    Important Updates to SmartAPI in Compliance with SEBI Guidelines

      admin @openalgo last edited by

      @openalgo OAuth will be live soon, and for some time, it will be live alongside the current login process.

        shambhurao.rane last edited by

        I have created a new app and registered a static IP. However, I am not able to generate a session using the new client ID, as it says invalid client ID.

          projectSB @admin last edited by

          @admin What about the old APP? When I registered my static IP, I could not register it with my existing App. Is that expected?

            admin @Tushar22 last edited by

            @tushar22 As per the circular, only 1 API key can be used for non-registered, client-generated algos.

            By providing more API keys, it will be non-compliant with the circular.

              admin @admin last edited by

              Hello All,

              The changes will take place on 1st October 2025.

                Lakshay.kh @shambhurao.rane last edited by

                @admin @shambhurao-rane facing the same issue

                  hemanthkumar097 @Lakshay.kh last edited by

                  @lakshay-kh @admin Facing the same issue. I registered my app using a static IP, and I am getting this error message while creating a session. Response: {'message': 'Invalid apiKey', 'errorcode': 'AB1053', 'status': False, 'data': None}

                    StaticIP last edited by

                    @admin

                    Static IP Whitelisting Process - Potential Misuse and Suggested Improvements

                    Current Process Understanding:

                    • Users submit their static IP address through the broker's web portal
                    • System checks if the IP is already registered by another user
                    • If not registered, the IP gets successfully registered under the submitting user's name

                    Identified Issue:
                    The current implementation has a significant vulnerability where:

                    1. Intentional Misuse: Someone can deliberately register my IP address before I attempt to register
                    2. Accidental Entry: Users may mistakenly enter incorrect IP addresses, blocking legitimate owners
                    3. Dynamic IP Reassignment: If an IP was previously registered by another user and later assigned to me by my ISP, I cannot register despite being the legitimate current owner

                    Real-world Impact:

                    • Legitimate users are blocked from registering their own IP addresses
                    • No verification mechanism to confirm actual ownership/usage of the IP
                    • Potential for malicious blocking of competitors or other users

                    Suggested Solutions:

                    1. IP Ownership Verification Process

                    • Require users to access the registration portal FROM the IP address they wish to register
                    • Only allow registration when the request originates from the claimed IP address

                    2. API Call Verification

                    • Allow IP registration through web portal but mark as "Pending Verification"
                    • Require at least one successful API call from the registered IP within 24-48 hours to confirm registration
                    • Auto-expire unverified registrations after the timeout period

                    3. Active Usage Validation

                    • Implement periodic validation (monthly/quarterly) requiring API activity from registered IPs
                    • Auto-deregister IPs with no trading activity for extended periods
                    • Send advance notifications before deregistration

                    4. Dispute Resolution Mechanism

                    • Provide a process for users to claim ownership of their legitimate IP addresses
                    • Require documentation (ISP letters, network configuration proofs) for disputed IPs
                    • Allow override of existing registrations with proper verification

                    5. Enhanced Registration Flow

                    Step 1: User submits IP via web portal (from any location)
                    Step 2: System generates unique verification token
                    Step 3: User must access verification URL from the claimed IP address
                    Step 4: System confirms IP ownership and completes registration
                    

                    Questions for Clarification:

                    1. Is there any current mechanism to handle IP address disputes?
                    2. Can you implement real-time IP verification during the registration process?
                    3. Is there a possibility to add IP ownership validation through API calls?

                    Request:

                    Please consider implementing enhanced IP validation mechanisms to prevent misuse while ensuring legitimate users can register their IP addresses without unnecessary obstacles.
                    Looking forward to your response and potential improvements to this critical security process.

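A minimal sketch of the enhanced registration flow in StaticIP's post above (Steps 1-4, with the pending state and expiry from suggestion 2), added here as an illustration and not code from the broker or from any poster. The class and method names, the 48-hour TTL and the documentation-range sample addresses are assumptions; `peer_ip` stands for the address of the TCP connection as the server sees it, not a client-supplied header.

```python
import hashlib, hmac, ipaddress, secrets, time

PENDING_TTL = 48 * 3600  # assumption: upper end of the post's 24-48 hour window

def _norm(ip):
    return str(ipaddress.ip_address(ip))  # raises ValueError on malformed input

def _digest(token):
    return hashlib.sha256(token.encode()).digest()

class IPRegistry:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # (user, ip) -> (token digest, expiry); never blocks others
        self.verified = {}  # ip -> user; only this map grants ownership

    def submit(self, user, claimed_ip):
        """Steps 1-2: accept a claim from any location, return a one-time token."""
        ip = _norm(claimed_ip)
        if ip in self.verified:
            raise ValueError("IP already verified; use the dispute process")
        token = secrets.token_urlsafe(32)
        self.pending[(user, ip)] = (_digest(token), self.clock() + PENDING_TTL)
        return token

    def verify(self, user, token, peer_ip):
        """Steps 3-4: succeed only if the request arrives from the claimed IP."""
        key = (user, _norm(peer_ip))  # peer_ip = address of the TCP connection
        entry = self.pending.get(key)
        if entry is None:
            return False              # no claim by this user for the calling IP
        digest, expires = entry
        if self.clock() > expires:
            del self.pending[key]     # auto-expire unverified registrations
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False
        self.verified[key[1]] = user
        for stale in [k for k in self.pending if k[1] == key[1]]:
            del self.pending[stale]   # drop every competing claim on this IP
        return True

if __name__ == "__main__":
    reg = IPRegistry()
    squat = reg.submit("mallory", "203.0.113.10")   # constructed sample addresses
    mine = reg.submit("alice", "203.0.113.10")
    print(reg.verify("mallory", squat, "198.51.100.7"))  # wrong source IP
    print(reg.verify("alice", mine, "203.0.113.10"))     # request from claimed IP
    print(reg.verified)
```

Because a pending claim is keyed per user and grants nothing until verified, a claim filed by someone who does not control the address cannot block the account that does.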
                      projectSB @StaticIP last edited by

                      @staticip Very good observation! The very concept of Static IP registration means painting a bull's-eye on the user for DDoS attacks by bad actors.

                        projectSB last edited by

                        @admin - In the context of Static IPs, can multiple clients have SAME static IPs? (rest being unique, like API secret etc.)

                        A lot of people might be trading via 3rd party Algo providers (like Tradetron, AlgoTest etc.)? That is, 1 system (IP) can be executing orders for multiple clients.
                        What about them? Will it work?

                          Tanay1907 last edited by

                          Where do I have to add these IP addresses? Please help me with that. I checked the API page and couldn't find it.

                            ctrade @StaticIP last edited by

                            @staticip What about those who use SmartAPI from abroad? Will this affect those users who stay outside India, with IP addresses outside India?
