Important Updates to SmartAPI in Compliance with SEBI Guidelines

KC

Why is cancel order API also impacted?

admin

@staticip

The Addition of Static IP is live in the portal.

We have not yet kept static IP mandatory, but users can register their static IP by Logging in to SmartAPI -> My Profile -> My APIs (new)

admin

@hemanthkumar097 said in Important Updates to SmartAPI in Compliance with SEBI Guidelines:

rader with rate limits less than 10 orders per second (M

Yes, you would still need a static IP, you will not need to register your algo with the exchange.

admin

@kc Cancel orders API also goes to the exchange. To avoid any kind of impact at the exchange, we have kept a OPS of 10 on cancel order too.

Lakshay.kh

@admin Is it mandatory to add Static IP in existing API before 1st August 2025, if so then please let me know how to add one in existing API. I guess by Logging in to SmartAPI -> My Profile -> My APIs (new) we can add static IP to new API's and not to the existing API

openalgo

Dear SmartAPI Team,

Thank you for the important update.

I have a few queries regarding the new OAuth implementation:

Where can I find the OAuth documentation? Will it be published on the current API docs portal?

How long will the old login flow (API key + secret) continue to work? Is there a grace period before deprecation?

Is the new OAuth login flow mandatory from 1st August 2025, or will both flows be supported for some time during the transition?

A brief clarification on the timeline for phasing out the old login method will help us plan our migration accordingly.

Thanks in advance for your support.

Best regards,
Rajandran R

Tushar22

@admin
I have visited the new section for static ip where I found few things and have certain requests to make and questions to ask which are as follows:

1. Only one (1) api app can be created with a unique primary static ip. Say for instance, if I create a second app with same primary static ip, then it is not proceeding further and stating "Primary static IP is already associated with another app."
   Kindly allow all app which are created to have same primary static ip as different apps are used in different scripts for different purposes. However you can keep a OPS requirement check on account level as it won't be possible for a single person to have multiple static ips for multiple apps.

2. Earlier we could create n number of api apps, however I noticed that there is now a restrictions of max 5 api apps with static ip. Request you to remove the restrictions and make it as it was earlier where we could create multiple api apps.

3. Majorly I require different api apps for historical data extraction in different scripts. So could it be done that static ip requirement can be there for order placement/ modifications / cancelling and no static ip requirement for api calls other than orders such as historical data or websocket.
   This can be implemented if you keep the older api app live where all api calls other than order related calls work as before and for anything realted to orders are to be done through new static ip api apps.

Hereby I request SmartApi Team to consider my suggestions and make the necessary updates as suggested to smooth flow of working along with complying with SEBI's and NSE's guidelines.

Thanks. Waiting for an early affirmative and supportive response.

admin

@lakshay-kh The deadline in the new circular is for 1st October. So it is not mandatory as of now.

But do keep a static IP handy, and register it before the deadline to avoid any last minute hiccups.

admin

@openalgo OAuth will be live soon, and for some time, it will be live along the current login process.

shambhurao.rane

I have created new app and registered a static IP. However the I am not able to generate session using new client ID as it says invalid client ID.

projectSB

@admin What about the old APP? When I registered my static IP, I could not register it with my existing App. Is that expected?

admin

@tushar22 As per the circular, only 1 API key can be used for non registered, client generated algos.

By providing more API keys, it will be non compliant with the circular.

admin

Hello All,

The changes will take place on 1st October 2025.

Lakshay.kh

@admin @shambhurao-rane facing the same issue

hemanthkumar097

@lakshay-kh @admin Facing the same issue i registered my app using static ip i getting the error message while creating session Response: {'message': 'Invalid apiKey', 'errorcode': 'AB1053', 'status': False, 'data': None}

StaticIP

@admin

Static IP Whitelisting Process - Potential Misuse and Suggested Improvements

Current Process Understanding:

• Users submit their static IP address through the broker's web portal
• System checks if the IP is already registered by another user
• If not registered, the IP gets successfully registered under the submitting user's name

Identified Issue:
The current implementation has a significant vulnerability where:

1. Intentional Misuse: Someone can deliberately register my IP address before I attempt to register
2. Accidental Entry: Users may mistakenly enter incorrect IP addresses, blocking legitimate owners
3. Dynamic IP Reassignment: If an IP was previously registered by another user and later assigned to me by my ISP, I cannot register despite being the legitimate current owner

Real-world Impact:

• Legitimate users are blocked from registering their own IP addresses
• No verification mechanism to confirm actual ownership/usage of the IP
• Potential for malicious blocking of competitors or other users

Suggested Solutions:

1. IP Ownership Verification Process

• Require users to access the registration portal FROM the IP address they wish to register
• Only allow registration when the request originates from the claimed IP address

2. API Call Verification

• Allow IP registration through web portal but mark as "Pending Verification"
• Require at least one successful API call from the registered IP within 24-48 hours to confirm registration
• Auto-expire unverified registrations after the timeout period

3. Active Usage Validation

• Implement periodic validation (monthly/quarterly) requiring API activity from registered IPs
• Auto-deregister IPs with no trading activity for extended periods
• Send advance notifications before deregistration

4. Dispute Resolution Mechanism

• Provide a process for users to claim ownership of their legitimate IP addresses
• Require documentation (ISP letters, network configuration proofs) for disputed IPs
• Allow override of existing registrations with proper verification

5. Enhanced Registration Flow

Step 1: User submits IP via web portal (from any location)
Step 2: System generates unique verification token
Step 3: User must access verification URL from the claimed IP address
Step 4: System confirms IP ownership and completes registration

Questions for Clarification:

1. Is there any current mechanism to handle IP address disputes?
2. Can you implement real-time IP verification during the registration process?
3. Is there a possibility to add IP ownership validation through API calls?

Request:

Please consider implementing enhanced IP validation mechanisms to prevent misuse while ensuring legitimate users can register their IP addresses without unnecessary obstacles.
Looking forward to your response and potential improvements to this critical security process.