🔑 Login Flow (fixed endpoints)

1) TOTP Login → returns viewToken + viewSid

curl -X POST "<https://mis.kotaksecurities.com/login/1.0/tradeApiLogin>" \\
  -H "Authorization: <access_token>" \\
  -H "neo-fin-key: neotradeapi" \\
  -H "Content-Type: application/json" \\
  -d '{
        "mobileNumber": "<+91XXXXXXXXXX>",
        "ucc": "<client_code>",
        "totp": "<6_digit_totp>"
      }'

2) MPIN Validate → returns session token (Auth) + session sid (Sid) + baseUrl

In your collection, viewSid and viewToken are sent as headers to this call.

curl -X POST "<https://mis.kotaksecurities.com/login/1.0/tradeApiValidate>" \\
  -H "Authorization: <access_token>" \\
  -H "neo-fin-key: neotradeapi" \\
  -H "sid: <viewSid_from_previous_step>" \\
  -H "Auth: <viewToken_from_previous_step>" \\
  -H "Content-Type: application/json" \\
  -d '{
        "mpin": "<mpin>"
      }'

📌 Response gives you:

baseUrl (use it for all post-login APIs)
Auth = session token
Sid = session sid

🔁 Using `baseUrl` (important)

If MPIN validate returned:

"baseUrl": "<https://neo-gw.kotaksecurities.com/xyz>"

and the spec shows:

{{baseUrl}}/quick/order/cancel

then your final URL is:

<https://neo-gw.kotaksecurities.com/xyz/quick/order/cancel>

👉 Just replace {{baseUrl}} with the returned string. No braces in the final URL.

🔑 Login Flow (fixed endpoints)

1) TOTP Login → returns viewToken + viewSid

2) MPIN Validate → returns session token (Auth) + session sid (Sid) + baseUrl

🔁 Using baseUrl (important)

🔁 Using `baseUrl` (important)