Looking through the documentation and testing of the APIs, I have a summary of how security works for API Key + dedicated password. Before I start finalizing my framework, I wanted to present my summary and get a critique of my understanding of security with Tradovate.
The security is implemented as follows: The API key creation process uses the dedicated password and generates the secret key and cid for authentication. This set of information is called access keys or AK. The second set of information is the device key or DK, which consists of a unique host machine identifier and username, which is implemented on the host machine. Upon the initial authorization (get_access_token), the AK or DK are bound together. Any use of the AK from any other machine will result in a login error and/or rate limiting message (p-ticket), since the DK is unknown.
Also, multiple processes can be supported for a specific user as long as the AK + DK is used appropriately on the same host machine.
Multiple users are also supported on a single host, as long as each user has a different set of AK and DK, and the proper AK and DK are used during authentication.
Additional users on different hosts can be supported as long as a different set of AK and DK is used for each user. The most likely scenario is a disaster recovery machine.
Please confirm or correct my understanding of your APIs. If this is correct, please add it to the standard documentation, as it can reduce the effort for some other API user in the future.
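The binding rules summarized in the post, as an added toy model written for this thread (not Tradovate's code; the server-side logic, the `AuthServerModel` class and all key values are assumptions used to check that the rules are consistent with each other):

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessKey:
    """AK: the cid + secret pair produced when the API key is created."""
    cid: str
    secret: str


@dataclass(frozen=True)
class DeviceKey:
    """DK: the host machine identifier + username, held on the host."""
    device_id: str
    username: str


class AuthServerModel:
    """Hypothetical model of the AK/DK binding described in the post."""

    def __init__(self, valid_keys):
        self._valid = dict(valid_keys)  # cid -> secret (constructed test data)
        self._bound = {}                # cid -> DeviceKey fixed at first authorization
        self._issued = 0

    def get_access_token(self, ak, dk):
        expected = self._valid.get(ak.cid)
        # Constant-time compare so a wrong secret is rejected without timing leaks.
        if expected is None or not hmac.compare_digest(expected, ak.secret):
            return {"error": "login"}
        # First successful authorization binds this AK to this DK.
        bound = self._bound.setdefault(ak.cid, dk)
        if bound != dk:
            # Same AK presented from an unknown DK: login error plus p-ticket.
            return {"error": "login", "p-ticket": "rate-limited"}
        self._issued += 1
        return {"accessToken": f"tok-{ak.cid}-{self._issued}"}


def run_scenarios():
    """Replays the post's cases; returns which ones yield a token."""
    srv = AuthServerModel({"cid-alice": "s-alice", "cid-bob": "s-bob"})
    alice, bob = AccessKey("cid-alice", "s-alice"), AccessKey("cid-bob", "s-bob")
    host1_alice, host2_alice = DeviceKey("host-1", "alice"), DeviceKey("host-2", "alice")
    return {
        "first_login": "accessToken" in srv.get_access_token(alice, host1_alice),
        "second_process_same_host": "accessToken" in srv.get_access_token(alice, host1_alice),
        "same_ak_other_host": "p-ticket" in srv.get_access_token(alice, host2_alice),
        "other_user_same_host": "accessToken" in srv.get_access_token(bob, DeviceKey("host-1", "bob")),
        "wrong_secret": srv.get_access_token(AccessKey("cid-alice", "x"), host1_alice) == {"error": "login"},
    }
```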