Guide to secure your SmartAPI Account with two factor authentication
-
How to enable Time-based One Time Password (TOTP) ? (one-time setup)
Step 1 - Visit smartapi.angelbroking.com/enable-totp
Step 2 - Enter your Angel One client id and trading terminal password or PIN
Step 3 - Enter OTP sent to Registered email & mobile. Once OTP is entered, you will see a QR code on the screen.
Step 4 - Open the authenticator app of your choice
Step 5 - Scan the QR code generated from our site on your authenticator app
How to login to SmartAPI using password and TOTP?
Once your authenticator app scans the QR code, it will automatically generate an authentication code (called TOTP) every 30 seconds. You are required to pass the TOTP code in our existing loginbypassword API endpoint (/rest/auth/angelbroking/user/v1/loginByPassword) by sending a new "totp" parameter via the request body.
The request parameters below illustrate how to send the client code, password and totp to authenticate and get the tokens:
{
"clientcode":"your_client_code",
"password":"your_password",
"totp":"enter_the_code_displayed_on_your_authenticator_app"
}
Is the new login flow supported via SDKs?
Yes. To support the login authentication flow using TOTP we have updated and released libraries for Python and Java. Same can be referred here -
Python - https://github.com/angel-one/smartapi-python
Totp changes have been deployed in the latest python release 1.3.0
Please use the following command to upgrade to the latest python release
pip install smartapi-python --upgrade
Java - https://github.com/angel-one/smartapi-java
- The latest jar version v2.0.0 containing login with totp changes has been released here - https://github.com/angel-one/smartapi-java/tree/main/dist
- Sample Java Code - https://github.com/angel-one/smartapi-java/blob/main/src/main/java/com/angelbroking/smartapi/sample/LoginWithTOTPSample.java
GOLANG - https://github.com/angel-one/smartapigo
What is 2FA?
Two-factor authentication (2FA) is a method of authentication using the following two factors:
- Knowledge factor, i.e. something only the user knows, like a password, PIN etc.
- Possession factor like OTP, authenticator apps etc
Why use it now?
The exchange vide circular ref no. NSE/COMP/52623 (https://www1.nseindia.com/content/circulars/COMP52623.pdf) has now mandated 2FA for login purposes from September 30, 2022
Which authenticator app to use?
Tested and recommended 2FA authentication applications:
- Google Authenticator
- Microsoft Authenticator
-
@admin How will I be able to automate the login flow using this method on the server?
-
@admin https://smartapi.angelbroking.com/enable-totp not opening
-
-
Nse circular does not say that you have to use TOTP. This process will make things complicated and orders may fail. Because before placing the orders, the bot/server will have to check if the TOTP is valid or not and then wait/refresh for the latest TOTP. And with 30 second hash
-
Simple solution is to have a one time otp for logging everyday.
-
-
@admin Should User Add OTP every day? if yes then I think it is the End of Trading using APIs because no one wants to do the Same Process Again and Again.
I think SEBI Circular is not Telling the OTP required for API Trading. it is only required to Login Account on a Web or Mobile App or Broker.
-
@admin One Solution is to Provide the TOTP Via API by Sending the Username & Password of User.
-
@gautamnaik1994 I Agree, need something to Automate the Process.
-
How to enable TOTP
-
-
@gautamnaik1994 If you are using python, you can use totp module to generate totp automatically
-
Using smart api-Angel Broker plugin, include following js file
<script src="https://smartapi.angelbroking.com/common/v1.js"></script>
then passing api key; <smartapi-login href="#" data-smartapi="<api-key>">Login</smartapi-login>
How to solve with this integration?
-
@admin not open link
-
@labeebta what should be the Secret Key to Generate TOTP?
-
@admin It already 13:00 and the link still does not work. How can I access the API ?
-
The link http://smartapi.angelbroking.com/enable-totp is not working @admin @administrators . Please help. already last 2 days your APIs never worked with all changes you did without proper testing.
Resolve this please.
-
-
@admin The site is working but OTP is not working or sent to the email.
-
Hi folks
If anyone is looking to automate the TOTP part, you can use the following Python sample. The secret here comes after validating on the enable-totp URL.
from smartapi import SmartConnect  # or: from smartapi.smartConnect import SmartConnect
import time
import pyotp
import smartapi.smartExceptions  # for smartExceptions

# create object of call
obj = SmartConnect(api_key="your api key here ")

# login api call
totp = pyotp.TOTP(s='secret key in qr uri after qr generation')
attempts = 5
while attempts > 0:
    attempts = attempts - 1
    data = obj.generateSession("Your client id ", "your password ", totp.now())
    # stop retrying as soon as the server no longer reports an invalid TOTP
    if 'Invalid totp' not in data['message']:
        break
    time.sleep(2)  # rate limiting might block if we try immediately
refreshToken = data['data']['refreshToken']
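An added example, not part of the original post and not Angel One's code: it shows where the "secret key in qr uri" comes from and how a server can avoid sending a code that is about to expire, instead of retrying after an "Invalid totp" reply. It assumes the QR code encodes a standard otpauth:// URI and that the server uses the common TOTP defaults (HMAC-SHA1, 6 digits, 30-second step); the sample URI, label and issuer are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test secret wrapped in an otpauth URI.
# Label and issuer are made up. A real secret is a credential: load it from
# a secrets store or environment variable, never from source code.
SAMPLE_URI = ("otpauth://totp/Example:CLIENT01"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_otpauth(uri):
    """Extract the base32 secret from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    secrets = parse_qs(parts.query).get("secret")
    if not secrets:
        raise ValueError("URI carries no secret parameter")
    return secrets[0]


def totp_at(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore padding
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def fresh_totp(secret_b32, now=None, min_remaining=5, step=30):
    """Return (code, wait_seconds) for a code with enough lifetime left."""
    # With fewer than min_remaining seconds left in the current window,
    # hand back the next window's code and the time to wait before sending.
    now = int(time.time()) if now is None else int(now)
    remaining = step - now % step
    if remaining >= min_remaining:
        return totp_at(secret_b32, now, step), 0
    return totp_at(secret_b32, now + remaining, step), remaining


if __name__ == "__main__":
    code, wait = fresh_totp(secret_from_otpauth(SAMPLE_URI))
    print("wait", wait, "s, then send totp =", code)
```

A caller sleeps for `wait_seconds` and then passes the returned code as the `totp` field of the login request.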
-
@gautamnaik1994 I have provided a sample code below. You can give it a shot. Worked for me.
-