Skip to content
Partner API Docs

Enterprise Security

Optional hardening controls for enterprise partners — IP allowlists, scoped keys, signed requests, mTLS, and short-lived OAuth client-credentials tokens — plus the go-live certification checklist MyStocks reviews before production approval. Production-only, full-key required.

Optional hardening controls for enterprise partners — IP allowlists, scoped keys, signed requests, mTLS, short-lived OAuth tokens — plus the go-live certification checklist MyStocks reviews before production approval. These endpoints are production-only (not mirrored in sandbox) and require a full API key.

Scoped keys

With scopedKeysRequired enabled, a key with no scopes is denied (403) — enforced, not advisory. Give a full-access key the "*" scope explicitly; scope others to just what they need (e.g. market:read, trading:write).

Signed requests

Send X-MS-Timestamp + X-MS-Signature = hex HMAC-SHA256(apiKey, "{ts}.{METHOD}.{path}{?query}.{sha256(body)}"). The query string is part of the signed path (leading ?, empty when absent).

mTLS

Your gateway must verify the client certificate and forward x-client-cert-verified: success (or a genuine Envoy XFCC with a Hash=), and strip any client-supplied copies of those headers at the edge — the app trusts them only under that assumption.

Security policy

GET /security · PATCH /security

Read or update your enterprise security policy: IP allowlist, requireSignedRequests, requireMtls, key-rotation window, and security-evidence URLs. Once signed requests or mTLS are enabled, subsequent write requests must satisfy the configured controls — enable them from a machine that already complies. The response also shows your key's scopes and when rotation is next due.

{ "policy": { "ipAllowlist": ["203.0.113.10"], "requireSignedRequests": true, "requireMtls": false, "keyRotationDays": 90, "oauthClientCredentialsEnabled": true }, "key": { "keyType": "full", "scopes": ["market:read", "trading:write"], "rotationDueAt": "2026-09-28T00:00:00Z" } }

OAuth tokens

POST /oauth/token

OAuth 2.0 client-credentials grant for partners with oauthClientCredentialsEnabled in their security policy. Send your pk_live_ key as the client secret (HTTP Basic auth, form body, or JSON body) and receive a short-lived ms_oauth_ Bearer token (15 minutes) — optionally narrowed to a scope subset. Use tokens instead of the raw key inside less-trusted workloads.

{ "access_token": "ms_oauth_...", "token_type": "Bearer", "expires_in": 900, "scope": "market:read trading:read" }

Certification

GET /certification · PATCH /certification · POST /certification

The go-live certification checklist: sandbox golden path, concurrency/idempotency tests, webhook retry handling, failover drill, reconciliation exports, and enterprise security controls. PATCH partner-owned checks with status, evidenceUrl, and notes. POST requests a MyStocks go-live review once your checks pass and evidence is attached — the final approval check can only be set by MyStocks operations.

{ "checks": { "sandbox_golden_path": { "status": "passed", "evidenceUrl": "https://trust.partner.example/golden-path.pdf" }, "webhook_retry": { "status": "in_progress" }, "mystocks_go_live_approval": { "status": "not_started" } }, "requiredPassed": 2, "requiredTotal": 7 }

On this page