Overview
This page is reorganized as a practical OAuth 2.0 access flow for new integrations.
✅Tip
Prefer using SDKs for faster integration:
Notes
| Precautions | Reference |
|---|---|
| Prefer SDKs over raw HTTP when possible | SDK Quick Start |
| Enable required OpenAPI services first | How to enable OpenAPI |
| Understand permissions and restrictions | Permissions and restrictions |
| Check common error codes for troubleshooting | Error Codes |
OAuth 2.0 (Default)
For new integrations, OAuth 2.0 is the default path.
API-key signature mode can remain as a fallback for legacy compatibility, but it is not the default.
Discovery endpoints
- Production:
https://openapi.longportapp.com/.well-known/oauth-authorization-server - China:
https://openapi.longportapp.cn/.well-known/oauth-authorization-server
Supported grant types (from discovery):
authorization_coderefresh_token
OAuth 2.0 flow (step-by-step)
1) Register OAuth client
If there is no UI for client creation in your environment, register dynamically:
bash
curl -X POST https://openapi.longportapp.com/oauth2/register \
-H "Content-Type: application/json" \
-d '{
"client_name": "my-openapi-app",
"redirect_uris": ["https://your-app.com/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"]
}'Registration may return only
client_id(public client, noclient_secret). In this case, use PKCE and do not sendclient_secretin token requests.
2) Build authorization URL and get code
text
https://openapi.longportapp.com/oauth2/authorize
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=3
&state=YOUR_RANDOM_STATE
&code_challenge=YOUR_CODE_CHALLENGE
&code_challenge_method=S256After user consent, callback receives:
text
YOUR_REDIRECT_URI?code=AUTH_CODE&state=YOUR_RANDOM_STATE3) Exchange code for access_token
bash
curl -X POST https://openapi.longportapp.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id=YOUR_CLIENT_ID" \
-d "redirect_uri=YOUR_REDIRECT_URI" \
-d "code=AUTH_CODE" \
-d "code_verifier=YOUR_CODE_VERIFIER"
# only when your client has secret:
# -d "client_secret=YOUR_CLIENT_SECRET"4) Call API with Bearer token (TSLA.US example)
bash
curl -X GET "https://openapi.longportapp.com/v1/quote/get_security_list?market=US&category=Overnight" \
-H "Authorization: Bearer ACCESS_TOKEN"Real response (excerpt, keeping TSLA.US row):
json
{
"code": 0,
"message": "success",
"data": {
"list": [
{
"symbol": "TSLA.US",
"name_cn": "特斯拉",
"name_hk": "",
"name_en": ""
}
]
}
}5) Refresh token
Use OAuth token endpoint for refresh (details in Refresh Token):
bash
curl -X POST https://openapi.longportapp.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token" \
-d "client_id=YOUR_CLIENT_ID" \
-d "refresh_token=REFRESH_TOKEN"
# only when your client has secret:
# -d "client_secret=YOUR_CLIENT_SECRET"Relationship with legacy docs
- This page: OAuth 2.0 main flow for new integrations.
- Refresh Token: refresh step details only, to avoid duplication.