### App Registration Process

Source: https://developer.itigerup.com/docs/openapi/repository/7/markdown/master/oauth2/docs/registration.en-us

Before integrating with Tiger's API, third-party applications must register their company and app information. This process involves submitting specific details; after approval (typically within 48 hours), certification information will be emailed.

```APIDOC
## App Registration

### Description
Register your third-party application with Tiger's API to obtain necessary credentials for integration. This process requires submitting detailed company and application information.

### Method
POST

### Endpoint
/api/v1/apps/register

### Parameters
#### Request Body
- **companyName** (string) - Required - Includes the company's common name, Chinese name, English name, etc. (fill in at least one name).
- **companyInfo** (string) - Required - Describes the third-party platform's basic information, including business scope, user scale, transaction scale, common transaction types, transaction frequency, etc.
- **homepageUrl** (string) - Required - The full URL to the company's homepage.
- **contactInfo** (dict) - Required - The name, phone number and email address of the person in charge of communication with Tiger's API team on behalf of the App.
  - **name** (string) - Required
  - **phone** (string) - Required
  - **email** (string) - Required
- **appCodeName** (string) - Required - Name of the App, consisting only of lowercase Latin letters, numbers, dots and hyphens (-).
- **appName** (string) - Required - Name of the App to be presented to the End-User.
- **appDescription** (string) - Optional - Description of the App to be presented to the End-User.
- **appLogo** (string) - Optional - Logo of the App to be presented to the End-User (URL or image data).
- **redirectUris** (list[string]) - Required - Array of Redirection URI values used by the App.
- **grantTypes** (list[string]) - Required - Array containing a list of the OAuth 2.0 grant_type values that the App is declaring that it will restrict itself to using.
- **responseTypes** (list[string]) - Required - Array containing a list of the OAuth 2.0 response_type values that the App is declaring that it will restrict itself to using.
- **authMethod** (string) - Required - The Authentication method that the App is declaring that it will use at certain Endpoints.

### Request Example
```json
{
  "companyName": "老指引; Tiger Securities; 向上一心科技有限公司; US TIGER SECURITIES, INC.",
  "companyInfo": "A leading financial technology platform providing comprehensive investment services.",
  "homepageUrl": "https://www.tiger.com",
  "contactInfo": {
    "name": "John Doe",
    "phone": "+1234567890",
    "email": "john.doe@example.com"
  },
  "appCodeName": "my-trading-app",
  "appName": "My Trading App",
  "appDescription": "An application for seamless trading and portfolio management.",
  "appLogo": "https://example.com/logo.png",
  "redirectUris": ["https://my-app.com/callback"],
  "grantTypes": ["authorization_code", "refresh_token"],
  "responseTypes": ["code"],
  "authMethod": "Secret Basic"
}
```

### Response
#### Success Response (200)
- **clientId** (string) - The unique identifier for your application.
- **clientSecret** (string) - The secret key for your application. Keep this secure.
- **scopes** (list[string]) - The permissions granted to your application.
- **audiences** (list[string]) - The intended recipients of your application's requests.
- **publicKey** (string) - The public key used to verify the signature of Tiger's Access Token.
#### Response Example
```json
{
  "clientId": "your_client_id",
  "clientSecret": "your_client_secret",
  "scopes": ["read:portfolio", "trade"],
  "audiences": ["tiger.api.com"],
  "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
```
```

--------------------------------

### Authentication Methods

Source: https://developer.itigerup.com/docs/openapi/repository/7/markdown/master/oauth2/docs/other.en-us

Details on the two supported authentication methods for interacting with the Authorization Server: Secret Basic and Secret Post.

```APIDOC
## Authentication Methods

Applications are required to authenticate their identity when interacting with the Authorization Server. Two methods are supported:

### Secret Basic
#### Description
Uses HTTP Basic Authentication with `client_id` and `client_secret`.

#### How to Use
Include the `client_id` and `client_secret` in the `Authorization` header, Base64 encoded.

#### Example Header
```
Authorization: Basic
```

### Secret Post
#### Description
Includes `client_id` and `client_secret` in the request body.

#### How to Use
Add `client_id` and `client_secret` as parameters in the request body.

#### Example Request Body
```json
{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "grant_type": "authorization_code",
  "code": "authorization_code_from_redirect",
  "redirect_uri": "your_redirect_uri"
}
```
```

--------------------------------

### Secret Basic Authentication

Source: https://developer.itigerup.com/docs/openapi/repository/7/markdown/master/oauth2/docs/other.en-us

This method requires the App to include its `client_id` and `client_secret` in the HTTP Basic authorization header. The credentials should be base64 encoded in the format `client_id:client_secret`.

```http
Authorization: Basic
```

--------------------------------

### Token Introspection API

Source: https://developer.itigerup.com/docs/openapi/repository/7/markdown/master/oauth2/docs/other.en-us

This endpoint allows applications to introspect an access token to check if it has been revoked. The token must be provided in the request, and the application must authenticate itself.

```APIDOC
## POST /introspect

### Description
Introspect an access token to check its validity and revocation status.

### Method
POST

### Endpoint
/introspect

### Parameters
#### Query Parameters
- **token** (string) - Required - The access token to introspect.

#### Request Body
*No request body is expected for this endpoint. Authentication is handled via headers.*

### Request Example
```
POST /introspect HTTP/1.1
Host: your-authorization-server.com
Authorization: Basic
Content-Type: application/x-www-form-urlencoded

token=your_access_token_here
```

### Response
#### Success Response (200)
- **active** (boolean) - Indicates if the token is active (`true`) or revoked/invalid (`false`).
- **[other claims]** (any) - If the token is active, other claims from the JWT payload (excluding `jti`) are returned.

#### Response Example
```json
{
  "active": true,
  "iss": "your-authorization-server.com",
  "sub": "user_id",
  "aud": "your_client_id",
  "exp": 1678886400,
  "iat": 1678882800,
  "scope": "read write"
}
```

#### Error Response Example (Revoked Token)
```json
{
  "active": false
}
```
```

--------------------------------

### Token Revocation API

Source: https://developer.itigerup.com/docs/openapi/repository/7/markdown/master/oauth2/docs/other.en-us

This endpoint allows applications to revoke both the access token and the refresh token when they are no longer needed. The token to be revoked must be provided in the request, and the application must authenticate itself.

```APIDOC
## POST /revoke

### Description
Revoke an access token and its associated refresh token.

### Method
POST

### Endpoint
/revoke

### Parameters
#### Query Parameters
- **token** (string) - Required - The token (access or refresh) to revoke.

#### Request Body
*No request body is expected for this endpoint. Authentication is handled via headers.*

### Request Example
```
POST /revoke HTTP/1.1
Host: your-authorization-server.com
Authorization: Basic
Content-Type: application/x-www-form-urlencoded

token=your_token_to_revoke
```

### Response
#### Success Response (200)
*A successful revocation typically returns a 200 OK status with no specific body content.*

#### Response Example
*No specific response body is defined for success.*

#### Error Response Example
*Error responses will typically indicate failure with an appropriate HTTP status code and possibly an error message in the body.*
```json
{
  "error": "invalid_token",
  "error_description": "The provided token is invalid or has already been revoked."
}
```
```

--------------------------------

### Token Introspection Endpoint

Source: https://developer.itigerup.com/docs/openapi/repository/7/markdown/master/oauth2/docs/other.en-us

The Introspection Endpoint can be used to check if a token has been revoked. The request must include the token to be introspected and authenticate the app. A response with 'active: false' indicates revocation or invalidity, while 'active: true' signifies an active token with claims matching the JWT payload (excluding 'jti').
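
A client-side sketch of the introspection call described above, added here as an example and not taken from Tiger's documentation or SDK: it builds the Secret Basic header and the form-encoded request from the page's request example, then fails closed on the response. The host is the page's placeholder; the function names and the `aud`/`exp` checks are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder host from the page's request example, not a real endpoint.
INTROSPECT_URL = "https://your-authorization-server.com/introspect"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Secret Basic: Base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspect_request(token: str, client_id: str, client_secret: str):
    """Build (without sending) the POST shown in the page's request example."""
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return urllib.request.Request(
        INTROSPECT_URL, data=body, method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def accept_token(response_body: str, expected_aud: str, now=None):
    """Fail closed: return the claims only when 'active' is the boolean true,
    the token was issued to expected_aud and it has not expired (the aud and
    exp checks are this example's assumption); otherwise return None."""
    try:
        claims = json.loads(response_body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims
```

Comparing with `is not True` rejects a string such as `"true"` as well as a missing `active` field, so a malformed or unexpected response is treated the same as a revoked token.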