Authentication
Authentication is the first step before you can use the APIs for market data, orders, portfolios, alerts, and more. NinjaFox supports multiple secure login methods including SSO, password + OTP, and QR/biometric login.
To get started, register your account in the middleware, which requires a User ID, email, mobile number and PAN.
SSO based Authentication
Single Sign-On (SSO) authentication allows users to securely log in to multiple applications using a single set of credentials. Instead of entering a username and password separately for each system, the user authenticates once through a central identity provider (IdP). The IdP then issues a secure authentication token or code (e.g., authCode) that is validated by the target application.
In API-based workflows, the client passes:
- A vendorID to identify the requesting system.
- An authCode (issued by the IdP) to confirm the user's identity.
SSO Login
| Method | APIS | Detail |
|---|---|---|
| POST | sso/vendor/auth/getUserDetails | Get user Detail |
Get SSO Redirection URL
This API is used to authenticate a user using SSO (Single Sign-On) by passing a valid authCode received from the identity provider (e.g., via QR code or redirect) along with a registered vendor ID. On success, it returns the user's basic profile and session information.
Get User Detail
This API is used to authenticate a user using SSO (Single Sign-On) by passing a valid authCode received from the identity provider (e.g., via QR code or redirect) along with a registered vendor ID. On success, it returns the user's basic profile and session information.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| vendor | String | Unique identifier assigned to the application/system initiating SSO login. |
| authCode | String | Code received from the identity provider via redirect, used to authenticate the session. |
Response Structure
Response parameters
| Field | Type | Description |
|---|---|---|
| stat | String | General status of the API call (e.g., "Ok"). |
| clientId | String | The unique identifier for the client/user (e.g., "TEST101"). |
| userSession | String (JWT Token) | A JWT (JSON Web Token) which is used for authentication and authorization in further API calls. Contains encoded user identity and roles. |
Login
| Method | APIS | Detail |
|---|---|---|
| Post | access/client/verify | Verify User |
| Post | access/pwd/validate | Validate password |
| Post | access/otp/send | Resend OTP |
| Post | access/otp/validate | Validate OTP |
| Post | /access/scanner/generate | Register TOTP |
| Post | /access/scanner/get | Generate TOTP key |
| Post | access/topt/verify | Verify TOTP |
Verify User
The Verify Client API is used to validate whether a client’s credentials (User ID, Mobile Number, or Email Address) already exist in the broker’s system. This verification step determines the appropriate next action in the authentication flow—either allowing the client to proceed to the Password Entry Page (for existing users) or redirecting them to the Registration Page (for new users).
Request Structure
{
"UserIdentity": "ABC123",
"osName": "WEBEXTERNAL",
"IsPANEntered": "N",
"DeviceID": "24b49d127a81474bfbdd3e20e5b0ee24"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| UserIdentity | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| osName | String | Source of the request, such as platform or channel. |
| IsPANEntered | String | Indicates whether the login is via PAN: 'Y' or 'N'. |
| DeviceID | String | Unique device identifier for tracking and security. |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": [
{
"ClientCode": "DVJ6550",
"DeviceBindingStatus": "N",
"IsSecureKeySet": "N",
"ClientName": "SOMU MONISH",
"AccountStatus": "Active",
"isExist": true,
"isPasswordSet": false
}
]
}
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Descriptive message about the API response. |
| status | String | Indicates the overall API call result. Typically "Ok" for successful calls. |
| result | array | Contains client-specific details returned from the broker system. |
| ClientCode | String | Unique identifier assigned to the client |
| DeviceBindingStatus | String | "Y" if the device is bound to the client; "N" if not. |
| IsSecureKeySet | String | "Y" if a secure key is configured; "N" if not |
| ClientName | String | Full name of the client as registered in the broker system. |
| AccountStatus | string | Current status of the client’s account (e.g., "Active", "Inactive"). |
| isExist | boolean | true if the client exists in the system. |
| isPasswordSet | boolean | true if the client has set a password; false if not. |
Validate Password
The Validate Password API is used to authenticate a user by verifying their credentials and device/application details during login.
Request Structure
{
"userId":"<USER_ID>",
"password":"Password",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"versionNo": "1.0.0.1.4",
"appName": "<Broker Name>",
"source": "MOB",
"osName": "MOBIOS"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| password | String | The password associated with the user's account. Used to authenticate the client. |
| deviceId | String | Unique ID of the device used for login. |
| versionNo | String | Version number of the app or platform being used. |
| appName | String | Name of the application (e.g., Broker Name) |
| source | String | Source of the request (e.g., MOB, WEB, API) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"message": "An OTP has been sent to your registered Mobile Number and email.",
"status": "Success",
"userId": "XXXXXXX",
"emailId": "mo************in",
"mobileNumber": "95******84",
"resendOtpAfter": "60",
"resendOtpCountsLeft": "4",
"isTOtpAvailable": false,
"token": "XXXXXXX"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Message confirming OTP sent to registered mobile and email. |
| status | String | Status of the request (e.g., "Success", "Failed"). |
| userId | String | Masked user ID. |
| emailId | String | Masked registered email ID. |
| mobileNumber | String | Masked registered mobile number. |
| resendOtpAfter | String | Time in seconds after which the user is allowed to resend the OTP. |
| resendOtpCountsLeft | String | Number of OTP resend attempts remaining. |
| isTOtpAvailable | boolean | Indicates whether Time-based OTP (TOTP) is enabled (true or false). |
| token | String | Temporary token to be used for OTP verification in the next API call. |
Resend OTP
The Resend OTP API is used to send a new One-Time Password (OTP) to the user’s registered mobile number and/or email in case the previous OTP was not received or expired.
Request Structure
{
"userId":"<USER_ID>",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"versionNo": "1.0.0.1.4",
"appName": "RMONEY",
"osName": "MOBIOS"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| deviceId | String | Unique ID of the device used for login. |
| versionNo | String | Version number of the app or platform being used. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"message": "An OTP has been sent to your registered Mobile Number and email.",
"status": "Success",
"userId": "XXXXXX",
"emailId": "mo************in",
"mobileNumber": "95******84",
"resendOtpAfter": "60",
"resendOtpCountsLeft": "4",
"isTOtpAvailable": false
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Message confirming OTP sent to registered mobile and email. |
| status | String | Status of the request (e.g., "Success", "Failed"). |
| userId | String | Masked user ID. |
| emailId | String | Masked registered email ID. |
| mobileNumber | String | Masked registered mobile number. |
| resendOtpAfter | String | Time in seconds after which the user is allowed to resend the OTP. |
| resendOtpCountsLeft | String | Number of OTP resend attempts remaining. |
| isTOtpAvailable | boolean | Indicates whether Time-based OTP (TOTP) is enabled (true or false). |
Validate OTP
Verifies the OTP (One-Time Password) received by the user on their registered mobile number or email during login.
Request Structure
{
"userId":"<USER_ID>",
"receivedOtp": "123456",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY",
"osName": "MOBIOS",
"source":"API",
"vendor":"QYPdhBfGbfsSOFb"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| receivedOtp | String | OTP received by the user that needs to be validated. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
| source | String | Source of the request (e.g., "API", "WEB", "MOBILE"). |
| vendor | String | Vendor code or identifier for internal tracking (e.g., partner/vendor name). |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"success": "Success",
"serverDate": "2025-06-17 12:49:53",
"clientType": "ACTIVE",
"versionChanged": "N",
"bulkOrderAllowed": "Y",
"runningAuthorization": "Y",
"clientName": "saranya",
"passwordChangeMessage": "NA",
"poaStatus": "",
"ckycStatus": "ACTIVE",
"isDormant": "N",
"roleDescription": "NA",
"isCommIntraAllowed": "N",
"isVtdAllowed": "N",
"isAliasOrderAllowed": "N",
"isDemoTrial": "N",
"userRole": "ACTIVE",
"message": "NA",
"status": "ACTIVE",
"passChangeFlag": "N",
"allowNseCash": "Y",
"allowNseFo": "Y",
"allowNcdex": "Y",
"allowBseFo": "Y",
"allowBseCash": "Y",
"allowMcxComm": "Y",
"allowNseCurrency": "Y",
"allowBseCurrency": "Y",
"allowBseYComm": "Y",
"allowNSEYComm": "Y",
"nseCurrViewRights": "Y",
"nseCashViewRights": "Y",
"nseFoViewRights": "Y",
"bseCashViewRights": "Y",
"bseFoViewRights": "Y",
"ncdexViewRights": "Y",
"mcxCommViewRights": "Y",
"bseCurrViewRights": "Y",
"bseCommViewRights": "Y",
"nseCommViewRights": "Y",
"accessToken": "XXXXXXXXX",
"redirectUrl": "https://webuat.rmoneyindia.co.in/admin/#/?authcode=0ZAFF21SJ32V9A7PCYKP&clientid=TEST102",
"userId": "XXXXXXXX",
"isAuthorized": false
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| success | String | Indicates success of the operation. |
| serverDate | String | Server timestamp in YYYY-MM-DD HH:mm:ss format. |
| clientType | String | Type of client status (e.g., "ACTIVE", "INACTIVE"). |
| versionChanged | String | Flag to check if the app version needs to be updated ("Y" or "N"). |
| bulkOrderAllowed | String | Whether the user can place bulk orders ("Y" or "N"). |
| runningAuthorization | String | Indicates if session authorization is in progress ("Y" or "N"). |
| clientName | String | Name of the logged-in client. |
| passwordChangeMessage | String | Message related to password change requirement or status. |
| poaStatus | String | Status of Power of Attorney (if applicable). |
| ckycStatus | String | CKYC (Central KYC) verification status. |
| isDormant | String | Indicates whether the account is dormant ("Y" or "N"). |
| roleDescription | String | Description of user role (if any). |
| isCommIntraAllowed | String | Intra-commodity trading permission. |
| isVtdAllowed | String | Indicates if Virtual Trading Desk access is allowed. |
| isAliasOrderAllowed | String | Flag for alias order feature access. |
| isDemoTrial | String | Whether the user is on a demo/trial account. |
| userRole | String | Role assigned to user (e.g., "ACTIVE", "GUEST"). |
| message | String | Additional message field (if any). |
| status | String | Status of user (usually same as clientType). |
| passChangeFlag | String | Flag indicating if password change is required. |
| allowNseCash | String | Access to NSE Cash segment ("Y"/"N"). |
| allowNseFo | String | Access to NSE Futures & Options. |
| allowNcdex | String | Access to NCDEX commodities. |
| allowBseFo | String | Access to BSE Futures & Options. |
| allowBseCash | String | Access to BSE Cash. |
| allowMcxComm | String | Access to MCX commodities. |
| allowNseCurrency | String | Access to NSE currency market. |
| allowBseCurrency | String | Access to BSE currency market. |
| allowBseYComm | String | Access to BSE Yield Commodities. |
| allowNSEYComm | String | Access to NSE Yield Commodities. |
| nseCurrViewRights | String | Can view NSE currency market. |
| nseCashViewRights | String | Can view NSE cash market. |
| nseFoViewRights | String | Can view NSE F&O market. |
| bseCashViewRights | String | Can view BSE cash market. |
| bseFoViewRights | String | Can view BSE F&O market. |
| ncdexViewRights | String | Can view NCDEX. |
| mcxCommViewRights | String | Can view MCX. |
| bseCurrViewRights | String | Can view BSE currency. |
| bseCommViewRights | String | Can view BSE commodities. |
| nseCommViewRights | String | Can view NSE commodities. |
| accessToken | String | JWT token used for authenticated API requests. |
| userId | String | Unique user ID. |
| isAuthorized | boolean | Whether user is authorized for further actions. |
Register TOTP
The Register TOTP API is used to enroll a client in Time‑based One‑Time Password (TOTP) authentication. This step generates and binds a secure TOTP secret to the client’s account, enabling them to use authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) for two‑factor authentication.
Request Structure
{
"userId":"<USER_ID>",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY",
"osName": "MOBIOS"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"message": "An OTP has been sent to your registered Mobile Number and email.",
"status": "Success",
"userId": "DVJ6559",
"emailId": "sa**********************in",
"mobileNumber": "86******91",
"resendOtpAfter": "60",
"resendOtpCountsLeft": "4",
"isTOtpAvailable": false
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| status | String | Overall API call result (Ok, Error). |
| message | String | General message describing the outcome of the API call. |
| result | object | Contains details about the OTP delivery and client information |
| result.message | String | Human‑readable message confirming OTP delivery |
| userId | String | Unique identifier of the client (e.g., ABC123). |
| emailId | String | Masked email address where OTP has been sent. |
| mobileNumber | String | Masked mobile number where OTP has been sent. |
| resendOtpAfter | String | Time in seconds before the client can request another OTP. |
| resendOtpCountsLeft | String | Number of OTP resend attempts remaining. |
| isTOtpAvailable | boolean | Indicates if TOTP (Time‑based OTP) is available for the client (true/false). |
Generate TOTP Key
Generates a scannable QR code and otpauth:// URI for enrolling a client in TOTP (Time‑based One‑Time Password) authentication. The QR code encodes the TOTP secret and metadata (issuer, account name, algorithm, digits, period) for use with authenticator apps.
Request Structure
{
"userId": "DVJ6559",
"receivedOtp": "123456",
"deviceId": "24b49d127a81474bfbdd3e20e5b0ee24",
"appName": "RMONEY",
"osName": "WEBEXTERNAL",
"source": "WEB"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
| source | String | Source of the request (e.g., "API", "WEB", "MOBILE"). |
| receivedOtp | String | OTP entered by client |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"status": "Success",
"message": "Success",
"tOtpEnabled": false,
"scanImge": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAGQAQAAAACoxAthAAACHElEQVR4Xu2TS5IDIQxDuQH3vyUAElFTkSuQmCC",
"secKey": "SQKNYZGZBTNAFOQXMLRNRSVKUNA"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| status | String | Overall API call result (Ok, Error). |
| message | String | General message describing the outcome of the API call. |
| result | object | Contains details about the OTP delivery and client information |
| result.message | String | Human‑readable message confirming OTP delivery |
| tOtpEnabled | boolean | Indicates whether TOTP is currently enabled for the client (true/false). |
| scanImge | String | Base64‑encoded PNG image of the QR code. Can be rendered directly in the UI for scanning with an authenticator app. |
| secKey | String | Base32‑encoded secret key used for generating TOTP codes. Must be stored securely and never exposed in logs. |
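
The `secKey` note above, together with the `accessToken`, `token` and `redirectUrl` fields returned by the earlier calls, is easiest to honour with a scrubber applied to every payload before it reaches a log sink. The following is an added example, not code from NinjaFox: the helper names, the `[REDACTED]` mask and the `broker.example` host are assumptions, and the sample payload is constructed. It also covers the case shown in the sample `redirectUrl`, where `authcode` sits after the `#` and a query-string-only scrubber would miss it.

```python
import json
import re
from urllib.parse import urlsplit

MASK = "[REDACTED]"  # hypothetical mask value

# Field names taken from the request/response tables on this page,
# compared case-insensitively.
SENSITIVE_KEYS = frozenset(k.lower() for k in (
    "password", "receivedOtp", "otp", "totp", "pan", "token",
    "accessToken", "userSession", "authCode", "secKey", "scanImge",
))

# Match on the raw string: in the sample redirectUrl the parameter lives in
# the fragment (".../admin/#/?authcode=...&clientid=..."), not in the query.
_URL_AUTHCODE = re.compile(r"(?i)([?&]authcode=)[^&#\s]*")


def authcode_location(url):
    """Report where an authcode parameter sits in a URL (diagnostic helper)."""
    parts = urlsplit(url)
    if "authcode=" in parts.query.lower():
        return "query"
    if "authcode=" in parts.fragment.lower():
        return "fragment"
    return None


def redact(value, key=None):
    """Return a copy of a decoded JSON payload that is safe to log."""
    if key is not None and key.lower() in SENSITIVE_KEYS:
        return MASK                      # mask the whole value, whatever its type
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):           # scrub auth codes embedded in URLs
        return _URL_AUTHCODE.sub(lambda m: m.group(1) + MASK, value)
    return value


def log_line(endpoint, payload):
    """Serialise a request or response for logging with secrets removed."""
    return json.dumps({"endpoint": endpoint, "payload": redact(payload)},
                      sort_keys=True)


# Constructed sample shaped like the Validate OTP and Generate TOTP Key
# responses; none of these values come from a real account.
SAMPLE_RESPONSE = {
    "status": "Ok",
    "result": {
        "clientName": "constructed user",
        "accessToken": "CONSTRUCTED.JWT.VALUE",
        "redirectUrl": "https://broker.example/admin/#/?authcode=CONSTRUCTEDCODE&clientid=TEST102",
        "secKey": "CONSTRUCTEDBASE32KEY",
        "scanImge": "data:image/png;base64,CONSTRUCTED",
        "isAuthorized": False,
    },
}

if __name__ == "__main__":
    print(log_line("access/otp/validate", SAMPLE_RESPONSE))
```
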
Verify TOTP
TOTP (Time-based One-Time Password) is a form of Two-Factor Authentication (2FA) that generates a unique, time-sensitive code used to verify a user's identity.
Request Structure
{
"userId":"<USER_ID>",
"totp": "123456",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY",
"osName": "MOBIOS"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| totp | String | 6-digit TOTP from authenticator app (time-sensitive). |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
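
How the `totp` value relates to the enrolled secret, as an added example that is not part of the NinjaFox documentation: it parses an otpauth:// enrollment URI, decodes the Base32 secret, computes the RFC 6238 code and fills the Verify TOTP request body with the field names from the table above. The URI layout follows the common authenticator-app convention and is an assumption about what this API encodes in its QR code; the sample URI is constructed around the RFC 6238 test key, and the function names are hypothetical.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit


def decode_base32_secret(sec_key):
    """Decode a Base32 secret the way authenticator apps do: ignore case,
    spaces and missing '=' padding, but reject malformed input."""
    cleaned = sec_key.replace(" ", "").upper().rstrip("=")
    if not cleaned or len(cleaned) % 8 in (1, 3, 6):
        raise ValueError("not a valid Base32 secret length")
    try:
        return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret contains non-Base32 characters") from exc


def parse_otpauth_uri(uri):
    """Extract the enrollment parameters from an otpauth://totp/... URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(parts.path.lstrip("/"))        # "Issuer:account"
    issuer, _, account = label.rpartition(":")
    return {
        "issuer": query.get("issuer", issuer),
        "account": account.strip(),
        "secret": decode_base32_secret(query["secret"]),
        "algorithm": query.get("algorithm", "SHA1").lower(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def totp(secret, at, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 code for Unix time `at` (pass time.time() in real use)."""
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported TOTP algorithm")
    counter = struct.pack(">Q", int(at) // period)  # 8-byte big-endian step
    mac = hmac.new(secret, counter, algorithm).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(at, period=30):
    """Seconds until the current code expires; wait for the next one if low."""
    return period - int(at) % period


def build_verify_totp_request(user_id, device_id, params, at,
                              app_name="RMONEY", os_name="WEBEXTERNAL"):
    """Body for the Verify TOTP call, using the field names from this page."""
    code = totp(params["secret"], at, params["digits"],
                params["period"], params["algorithm"])
    return {"userId": user_id, "totp": code, "deviceId": device_id,
            "appName": app_name, "osName": os_name}


# Constructed enrollment URI; the secret is the RFC 6238 test key
# ("12345678901234567890" in Base32), not a real account secret.
SAMPLE_URI = ("otpauth://totp/RMONEY:ABC123"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=RMONEY&algorithm=SHA1&digits=6&period=30")

if __name__ == "__main__":
    enrolled = parse_otpauth_uri(SAMPLE_URI)
    print(build_verify_totp_request("ABC123", "constructed-device-id", enrolled, 59))
```
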
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"success": "Success",
"serverDate": "2025-06-17 17:47:42",
"clientType": "ACTIVE",
"versionChanged": "N",
"bulkOrderAllowed": "Y",
"runningAuthorization": "Y",
"clientName": "saranya",
"passwordChangeMessage": "NA",
"poaStatus": "",
"ckycStatus": "ACTIVE",
"isDormant": "N",
"roleDescription": "NA",
"isCommIntraAllowed": "N",
"isVtdAllowed": "N",
"isAliasOrderAllowed": "N",
"isDemoTrial": "N",
"userRole": "ACTIVE",
"message": "NA",
"status": "ACTIVE",
"passChangeFlag": "N",
"allowNseCash": "Y",
"allowNseFo": "Y",
"allowNcdex": "Y",
"allowBseFo": "Y",
"allowBseCash": "Y",
"allowMcxComm": "Y",
"allowNseCurrency": "Y",
"allowBseCurrency": "Y",
"allowBseYComm": "Y",
"allowNSEYComm": "Y",
"nseCurrViewRights": "Y",
"nseCashViewRights": "Y",
"nseFoViewRights": "Y",
"bseCashViewRights": "Y",
"bseFoViewRights": "Y",
"ncdexViewRights": "Y",
"mcxCommViewRights": "Y",
"bseCurrViewRights": "Y",
"bseCommViewRights": "Y",
"nseCommViewRights": "Y",
"accessToken": "XXXXXXXXX",
"userId": "XXXXXXXX",
"isAuthorized": false
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| success | String | Indicates success of the operation. |
| serverDate | String | Server timestamp in YYYY-MM-DD HH:mm:ss format. |
| clientType | String | Type of client status (e.g., "ACTIVE", "INACTIVE"). |
| versionChanged | String | Flag to check if the app version needs to be updated ("Y" or "N"). |
| bulkOrderAllowed | String | Whether the user can place bulk orders ("Y" or "N"). |
| runningAuthorization | String | Indicates if session authorization is in progress ("Y" or "N"). |
| clientName | String | Name of the logged-in client. |
| passwordChangeMessage | String | Message related to password change requirement or status. |
| poaStatus | String | Status of Power of Attorney (if applicable). |
| ckycStatus | String | CKYC (Central KYC) verification status. |
| isDormant | String | Indicates whether the account is dormant ("Y" or "N"). |
| roleDescription | String | Description of user role (if any). |
| isCommIntraAllowed | String | Intra-commodity trading permission. |
| isVtdAllowed | String | Indicates if Virtual Trading Desk access is allowed. |
| isAliasOrderAllowed | String | Flag for alias order feature access. |
| isDemoTrial | String | Whether the user is on a demo/trial account. |
| userRole | String | Role assigned to user (e.g., "ACTIVE", "GUEST"). |
| message | String | Additional message field (if any). |
| status | String | Status of user (usually same as clientType). |
| passChangeFlag | String | Flag indicating if password change is required. |
| allowNseCash | String | Access to NSE Cash segment ("Y"/"N"). |
| allowNseFo | String | Access to NSE Futures & Options. |
| allowNcdex | String | Access to NCDEX commodities. |
| allowBseFo | String | Access to BSE Futures & Options. |
| allowBseCash | String | Access to BSE Cash. |
| allowMcxComm | String | Access to MCX commodities. |
| allowNseCurrency | String | Access to NSE currency market. |
| allowBseCurrency | String | Access to BSE currency market. |
| allowBseYComm | String | Access to BSE Yield Commodities. |
| allowNSEYComm | String | Access to NSE Yield Commodities. |
| nseCurrViewRights | String | Can view NSE currency market. |
| nseCashViewRights | String | Can view NSE cash market. |
| nseFoViewRights | String | Can view NSE F&O market. |
| bseCashViewRights | String | Can view BSE cash market. |
| bseFoViewRights | String | Can view BSE F&O market. |
| ncdexViewRights | String | Can view NCDEX. |
| mcxCommViewRights | String | Can view MCX. |
| bseCurrViewRights | String | Can view BSE currency. |
| bseCommViewRights | String | Can view BSE commodities. |
| nseCommViewRights | String | Can view NSE commodities. |
| accessToken | String | JWT token used for authenticated API requests. |
| userId | String | Unique user ID. |
| isAuthorized | boolean | Whether user is authorized for further actions. |
Unblock and Forget Password
Base URL: https://webuat.rmoneyindia.co.in/auth/v1/
| Method | APIS | Detail |
|---|---|---|
| Post | access/client/unblock | Unblock Account |
| Post | access/client/unblock/verify | Verify Unblock |
| Post | access/pwd/forgot | Forget Password |
| Post | access/pwd/forgot/verify | Verify Forget Password |
| Post | access/pwd/reset | Reset Password |
Unblock Account
Unblocks a user's account after it has been temporarily locked (e.g., due to multiple failed login attempts, security reasons, etc.).
Request Structure
{
"userId": "XXXXXX",
"pan": "XXXXXXX",
"osName": "MOBIOS",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| pan | String | PAN number of the user (Permanent Account Number). Used for identity validation. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"message": "An OTP has been sent to your registered Mobile Number and email.",
"status": "Success",
"userId": "XXXXXX",
"emailId": "go*****************in",
"mobileNumber": "98******90",
"resendOtpAfter": "60",
"resendOtpCountsLeft": "4",
"isTOtpAvailable": false,
"token": "1T6C5K4RAOPJC9X6SQL0SQ0HGU1HVHUZ3MBBNRDPMQ3SN0VYUY1O68ZK3ZMYH4TC86D0R2D37TYZCUTJRGSW5HHR8P0S33EQF7Y6Q75LWYT8P2VMH2LQL3TCICWK9A2E8ZDMT24HHL2OMC9SCMQEEFEDNXWCU7A9BWGXJJJW0NWQ611HIU549QAH2GESUS1X6GRDNR5MR1MMF3KE17MZHFUMWF2Z55N529W12J207FUWJUOQQC9D2JY21V94ZPYD"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Confirmation message indicating the OTP was sent. |
| status | String | Status of the OTP request (e.g., "Success"). |
| userId | String | Unique identifier for the user (e.g., "TEST112"). |
| emailId | String | Masked email address where the OTP was sent. |
| mobileNumber | String | Masked mobile number where the OTP was sent. |
| resendOtpAfter | String | Time in seconds to wait before another OTP can be requested (e.g., "60"). |
| resendOtpCountsLeft | String | Number of remaining times the user can request to resend the OTP (e.g., "4"). |
| isTOtpAvailable | boolean | Indicates if Time-based OTP (TOTP) is available for the user (e.g., false). |
| token | String | A long alphanumeric String (possibly JWT or session token) used for authentication/authorization in the next step of the process. |
Verify Unblock
Verifies the OTP or confirmation for unblocking a user’s account after an unblock request has been initiated. This step ensures the user is authorized to unblock the account.
Request Structure
{
"userId": "XXXXXX",
"otp": "589992",
"osName": "MOBIOS",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| otp | String | OTP received by the user that needs to be validated. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"status": "Success",
"message": "User unblocked successfully"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| status | String | Operation status indicating the outcome of the unblocking request (e.g., "Success"). |
| message | String | Specific message about the result (e.g., "User unblocked successfully"). |
Forget Password
Initiates the password reset process for a user who has forgotten their password. This typically sends an OTP to the user's registered mobile number or email.
Request Structure
{
"userId": "XXXXXXX",
"pan": "XXXXXXXXX",
"osName": "MOBIOS",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| pan | String | PAN number of the user (Permanent Account Number). Used for identity validation. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"message": "An OTP has been sent to your registered Mobile Number and email.",
"status": "Success",
"userId": "XXXXXXX",
"emailId": "go*****************in",
"mobileNumber": "98******90",
"resendOtpAfter": "60",
"resendOtpCountsLeft": "4",
"isTOtpAvailable": false,
"token": "BJ462XW4D4FO0CS6SI7F9O2UO6YN5KJRRSB0WB6A785NFWBT3DQUZZZ5VLONS3E3EIWIHF1LL83M0QHBBVEWVGCAHQVDDVQCJKEJEU129M09YYAJVTKRCGXPFEH4UM08VF0G8OCL0TZ2MUK9D05ZZIP9WROD1SG1ZTDH0H8NHHBH1BP53BLA6GJS9J10J0FU4NSUYDIROUTKWP100K6N1MS1SNO1CZCU58LTIIMH7I7HJN4AOSFJGEHIY40EDLUY"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Confirmation message indicating the OTP was sent. |
| status | String | Status of the OTP request (e.g., "Success"). |
| userId | String | Unique identifier for the user (e.g., "TEST112"). |
| emailId | String | Masked email address where the OTP was sent. |
| mobileNumber | String | Masked mobile number where the OTP was sent. |
| resendOtpAfter | String | Time in seconds to wait before another OTP can be requested (e.g., "60"). |
| resendOtpCountsLeft | String | Number of remaining times the user can request to resend the OTP (e.g., "4"). |
| isTOtpAvailable | boolean | Indicates if Time-based OTP (TOTP) is available for the user (e.g., false). |
| token | String | A long alphanumeric String (possibly JWT or session token) used for authentication/authorization in the next step of the process. |
Verify Forget Password
Verifies the OTP (One-Time Password) sent during the Forget Password process before allowing the user to reset their password.
Request Structure
{
"userId": "XXXXXXX",
"otp": "123456",
"osName": "MOBIOS",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| otp | String | OTP received by the user that needs to be validated. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"token": "2NHFMPP5PTDSFDASM9VM7ME5506U6IPYTNKN5O2OYO4TT7VS6IBHDVN3M9ES7VPNN9M91LYWXIU3SXS7YQ5H5YFC99BTK7BI2Y93401U6FBBIC5S5M1B3Z2F0OROVJGUK5N5H431FEX91225KJ2V4IQS6CAGA5SMX084TPK0YHS1WX5X76NZ7BZE2N04C8AM281H894WJAPJVW7U6JUG4ZLMX23VWP3P19SJDILIHLQ14V6BODVFTAI54Z57A9JJ",
"status": "Success",
"message": "Success"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| token | String | A long alphanumeric token, likely used for session continuation. |
| status | String | Status of the specific operation, here indicating success (e.g., "Success"). |
| message | String | Detailed message describing the result of the operation (e.g., "Success"). |
Reset Password
Sets a new password after verifying the OTP in the "Forget Password" flow.
Request Structure
{
"userId": "XXXXXXX",
"password": "XXXXXXX",
"deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
"appName": "RMONEY",
"osName": "MOBIOS"
}
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| password | String | The new password to be set. It must comply with password policy (e.g., length, complexity). Transmitted securely. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL","WEBEXTERNAL") |
Response Structure
{
"status": "Ok",
"message": "Success",
"result": {
"status": "Success",
"message": "Password changed successfully"
}
}
Response parameters
| Field | Type | Description |
|---|---|---|
| status | String | Status of the password change operation (e.g., "Success"). |
| message | String | Specific message confirming the outcome, such as "Password changed successfully". |
Biometric Login
| Method | APIS | Detail |
|---|---|---|
| Post | access/bio/enable | Enable Biometric |
| Post | access/bio/pwd/validate | Validate Biometric |
Enable Biometric
The Enable Biometric API allows users to activate biometric login (such as Face ID or Fingerprint) on their registered device. Once enabled, the user can log in securely using their device’s biometric authentication instead of entering a password.
Request Structure
```json
{
  "userId": "XXXXXX",
  "deviceType": "IOS",
  "enable": "true",
  "deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
  "appName": "RMONEY",
  "osName": "MOBIOS"
}
```
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier for the user. It can be a client’s email, mobile number, user ID, or PAN. |
| deviceType | String | Type of the device (e.g., ANDROID, IOS). |
| enable | Boolean | Indicates whether biometric authentication is being enabled ("true") or disabled ("false"). |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL", "WEBEXTERNAL") |
Response Structure
```json
{
  "status": "Ok",
  "message": "Success",
  "result": {
    "message": "Bio-metric Enabled successfully",
    "status": "Success"
  }
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Detailed success message (e.g., "Bio-metric Enabled successfully"). |
| status | String | Status of the biometric enable action (e.g., "Success"). |
Validate Biometric¶
The Validate Biometric API is used to authenticate a user via a previously enabled biometric login (such as Face ID or fingerprint). It verifies the biometric credentials stored on the user’s device and, upon successful validation, logs the user into the application without requiring a password.
Request Structure
```json
{
  "userId": "XXXXXX",
  "token": "XXXXXXXX",
  "deviceId": "38400000-8cf0-11bd-b23e-10b96e40000d",
  "appName": "RMONEY",
  "osName": "MOBIOS"
}
```
Input parameters
| Field | Type | Description |
|---|---|---|
| userId | String | Unique identifier of the user (email, mobile number, user ID, or PAN). |
| token | String | Session or authorization token issued after login or OTP verification. |
| deviceId | String | Unique ID of the device used for login. |
| appName | String | Name of the application (e.g., RMONEY) |
| osName | String | Operating system name ("MOBANDROID", "MOBIOS", "EXECLIENT", "EXEMANAGER", "WEBINTERNAL", "WEBEXTERNAL") |
Response Structure
```json
{
  "status": "Ok",
  "message": "Success",
  "result": {
    "success": "Success",
    "serverDate": "2025-06-17 15:41:25",
    "clientType": "ACTIVE",
    "versionChanged": "N",
    "bulkOrderAllowed": "Y",
    "runningAuthorization": "Y",
    "clientName": "saranya",
    "passwordChangeMessage": "NA",
    "poaStatus": "",
    "ckycStatus": "ACTIVE",
    "isDormant": "N",
    "roleDescription": "NA",
    "isCommIntraAllowed": "N",
    "isVtdAllowed": "N",
    "isAliasOrderAllowed": "N",
    "isDemoTrial": "N",
    "userRole": "ACTIVE",
    "message": "NA",
    "status": "ACTIVE",
    "passChangeFlag": "N",
    "allowNseCash": "Y",
    "allowNseFo": "Y",
    "allowNcdex": "Y",
    "allowBseFo": "Y",
    "allowBseCash": "Y",
    "allowMcxComm": "Y",
    "allowNseCurrency": "Y",
    "allowBseCurrency": "Y",
    "allowBseYComm": "Y",
    "allowNSEYComm": "Y",
    "nseCurrViewRights": "Y",
    "nseCashViewRights": "Y",
    "nseFoViewRights": "Y",
    "bseCashViewRights": "Y",
    "bseFoViewRights": "Y",
    "ncdexViewRights": "Y",
    "mcxCommViewRights": "Y",
    "bseCurrViewRights": "Y",
    "bseCommViewRights": "Y",
    "nseCommViewRights": "Y",
    "accessToken": "XXXXXXXXXX",
    "userId": "TEST102",
    "isAuthorized": false
  }
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| success | String | Status of the operation (e.g., "Success"). |
| serverDate | String | Current server date-time. |
| clientType | String | Type of client (e.g., "ACTIVE", "INACTIVE"). |
| versionChanged | String | "Y" if app update is required, otherwise "N". |
| bulkOrderAllowed | String | "Y" if client is allowed to place bulk orders. |
| runningAuthorization | String | "Y" if client has running session authorization. |
| clientName | String | Name of the client. |
| passwordChangeMessage | String | Message indicating if password change is required. |
| poaStatus | String | Status of Power of Attorney (POA). |
| ckycStatus | String | Central KYC status of the client. |
| isDormant | String | "Y" if account is dormant; "N" if active. |
| roleDescription | String | Description of the user's role. |
| isCommIntraAllowed | String | "Y" if commodity intraday is allowed. |
| isVtdAllowed | String | "Y" if Value Trading Day is allowed. |
| isAliasOrderAllowed | String | "Y" if alias orders are allowed. |
| isDemoTrial | String | "Y" if user is on a demo trial account. |
| userRole | String | User role in the system (e.g., "ACTIVE"). |
| message | String | Additional message from server (placeholder or "NA"). |
| status | String | Account status (typically "ACTIVE"). |
| passChangeFlag | String | "Y" if password change is required; otherwise "N". |
| allowNseCash | String | Access to NSE Cash segment ("Y"/"N"). |
| allowNseFo | String | Access to NSE Futures & Options. |
| allowNcdex | String | Access to NCDEX commodities. |
| allowBseFo | String | Access to BSE Futures & Options. |
| allowBseCash | String | Access to BSE Cash. |
| allowMcxComm | String | Access to MCX commodities. |
| allowNseCurrency | String | Access to NSE currency market. |
| allowBseCurrency | String | Access to BSE currency market. |
| allowBseYComm | String | Access to BSE Yield Commodities. |
| allowNSEYComm | String | Access to NSE Yield Commodities. |
| nseCurrViewRights | String | Can view NSE currency market. |
| nseCashViewRights | String | Can view NSE cash market. |
| nseFoViewRights | String | Can view NSE F&O market. |
| bseCashViewRights | String | Can view BSE cash market. |
| bseFoViewRights | String | Can view BSE F&O market. |
| ncdexViewRights | String | Can view NCDEX. |
| mcxCommViewRights | String | Can view MCX. |
| bseCurrViewRights | String | Can view BSE currency. |
| bseCommViewRights | String | Can view BSE commodities. |
| nseCommViewRights | String | Can view NSE commodities. |
| accessToken | String | JWT token used for authenticated API requests. |
| userId | String | Unique user ID. |
| isAuthorized | boolean | Whether user is authorized for further actions. |
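The segment flags above arrive as "Y"/"N" strings, so a client should grant access only on an exact "Y" and deny on anything else. The following is an added example, not NinjaFox code: the helper names `granted` and `session_from_biometric`, the blocker policy, and the sample input are assumptions constructed from the documented response.

```python
# Added example (not NinjaFox code): fail-closed handling of a Validate Biometric response.
TRADE_FLAGS = ("allowNseCash", "allowNseFo", "allowNcdex", "allowBseFo", "allowBseCash",
               "allowMcxComm", "allowNseCurrency", "allowBseCurrency", "allowBseYComm",
               "allowNSEYComm")
VIEW_FLAGS = ("nseCurrViewRights", "nseCashViewRights", "nseFoViewRights",
              "bseCashViewRights", "bseFoViewRights", "ncdexViewRights",
              "mcxCommViewRights", "bseCurrViewRights", "bseCommViewRights",
              "nseCommViewRights")

def granted(result, name):
    """Only the exact string "Y" grants; missing, "", "y" or True all deny."""
    return result.get(name) == "Y"

def session_from_biometric(resp):
    """Return token, blockers and granted flags; raise if there is no usable session."""
    result = resp.get("result")
    if resp.get("status") != "Ok" or not isinstance(result, dict):
        raise ValueError("call failed or envelope malformed")
    token = result.get("accessToken")
    if result.get("success") != "Success" or not isinstance(token, str) or not token:
        raise ValueError("no usable session in response")
    # Assumed client policy: any condition that is not explicitly clear blocks trading.
    checks = (("dormant", result.get("isDormant") == "N"),
              ("password-change", result.get("passChangeFlag") == "N"),
              ("app-update", result.get("versionChanged") == "N"),
              ("not-authorized", result.get("isAuthorized") is True))
    blockers = [name for name, ok in checks if not ok]
    return {
        "userId": result.get("userId"),
        "accessToken": token,
        "blockers": blockers,
        "trade": [f for f in TRADE_FLAGS if not blockers and granted(result, f)],
        "view": [f for f in VIEW_FLAGS if granted(result, f)],
    }

# Constructed sample mirroring the documented response (all flags "Y", isAuthorized false).
SAMPLE = {"status": "Ok", "message": "Success", "result": {
    **{f: "Y" for f in TRADE_FLAGS + VIEW_FLAGS},
    "success": "Success", "isDormant": "N", "passChangeFlag": "N", "versionChanged": "N",
    "accessToken": "XXXXXXXXXX", "userId": "TEST102", "isAuthorized": False}}

if __name__ == "__main__":
    session = session_from_biometric(SAMPLE)
    print(session["blockers"], len(session["trade"]), len(session["view"]))
```

With the documented sample, every allow flag is "Y" but `isAuthorized` is false, so this policy exposes the view rights and no trading segments.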
QR Login¶
| Method | APIS | Detail |
|---|---|---|
| GET | access/qr/generate | Generate QR |
| POST | access/qr/login | QR Login |
Generate QR¶
The Generate QR Login API is used to initiate a secure login process via QR code. When called, it generates a unique QR code (in base64 format) and a qrName identifier that can be scanned by an authenticated mobile device to authorize login on a different platform (e.g., web or desktop).
Response Structure
```json
{
  "status": "Ok",
  "message": "Success",
  "result": [
    {
      "byteCode": "data:image/png;base64,XXXXXXXXXXXXXXXXXXXXX",
      "qrName": "d68cb166-67ba-4847-9c54-f3686f"
    }
  ]
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| byteCode | String | Base64 encoded image of the QR code. |
| qrName | String | Unique identifier or name associated with the QR code. Typically a UUID. |
QR Login¶
The QR Login API completes the login process after a QR code is scanned and approved by the user via the mobile app. It validates the QR session using the qrName and authorizes the user to access the web or desktop platform without entering credentials.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| qrName | String | A unique identifier for the QR code to be validated. Typically a UUID generated during QR code creation. |
Response Structure
```json
{
  "status": "Ok",
  "message": "Success",
  "result": [
    {
      "accessToken": "XXXXXXX",
      "clientId": "XXXXXX",
      "authorized": false
    }
  ]
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| accessToken | String | JWT token used for authorized API requests after successful login. |
| clientId | String | Unique identifier for the client who has logged in. |
| authorized | Boolean | Indicates whether the login via QR was authorized (true or false). |
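Before rendering `byteCode` or storing `accessToken`, a client can validate both QR responses. This is an added example, not part of the NinjaFox documentation: the function names are hypothetical, the samples are constructed, and returning no token while `authorized` is anything other than `true` is an assumed client policy.

```python
import base64
import binascii

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PREFIX = "data:image/png;base64,"

def single_result(resp, api):
    """Return the one object inside result[], or raise on any other envelope."""
    items = resp.get("result")
    if (resp.get("status") != "Ok" or not isinstance(items, list)
            or len(items) != 1 or not isinstance(items[0], dict)):
        raise ValueError(f"unexpected {api} envelope")
    return items[0]

def parse_generate_qr(resp):
    """Return (png_bytes, qrName); reject anything that is not a base64 PNG data URI."""
    entry = single_result(resp, "Generate QR")
    byte_code, qr_name = entry.get("byteCode"), entry.get("qrName")
    if not isinstance(byte_code, str) or not byte_code.startswith(PREFIX):
        raise ValueError("byteCode is not a PNG data URI")
    try:
        png = base64.b64decode(byte_code[len(PREFIX):], validate=True)
    except binascii.Error as exc:
        raise ValueError("byteCode is not valid base64") from exc
    if not png.startswith(PNG_MAGIC):
        raise ValueError("decoded byteCode is not a PNG")
    if not isinstance(qr_name, str) or not qr_name:
        raise ValueError("qrName missing")
    return png, qr_name

def token_from_qr_login(resp):
    """Return accessToken once the scan is approved; None while authorized is not true."""
    entry = single_result(resp, "QR Login")
    if entry.get("authorized") is not True:  # the string "true" or 1 does not count
        return None
    token = entry.get("accessToken")
    if not isinstance(token, str) or not token:
        raise ValueError("authorized response carries no accessToken")
    return token

# Constructed samples in the documented shapes (not real API output).
SAMPLE_QR = {"status": "Ok", "message": "Success", "result": [{
    "byteCode": PREFIX + base64.b64encode(PNG_MAGIC + b"constructed").decode(),
    "qrName": "d68cb166-67ba-4847-9c54-f3686f"}]}
SAMPLE_LOGIN = {"status": "Ok", "message": "Success", "result": [
    {"accessToken": "XXXXXXX", "clientId": "XXXXXX", "authorized": False}]}

if __name__ == "__main__":
    print(parse_generate_qr(SAMPLE_QR)[1], token_from_qr_login(SAMPLE_LOGIN))
```

Checking the data URI prefix and the PNG signature keeps any other content type in `byteCode` from reaching an image element.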
Guest Login¶
| Method | APIS | Detail |
|---|---|---|
| POST | access/sms/otp/send | Verify Mobile Number |
| POST | access/sms/otp/verify | Validate Mobile OTP |
| POST | access/email/otp/send | Verify Email ID |
| POST | access/email/otp/verify | Validate Email OTP |
| POST | access/create/guest | Create Guest User |
Verify Mobile Number¶
Validates the format and existence of a mobile number before sending an OTP. This ensures the number is reachable and ready for secure authentication.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| mobile | String | Mobile Number |
| source | String | Source of the request (e.g., "WEB", "MOBILE"). |
Response Structure
```json
{
  "status": "Ok",
  "message": "An OTP has been sent to your registered Mobile Number and email.",
  "result": [
    {
      "id": 70
    }
  ]
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Descriptive message about the API response. |
| status | String | Indicates the overall API call result. Typically "Ok" for successful calls. |
| result | array | Contains client-specific details returned from the broker system. |
| result.id | String | Guest User mobile registration ID |
Validate Mobile OTP¶
Checks if the OTP entered matches the one sent to the user’s mobile. Successful validation confirms ownership of the mobile number.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| mobile | String | Mobile Number |
| source | String | Source of the request (e.g., "WEB", "MOBILE"). |
| OTP | String | OTP Entered by user |
| ID | String | ID generated during verify Mobile API call |
Response Structure
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Descriptive message about the API response. |
| status | String | Indicates the overall API call result. Typically "Ok" for successful calls. |
| result | array | Contains client-specific details returned from the broker system. |
| result.id | String | Guest User mobile registration ID |
Verify Email ID¶
Confirms that the provided email address is valid and deliverable. Triggers dispatch of an OTP to the email.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| emailId | String | Email ID entered by user. |
| source | String | Source of the request (e.g., "WEB", "MOBILE"). |
| id | String | Guest User registration ID |
Response Structure
```json
{
  "status": "Ok",
  "message": "An OTP has been sent to your registered Email",
  "result": [
    {
      "id": 70
    }
  ]
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Descriptive message about the API response. |
| status | String | Indicates the overall API call result. Typically "Ok" for successful calls. |
| result | array | Contains client-specific details returned from the broker system. |
| result.id | String | Guest User registration ID |
Validate Email OTP¶
Checks if the OTP entered matches the one sent to the user’s mobile. Successful validation confirms ownership of the mobile number.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| emailID | String | Email ID entered by user. |
| source | String | Source of the request (e.g., "WEB", "MOBILE"). |
| OTP | String | OTP Entered by user |
| ID | String | ID generated during verify Mobile API call |
Response Structure
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Descriptive message about the API response. |
| status | String | Indicates the overall API call result. Typically "Ok" for successful calls. |
| result | array | Contains client-specific details returned from the broker system. |
| result.id | String | Guest User registration ID |
Create Guest User¶
Creates a temporary guest profile with minimal details, enabling quick access without full registration. Guest users can later be upgraded to registered accounts for complete functionality.
Request Structure
Input parameters
| Field | Type | Description |
|---|---|---|
| password | String | Password Entered by user. |
| source | String | Source of the request (e.g., "WEB", "MOBILE"). |
| ID | String | ID generated during verify Mobile API call |
Response Structure
```json
{
  "status": "Ok",
  "message": "Success",
  "result": [
    {
      "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqNklyMGdzX3RqX2o1Rjl",
      "kcRole": "GUEST_USER",
      "authorized": false
    }
  ]
}
```
Response parameters
| Field | Type | Description |
|---|---|---|
| message | String | Descriptive message about the API response. |
| status | String | Indicates the overall API call result. Typically "Ok" for successful calls. |
| result | array | Contains client-specific details returned from the broker system. |
| accessToken | String | A JWT (JSON Web Token) which is used for authentication and authorization in further API calls. Contains encoded user identity and roles. |
| kcRole | String | User Role |
| authorized | boolean |
ss format.