# Partner API Authentication

This guide will walk you through generating an access token and making your first request to the Tradevest API.

### 1. Prerequisites

Before you begin, ensure you have gathered your credentials and identified the correct environment URLs.

#### Client Credentials

You will need a `client_id` and `client_secret`. These are provided by the Tradevest support team.

#### Environment URLs

| Service                | Sandbox (Testing)                             | Production (Live)                             |
| ---------------------- | --------------------------------------------- | --------------------------------------------- |
| **Authentication URL** | `https://b2b.auth.platform-test.tradevest.ai` | `https://b2b.auth.platform-prod.tradevest.ai` |
| **API Base URL**       | `https://tvda-api.platform-test.tradevest.ai` | `https://tvda-api.platform-prod.tradevest.ai` |

***

### 2. Authenticate (Get a Token)

Tradevest uses the **OAuth 2.0 Client Credentials flow**. You must exchange your credentials for a temporary access token at the Auth URL.

#### The Request

Send a `POST` request to the token endpoint using `application/x-www-form-urlencoded`.

```bash
# Example for Sandbox Environment
curl -X POST https://b2b.auth.platform-test.tradevest.ai/connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<YOUR_CLIENT_ID>" \
  -d "client_secret=<YOUR_CLIENT_SECRET>" \
  -d "scope=tradevest.api"
```

#### The Response

If successful, you will receive a Bearer token valid for **1 hour** (3600 seconds).

```json
{
  "access_token": "eyJhbGciOiJIUzI1Ni...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

{% hint style="danger" %}
**Security Note:** Treat your `client_secret` like a password. Never include it in client-side code (mobile apps/browsers) or commit it to public repositories.
{% endhint %}

***

### 3. Make Your First Request

Now that you have a token, you can access protected resources at the **API Base URL**. Include the token in the `Authorization` header.

**Endpoint:** `GET /prices`

```bash
# Note: Use the API URL here, not the Auth URL
# The URL is quoted so the shell does not treat "?" as a glob character
curl -X GET "https://tvda-api.platform-test.tradevest.ai/v1/prices?symbol=BTC" \
  -H "Authorization: Bearer <YOUR_ACCESS_TOKEN>"
```

***

### 4. The Requestor-ID Header

To ensure auditability and regulatory compliance, most operations require you to identify the specific individual performing the action.

#### The Header

`Requestor-ID: <UUID-OF-ENTITY>`

{% hint style="info" %}
**When is this NOT required?** You do not need to include the `Requestor-ID` for:

* **Authentication:** The token exchange step.
* **Onboarding:** Creating a new Natural Person or Legal Entity.
{% endhint %}

{% hint style="warning" %}
**Mandatory Requirement:** For all other commands (e.g., **"Create Market Order"**), the `Requestor-ID` is **mandatory**. Requests missing this header will return a `400 Bad Request` or `403 Forbidden`.
{% endhint %}
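
The token exchange from step 2 and the `Requestor-ID` header from step 4, combined in an added example that is not Tradevest's own code: it reads the credentials from the environment rather than from source, reuses one token for most of its 1-hour lifetime, and rejects a malformed `Requestor-ID` before any request is sent. Assumptions: the environment variable names, the 60-second renewal margin, the `TokenCache` and `auth_headers` names, and that the ID is a standard UUID string.

```python
import json
import os
import time
import urllib.parse
import urllib.request
import uuid

# Sandbox token endpoint from this guide; use the production Auth URL for live traffic.
TOKEN_URL = "https://b2b.auth.platform-test.tradevest.ai/connect/token"
REFRESH_SKEW = 60  # assumption: renew 60 s before the stated expiry


def fetch_token():
    """POST the client-credentials grant; credentials come from the environment."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": os.environ["TRADEVEST_CLIENT_ID"],          # assumed variable name
        "client_secret": os.environ["TRADEVEST_CLIENT_SECRET"],  # assumed variable name
        "scope": "tradevest.api",
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=form, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse one access token until shortly before expires_in elapses."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._token, self._renew_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            reply = self._fetch()
            if str(reply.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = reply["access_token"]
            self._renew_at = now + int(reply["expires_in"]) - REFRESH_SKEW
        return self._token


def auth_headers(cache, requestor_id=None):
    """Headers for an API call; pass requestor_id for every command that needs it."""
    headers = {"Authorization": "Bearer " + cache.get()}
    if requestor_id is not None:
        uuid.UUID(requestor_id)  # raises ValueError on a malformed ID
        headers["Requestor-ID"] = requestor_id
    return headers
```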
