API Tokens
All TickQuote Market Data API requests require a product API key. This guide explains how to send that key and keep it separate from website login credentials.
- Auth
- Bearer
- Storage
- Browser
- Scope
- Backend enforced
API Tokens
API tokens are generated from your dashboard. Each token is tied to your account and inherits the rate limits and permissions assigned to that account.
Token Format
Market API tokens are sent at the transport layer: REST and WebSocket both use the Authorization Bearer header.
REST transport
- header
- Authorization
- scheme
- Bearer
- format
- Bearer <tkp_api_key>
WebSocket Header
- header
- Authorization
- format
- Bearer <tkp_api_key>
Using Tokens
Include your API token in the Authorization header using Bearer authentication:
curl "https://api.tickquote.com/api/v1/market/quotes/latest?tickers=EURUSD" \
-H "Authorization: Bearer $TICKQUOTE_API_KEY"Open the socket with the Authorization header, then send subscribe after connection. Native browser WebSocket cannot set custom headers, so browser direct-connect needs a separately approved transport.
Authorization: Bearer tkp_****redacted****Market scopes
REST and WebSocket access use product-level scopes. Keep API key permissions scoped to the integration that needs them.
REST
- market:read
WebSocket
- market:stream
Failure semantics
- REST invalid token
- unauthorized
- WebSocket auth reject
- unauthorized
Frontend Storage Notes
Use browser-held API keys intentionally.
The docs playground can use a selected dashboard key for testing. For production applications, prefer server-side storage when possible.
Never bake tokens into static assets.
Keep tokens out of source control, HTML, and public JavaScript bundles.
Rotate tokens regularly.
Generate new tokens periodically and revoke old ones.
Restrict origins and scope.
Use scoped keys and allowed origins so each integration receives only the access it needs.
Next up
REST API
Continue into the REST reference and test a signed market data request.