The Investment API uses opaque access tokens obtained using the OAuth 2.0 Client Credentials flow.
During the onboarding process, each client receives a client ID and a client secret that can be used to request access tokens via our OAuth2 endpoints.
The Upvest Investment API supports granular authentication scopes, which improve security by letting you limit each access token to the permissions and data it actually needs: specify only the required scopes when requesting the token.
The following table lists available scopes:
| Scope | Permissions |
|---|---|
| Users, Account Management, and Taxes | |
| accounts:read | Read accounts and accounts groups. |
| accounts:admin | Create/update/delete accounts and accounts groups. |
| checks:admin | Create and read user checks. |
| checks:read | Read checks by user or by the check ID. |
| users:admin | Create/update/delete users and user identifiers. |
| users:read | Read users and user identifiers. |
| Taxes | |
| taxes:admin | Modify tax residencies and create/modify tax exemptions. |
| taxes:read | Read tax residencies. |
| Instruments and Prices | |
| instruments:read | Read instruments. |
| prices:read | Read instrument prices including latest price and OHLC prices. |
| Orders | |
| orders:admin | Create/update/delete orders. |
| orders:read | Read orders. |
| Investment Solutions | |
| account_liquidations:admin | Trigger/read/cancel accounts liquidations. |
| account_liquidations:read | Read accounts liquidations. |
| portfolios:admin | Modify portfolios including allocations, configurations, and rebalancing. |
| portfolios:read | Read portfolios. |
| savings_plan:admin | Create/read savings plans. |
| savings_plan:read | Read savings plans. |
| Payments | |
| payments:admin | Payments and withdrawal operations including direct debits and withdrawals. |
| payments:read | Payments and withdrawal read operations. |
| mandates:admin | Create/update/delete mandates. |
| mandates:read | Read mandates. |
| reference_accounts:admin | Create/update/delete reference accounts. |
| reference_accounts:read | Read reference accounts. |
| topups:admin | Top-up operations. |
| topups:read | Top-up read operations. |
| credit_fundings:read | Read credit fundings details. |
| Balances | |
| positions:read | Read positions and cash balances. |
| valuations:read | Read account valuations. |
| account_returns:read | Read accounts returns. |
| virtual_cash_balances:admin | Increase and decrease virtual cash balances. |
| Fees | |
| fees:admin | Create and read fee operations. |
| fees:read | Read fee operations. |
| Reporting | |
| files:read | Read files metadata. |
| reports:admin | Create reports. |
| reports:read | Read reports. |
| transactions:read | Read cash and securities transactions. |
| Webhooks | |
| webhooks:admin | Create/update/delete webhooks. |
| webhooks:read | Read webhooks. |
| Tests | |
| tests:admin | Trigger a bank transaction for testing purposes. |
For example, request a users:read access token when you only need to read user data and must not be able to change it; request a users:admin access token only when you need to onboard new users.
For more on available permissions, see here.

Once the access token is returned, it can be used in every request to endpoints that require the granted scopes, via the standard Authorization header:

```
Authorization: Bearer <access_token>
```

The use of client_credentials alone allows us to identify you and authorise your request. However, it does not protect against a man-in-the-middle attack, where the request can be maliciously modified. To mitigate this risk, there is an additional layer of public key infrastructure in the form of HTTP message signatures.
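The flow described above (client credentials grant with explicit scopes, then the Bearer header on API calls), as an added example that is not Upvest's own client code. It uses only the Python standard library. TOKEN_URL, API_BASE and the `/users` path are placeholders (assumptions); the real endpoints come from the Upvest API reference. The client ID and secret are sent as an HTTP Basic header, which RFC 6749 requires token endpoints to support; whether Upvest expects them there or in the form body is an assumption, so the body variant is shown as a comment. The scope list is validated against the table above so that a mistyped scope fails locally instead of yielding a token with unexpected permissions, and `admin_scopes` lets a caller confirm that a read-only job is not carrying any `*:admin` scope.

```python
"""Added example (not Upvest's code): OAuth 2.0 client credentials grant with
least-privilege scopes, then a Bearer-authenticated API call."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth/token"  # placeholder (assumption)
API_BASE = "https://API-HOST-PLACEHOLDER"                     # placeholder (assumption)

# Scopes from the table above; anything else is rejected before a network call.
KNOWN_SCOPES = frozenset({
    "accounts:read", "accounts:admin", "checks:admin", "checks:read",
    "users:admin", "users:read", "taxes:admin", "taxes:read",
    "instruments:read", "prices:read", "orders:admin", "orders:read",
    "account_liquidations:admin", "account_liquidations:read",
    "portfolios:admin", "portfolios:read", "savings_plan:admin", "savings_plan:read",
    "payments:admin", "payments:read", "mandates:admin", "mandates:read",
    "reference_accounts:admin", "reference_accounts:read",
    "topups:admin", "topups:read", "credit_fundings:read",
    "positions:read", "valuations:read", "account_returns:read",
    "virtual_cash_balances:admin", "fees:admin", "fees:read",
    "files:read", "reports:admin", "reports:read", "transactions:read",
    "webhooks:admin", "webhooks:read", "tests:admin",
})


def admin_scopes(scopes):
    """Return the *:admin scopes in a request, sorted, so the caller can confirm
    each one is really needed (a read-only job should carry only *:read scopes)."""
    return sorted(s for s in scopes if s.endswith(":admin"))


def build_token_request(client_id, client_secret, scopes):
    """Headers and form body for an RFC 6749 client credentials grant.

    Scopes are space-delimited (RFC 6749 section 3.3) and validated against the
    table so a typo cannot silently produce a token with the wrong permissions.
    """
    unknown = sorted(set(scopes) - KNOWN_SCOPES)
    if unknown:
        raise ValueError(f"unknown scopes: {unknown}")
    # Client authentication via HTTP Basic (RFC 6749 section 2.3.1); assumption.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        # If the token endpoint expects credentials in the body instead:
        # "client_id": client_id, "client_secret": client_secret,
    })
    return headers, body


def bearer_header(token_response):
    """Build the Authorization header from the token endpoint's JSON response."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a Bearer token")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def fetch_token(client_id, client_secret, scopes):
    """POST the grant to TOKEN_URL and return the parsed token response."""
    headers, body = build_token_request(client_id, client_secret, scopes)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_json(path, token_response):
    """GET an API resource with the Bearer header attached."""
    req = urllib.request.Request(API_BASE + path, headers=bearer_header(token_response))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    # Read-only job: request only users:read, never users:admin.
    wanted = ["users:read"]
    assert not admin_scopes(wanted)
    tok = fetch_token(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"], wanted)
    print(get_json("/users", tok))  # path is a placeholder
```

Keep the client secret out of source and logs (the example reads it from the environment), and request a separate token per job with the narrowest scope set; a token minted for reporting with `reports:read` cannot be turned into a `users:admin` token by whoever obtains it.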