the data-key prefix is
pk_data_(earlier text showeddk_). - Changed — Market data unified under
/market/*:GET /market/exchangesandGET /market/ohlcvare the new canonical paths;/market-data/*remain deprecated aliases. - Added — camelCase pagination meta on
GET /market/movers(totalCount,perPage,hasNext); snake_case aliases deprecated, removal 2026-10-01. - Added — Typed response-header components in the spec (
X-RateLimit-*,Retry-After) and documented webhook request headers. - Added — Webhook delivery semantics documented: at-least-once, possible duplicates/out-of-order, dedupe-by-eventId, gap reconciliation.
- Added — Retry-guidance table in Authentication.
- Fixed — Webhook retry policy corrected to the actual scheduler: up to 6 attempts with exponential back-off (immediate, 5 s, 30 s, 5 min, 30 min, 2 h).
- Added — Concepts & Glossary (15 terms with stable
#term-<slug>anchors), Architecture & Custody, and Order & Money Lifecycles sections. - Added — Recipes: eight implementation guides at
/partners/docs/recipes, each on its own shareable URL. - Fixed — Build a Trading App guide now shows the correct two-step
GET /quote/{symbol}→POST /tradesequence. - Fixed — Cash-mode (fractional) trading now works with the quote gate:
GET /quote/{symbol}acceptscashValue. - Fixed — Sandbox
GET /buying-powerendpoints now exist; quote quantities accept fractional values. - Added — Sandbox webhooks reach full production parity (real endpoints, HMAC signing, retries, delivery log, test-fire).
- Fixed — Sandbox parity sweep: duplicate
externalIdreturns the existing sub-account (200); structured batch/validation errors. - Added — Sandbox top-ups (
POST /topup) auto-approve and firetopup.confirmed. - Added — OpenAPI:
GET /dividends/{symbol}/historydocumented. - Fixed —
GET /stocksdocumented as a full, non-paginated filtered list with asearchparam. - Fixed — Quick Start step 1 corrected:
POST /registerauthenticates with a Firebase ID token.
v2.4 — July 2026
- Added — Real-time event stream:
GET /stream(Server-Sent Events) — every webhook event, also streamed, with resume viaLast-Event-ID/?since=. - Added — Self-serve pricing:
GET /pricing+PATCH /pricing(default markup bps + per-symbol/exchange/asset-class overrides + promo window). - Added — Webhook
corporateaction.declared(split, rights issue, bonus, merger, delisting, symbol change) withaffectedSubAccounts[]. - Added — Tax lots + realized-gain reporting:
GET /users/{userId}/tax-lotsandGET /users/{userId}/gains. - Added —
GET /float+PATCH /float(master funding headroom); webhookstopup.confirmedandfloat.low; optional credit line. - Added — Native LIMIT / STOP / STOP_LIMIT orders on sub-account trades (rest in
WORKING, fireorder.triggered). - Added —
GET /buying-powerendpoints — settlement-aware balances (withdrawableUsdexcludes unsettled SELL proceeds). - Changed — Sub-account withdrawals can enforce a settlement hold: over-withdrawal returns
400 UNSETTLED_FUNDS. - Changed — Unified stock/quote response shape across
/market/quotes,/market/movers,/stocks. - Deprecated — snake_case aliases on
/market/quotesand/market/movers; removal 2026-10-01. - Added —
pricereturned alongside deprecatedcurrentPriceon/stocks/{symbol}and/companies/{symbol}.
v2.3 — June 2026
- Added —
GET /market/movers— paginated top gainers/losers per exchange. - Changed — List endpoints use cursor pagination (
cursor+nextCursor+hasMore). - Fixed — Batch-quote
volumereturns integer0(notnull); overflow returnsBATCH_LIMIT_EXCEEDED; malformed symbols return400 INVALID_SYMBOL. - Fixed —
?symbols[]=array bracket notation returns a clearVALIDATION_ERRORpointing to?symbols=A,B,C. - Changed — Error-codes table expanded (
MISSING_PARAM,INVALID_SYMBOL,UNKNOWN_EXCHANGE,INVALID_TYPE,BATCH_LIMIT_EXCEEDED).
v2.2 — June 2026
- Added — OHLCV in chart endpoints:
open,high,low,close,volumeon every candle plus parallel arrays. - Added —
openfield on stock and ETF detail responses. - Fixed — Missing logo SVGs return a branded placeholder instead of an error page.
v2.1 — May 2026
- Added — ETF support:
GET /etfs,/etfs/{symbol},/etfs/{symbol}/history,/etfs/{symbol}/chart. - Added — Price charts:
GET /stocks/{symbol}/chartand/etfs/{symbol}/chart. - Added — Multi-symbol batch quotes (up to 50 symbols).
- Added — Sandbox simulation headers
X-Sandbox-Force-Status/X-Sandbox-Force-Error. - Changed — Structured error model
{"error": {"code", "message"}}. - Added — Timing-safe HMAC signature-verification examples (Express, FastAPI).
v2.0 — May 2026
- Added — Sandbox endpoints:
POST /sandbox/deposit,POST /sandbox/trade,GET /sandbox/orders. - Added — All sandbox webhook payloads include
isSandbox: true. - Added — Sandbox tab in the Partner Dashboard; cheat codes (quantity 100 → auto-fill, 999 → auto-reject).
v1.9 — May 2026
- Added —
POST /auto-register,GET /quote/{symbol},GET /market/status,GET /webhooks/{id}/deliveries. - Added — Webhook events
wallet.credited,incident.declared,incident.resolved. - Changed — Deposit body accepts
localAmount,localCurrency,fxRate. - Fixed — Webhook signature example uses
timingSafeEqual.
v1.8 — April 2026
- Added — Company endpoints;
GET /usage;GET /audit; partnermarkupBps; SMTP settings.
v1.7 — March 2026
- Added —
GET /report/revenue,GET /report/invoice,POST /api-keys/rotate&revoke,GET /api-keys/data-key. - Changed — Trade body accepts optional
stopLossandtakeProfit.
v1.6 — January 2026
- Added —
POST /users/{userId}/subscribe&redeem,GET /dividends/calendar,GET /report/dividends, webhookdividend.paid.
v1.5 — November 2025
- Added — Bonds & fixed income, funds & ETFs, private credit & pre-IPO,
POST /users/{userId}/kyc.
v1.0 — September 2025
- Added — Initial release: equity trading, sub-accounts, USD wallets, deposits, withdrawals, webhooks, core stock/portfolio/user/trade/webhook endpoints.