Authentication
The Partner API (REST) uses OAuth 2.0 Client Credentials to authenticate requests. This applies to all REST endpoints (margin, signing, accounts, lending, borrow, YLDS). FIX trading uses a separate authentication and connection path — see Trading (FIX).
Use Partner API credentials here. They are gated at the API gateway for market makers (partners) only.
Flow
The Partner API uses the OAuth 2.0 Client Credentials Flow: your application exchanges long-lived client credentials (client ID + secret) for a short-lived access token, then sends that token with each API request. No user interaction is required; this is for machine-to-machine (backend) use.
Getting API credentials
Partner API credentials (client ID and client secret) are self-service. Log in to the Figure Markets web app on behalf of your entity, then go to For Business → API keys (or API key management). There you can generate and manage credentials and set read vs write permission per key.
Keep the client secret confidential; treat it like a password. Do not commit it to version control or expose it in front-end or mobile apps.
Obtaining an access token
Examples use the UAT host (www.figuremarkets.dev). For production and full REST base URLs, see Partner API (REST) — Base path (main domain).
Send a POST request to the token endpoint with your client credentials and grant_type: client_credentials. Set CLIENT_ID and CLIENT_SECRET in your environment. The request body must be JSON.
BODY=$(cat <<EOF
{"client_id":"$CLIENT_ID","client_secret":"$CLIENT_SECRET","grant_type":"client_credentials"}
EOF
)
curl https://www.figuremarkets.dev/service-hft-exchange/beta/partner/oauth2/token \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d "$BODY"
Example response:
{
"expires_in": 7200,
"access_token": "gNnlFyZAicoOCIlS17AML7Tz2ObaMpVR",
"token_type": "bearer"
}
Access tokens typically expire after 2 hours. Obtain a new token before expiry or when you receive a 401 response.
Using the access token
Include the token in the Authorization header as a Bearer token for every Partner API request:
curl https://www.figuremarkets.dev/service-hft-exchange/beta/partner/api/v1/accounts/positions \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
Security best practices
- Client secret — Never share or log it; store it securely (e.g. secrets manager). Use it only in server-side token requests over HTTPS.
- Access tokens — Short-lived and opaque; don’t persist them longer than needed. Send only in Authorization headers, not in query params or URLs.
- Compromise — If credentials or a token are leaked, revoke or regenerate the API key in For Business and rotate the secret.
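One way to apply the token lifetime and handling rules above in a backend client, as an added example (not Figure Markets' own code). The names TokenCache and fetch_token and the 60-second renewal margin are assumptions made for this example; the endpoint, request body and response fields are the ones shown on this page.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://www.figuremarkets.dev/service-hft-exchange/beta/partner/oauth2/token"


def fetch_token(url=TOKEN_URL):
    """POST client credentials as JSON; the secret is read from the environment only."""
    body = json.dumps({  # json.dumps escapes the values, unlike shell interpolation
        "client_id": os.environ["CLIENT_ID"],
        "client_secret": os.environ["CLIENT_SECRET"],
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token in memory and renews it before it expires."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic, margin=60):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            resp = self._fetch()
            self._token = resp["access_token"]
            # Renew `margin` seconds early so no request is sent with a stale token.
            self._deadline = self._clock() + max(resp["expires_in"] - self._margin, 0)
        return self._token

    def invalidate(self):
        """Call after a 401 response so the next request fetches a fresh token."""
        self._token = None

    def headers(self):
        # The token travels in the Authorization header only, never in the URL.
        return {"Accept": "application/json", "Authorization": f"Bearer {self.token()}"}

    def __repr__(self):
        return "<TokenCache token=[redacted]>"  # keeps the token out of logs and tracebacks
```

On a 401 from any Partner API call, call invalidate() and retry the request once with fresh headers().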
IP whitelisting
The Partner API (REST) does not use IP whitelisting. You can obtain tokens and call the API from any IP once you have credentials. FIX gateways do use IP whitelisting; Figure Markets coordinates that with you during FIX setup (see Overview → Partner (FIX) setup).