Enterprise Security
Optional hardening controls for enterprise partners — IP allowlists, scoped keys, signed requests, mTLS, and short-lived OAuth client-credentials tokens — plus the go-live certification checklist MyStocks reviews before production approval. Production-only, full-key required.
Optional hardening controls for enterprise partners — IP allowlists, scoped keys, signed requests, mTLS, short-lived OAuth tokens — plus the go-live certification checklist MyStocks reviews before production approval. These endpoints are production-only (not mirrored in sandbox) and require a full API key.
Scoped keys
With scopedKeysRequired enabled, a key with no scopes is denied (403) — enforced, not advisory.
Give a full-access key the "*" scope explicitly; scope others to just what they need
(e.g. market:read, trading:write).
Signed requests
Send X-MS-Timestamp + X-MS-Signature = hex
HMAC-SHA256(apiKey, "{ts}.{METHOD}.{path}{?query}.{sha256(body)}"). The query string is part of
the signed path (leading ?, empty when absent).
mTLS
Your gateway must verify the client certificate and forward x-client-cert-verified: success
(or a genuine Envoy XFCC with a Hash=), and strip any client-supplied copies of those headers at
the edge — the app trusts them only under that assumption.
Security policy
GET /security · PATCH /security
Read or update your enterprise security policy: IP allowlist, requireSignedRequests, requireMtls,
key-rotation window, and security-evidence URLs. Once signed requests or mTLS are enabled, subsequent
write requests must satisfy the configured controls — enable them from a machine that already complies.
The response also shows your key's scopes and when rotation is next due.
OAuth tokens
POST /oauth/token
OAuth 2.0 client-credentials grant for partners with oauthClientCredentialsEnabled in their security
policy. Send your pk_live_ key as the client secret (HTTP Basic auth, form body, or JSON body) and
receive a short-lived ms_oauth_ Bearer token (15 minutes) — optionally narrowed to a scope subset.
Use tokens instead of the raw key inside less-trusted workloads.
Certification
GET /certification · PATCH /certification · POST /certification
The go-live certification checklist: sandbox golden path, concurrency/idempotency tests, webhook retry
handling, failover drill, reconciliation exports, and enterprise security controls. PATCH
partner-owned checks with status, evidenceUrl, and notes. POST requests a MyStocks go-live review
once your checks pass and evidence is attached — the final approval check can only be set by MyStocks
operations.