🔑 Tokens & Authentication

Q1. What is an access token, and what’s new about it?

The access token now comes from the Neo app/web → Invest → TradeAPI → API Dashboard (not via /oauth2/token). Send it as a plain string (no Bearer). Resetting it immediately invalidates all sessions.

Q2. What happens if I reset the token?

All active sessions break instantly. Re-login (TOTP → MPIN validate) to obtain new session token (Auth) and session sid (sid).

Q3. Demystify tokens: access token, view token, session token (trade token), view sid, session sid, neo-fin-key

• Access Token – From Neo dashboard. Used for login APIs and Quotes/Scripmaster.
• View Token + View SID – Returned by /login/1.0/tradeApiLogin (TOTP step).
• Session Token (aka Trade Token) + Session SID – Returned by /login/1.0/tradeApiValidate (MPIN step). Use these as Auth and sid headers for all post-login APIs.
• neo-fin-key – Always send neotradeapi (static) except in Quotes/Scripmaster, where it is not required.

⏱️ Login & baseUrl

Q4. What are the login endpoints (fixed)?

• TOTP Login: https://mis.kotaksecurities.com/login/1.0/tradeApiLogin
• MPIN Validate: https://mis.kotaksecurities.com/login/1.0/tradeApiValidate → returns baseUrl, session token (header Auth) and session sid (header sid).

Q5. Is baseUrl static or dynamic?

It’s stable for the day and even after that rarely changes. Always capture it after MPIN validate and use it for that session.

Q6. Which APIs need baseUrl?

All post-login APIs: Orders, Reports, Portfolio, Limits, Margins, Quotes, Scripmaster. (Only login endpoints are fixed.)

Q7. Show me how to replace {{baseUrl}} with a real example.