
Authorization

Vendor authorization is done using the Login API. It is mandatory for any user of a particular vendor who wants to use Nuvama APIs. This API requires the Vendor Name and Vendor password, and the generated session is valid for 24 hours. All users who call Nuvama APIs through a particular vendor can use the same session. The user must pass the Vendor Name and Session (generated using this API) in the header of all Nuvama API calls.

A vendor can log out using the Logout API. After logout, no user under that vendor will be able to access any of the Nuvama APIs.

Vendor Login API

  1. Get in touch with us at APIsupport@nuvama.com, or sign up here, to get your Vendor/Partner APIkey, Password & AppID created. If you have already received the credentials, you do not need to sign up and create new ones.
  2. Use those details to log in

This API is used to create a vendor session, which is valid for 24 hours from the time of generation. All users who call Nuvama APIs through a particular vendor can use the same session. The user must pass the Vendor Name and Session (generated using this API) in the header of all Nuvama API calls.

| Key | Value |
| --- | --- |
| Method | POST |
| URL | `<baseURL>edelmw-login/login/accounts/loginvendor/{VendorName}` |
| Header | Key : Content-Type, Value : application/json |
| | Key : Source, Value : Vendor Name |

Request Parameters:

| Parameter | Data Type | Description | Is Mandatory? |
| --- | --- | --- | --- |
| pwd | string | Password for the given vendor | YES |

Response Parameters:

| Parameter | Data Type | Description |
| --- | --- | --- |
| msg | string | Session token generated for the given vendor. Valid for 24 hours from generation. All the users under this vendor can use the same Session. Send this value in the Header of all the APIs as follows: Key : SourceToken, Value : msg |
| success | boolean | Indicates whether validation & token generation was successful |

Sample Request

Request Method: POST

Request URL:

https://np.nuvamawealth.com/edelmw-login/login/accounts/loginvendor/TEST2

Headers:

| Key | Value |
| --- | --- |
| Content-Type | application/json |

Request Body:

{
  "pwd" : "qwerty#$%1"
}

Sample Responses

Success Response

Response Code: 200

Response Body:

{
    "msg": "2120e1a36318d9016878eab72fea1135",
    "success": true
}

Integrating With Nuvama API Connect B2B REST APIs

  1. Redirect the user to log in with their Nuvama credentials – sample URL: https://nuvamawealth.com/login?ordsrc=apiventest&ordsrctkn=ef56c441afa3bc5641dc217f6472a1a5&state=test123

    a. ordsrc -> Vendor/Partner API key
    b. ordsrctkn -> vendor session token generated from the vendor login
    c. state -> optional field, this will be passed back to you on redirection

  2. On successful login, the client will be asked to accept a data sharing consent if they are logging in for the first time

  3. Once the client clicks on Accept, they will be redirected back to the redirect URL provided by you – sample URL: https://xyz.com/?login_success=true&userid=80126245&state=test123&encrTkn=s+4xF+ilViU9emMt+8DY/GUcrewqqGnLu3eONHJkgs8o

    a. login_success -> success/fail
    b. userid -> client’s Nuvama Trading account number
    c. state -> same as passed in request URL
    d. encrTkn -> encrypted Auth token for the Client

  4. Decrypt the encrTkn to get the Auth token

    a. The token is base64-encoded: first decode it from base64, then decrypt it
    b. Decrypt using the AES algorithm (256 bits), with the key described below
    c. The key is 32 characters long: the first 16 characters are your Password (API Security Key); the second 16 characters are the last 16 characters of the ordsrctkn (vendor session token generated from the vendor login)

    i. E.g., your password - 4cSfRu2fRZR99KCk
    ii. The token generated - a79d62877efca412313ee9cd898c94af
    iii. Then your decryption key - 4cSfRu2fRZR99KCk313ee9cd898c94af

    d. Cipher is - AES/CBC/PKCS5PADDING
    e. The sample Java code to decrypt the encrypted token is provided in the upcoming steps
    f. The Auth token will be invalidated after 8 hours of inactivity, or at 12:30 AM every day
    g. As long as the Client’s session remains active, you will get the same Auth Token on re-login

  5. Use this Auth token for any of our Client REST APIs

  6. Along with the Auth token, please pass the AppID key, OrdSrc and OrdSrcTkn in the header; this is mandatory
  7. Sample Java code to decrypt the encrypted token (hosted on jdoodle.com)
  8. Once you are satisfied with the UAT integration, make the changes below to point to production:
    a. Generate your prod API key, Password and AppID key by signing up here
    b. Set your production redirect URL on the partner portal while creating app
    c. Sample Client login URL for production - https://www.nuvamawealth.com/login?ordsrc=CUGAPIVen2&ordsrctkn=faa945393f74075bc2e6e9a30ddef026
    d. Base URL for partner login - https://np.nuvamawealth.com/edelmw-login/login/
    e. Base URL for equity APIs - https://np.nuvamawealth.com/edelmw-eq/eq/

Failure Response

Response Code: 401

Response Body:

{
    "config": {},
    "error": {
        "actCd": "52",
        "errCd": "EGN0009",
        "errMsg": "Login failed. Invalid Vendor Details"
    },
    "msgID": "56d460ed-d597-4828-89f3-23744560dcf9",
    "srvTm": 1588760901467
}

Vendor Logout API

This API is used to log out a Vendor. Any user who tries to use Nuvama APIs through this vendor after Vendor logout will get a Session Expired error.

| Key | Value |
| --- | --- |
| Method | PUT |
| URL | `<baseURL>/edelmw-login/login/accounts/logoutvendor/{VendorName}` |
| Header | Key : Content-Type, Value : application/json |
| | Key : Source, Value : Vendor Name |
| | Key : SourceToken, Value : value of msg received in Vendor Login API |

Request Body : Not Applicable

Response Parameters:

| Parameter | Data Type | Description |
| --- | --- | --- |
| msg | string | Success or failure message |
| success | boolean | Indicates whether logout was successful or not |

Sample Request

Request Method: PUT

Request URL:

https://np.nuvamawealth.com/edelmw-login/login/accounts/logoutvendor/TEST2

Headers:

| Key | Value |
| --- | --- |
| Content-Type | application/json |
| SourceToken | 7623a5e7dacdd6136119d01841f67644 |

Request Body: Not Applicable

Sample Responses

Success Response

Response Code: 200

Response Body:

{
    "msg": "Vendor logged out successfully",
    "success": true
}

Failure Response

Response Code: 401

Response Body:

{
    "config": {},
    "error": {
        "actCd": "52",
        "errCd": "ETRD0001",
        "errMsg": "Invalid Source Token. Session Expired"
    },
    "msgID": "6af38ee6-9cc5-409e-8edd-94318603c289",
    "srvTm": 1588761263201
}