I can send an OSO order in demo, but get Access denied in Replay

The placeOSO params are like this:

{
  "accountSpec": "xxx",
  "accountId": xxx,
  "action": "Buy",
  "symbol": "MNQM2",
  "orderQty": 1,
  "orderType": "Stop",
  "stopPrice": 15140,
  "isAutomated": true,
  "bracket1": {
    "action": "Sell",
    "orderType": "Limit",
    "price": 15145
  },
  "bracket2": {
    "action": "Sell",
    "orderType": "Stop",
    "stopPrice": 15135
  }
}

It works in demo mode, where it returns:


But when sent in replay mode, it returns:

{"failureReason":"UnknownReason","failureText":"Access is denied"}

The host is wss://replay.tradovateapi.com/v1/websocket
I use the websocket API. The login endpoint uses https://demo.tradovateapi.com/v1 to get the access token, then I build the market session websocket with wss://replay.tradovateapi.com/v1/websocket,
and build the trade session websocket with wss://replay.tradovateapi.com/v1/websocket

This depends on the contract you’re trading and the period that you’re replaying. If the contract you are trying to trade is outside of the scope of the replay, this makes sense. For example, if you wanted to trade ES for last December, you could start a replay for 2022-12-01, then try to trade on ESZ1 (ESM2 will be invalid, as it is the contract expiring in June of 2022).

I can trade MNQM2 in the Tr client in replay mode, but in my program it is Access denied, while the same request is good in demo mode,
and I trade MNQM2 on 2022-4-16, with a replay time of about 2022-4-14; I will not replay so many days ago.

Oh I see, if it only occurs on LIVE or Replay mode, check on how you are configuring your Device ID. You can get details about Device ID here.

Thanks, my device ID is just an MD5; I checked the code to satisfy it.

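Hi alex, I cannot use the js lib device-uuid because I am using Java code, but I tried SHA-256 like this:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Hex;

private String getDeviceId() {
        MessageDigest messageDigest = null;
        String encdeStr = "";
        try {
            messageDigest = MessageDigest.getInstance("SHA-256");
            // no update() call precedes this, so the digest is of empty input
            byte[] hash = messageDigest.digest();
            encdeStr = Hex.encodeHexString(hash);
        } catch (NoSuchAlgorithmException e) {
            // leave encdeStr empty
        }
        return encdeStr;
}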

the id like:


It is not good; placing an order is denied in replay mode,
so I changed to MD5:

String context = userName + pswd + key;
byte[] byteMsg = new byte[0];
        MessageDigest md = null;
        try {
            byteMsg = context.getBytes("UTF-8");
            md = MessageDigest.getInstance("MD5");
        } catch (UnsupportedEncodingException|NoSuchAlgorithmException e) {
            return "";
        }
        // hash the UTF-8 bytes of the context string, then convert to hex
        return Hex.encodeHexString(md.digest(byteMsg));

device id like


but the md5 is not OK too

I saw the topic: 401-error-in-live-mode
Does that mean that for a device ID I just need to keep it unique, for example use MD5(“name” + “password” + “apiKey” + “cid”), and need to approve this device ID for use?
But I checked my email; it just has some notifications about a new device, and no email with a link to approve the device ID.

I see that in the Tr client, in the Security and privacy settings, there is the Trusted Device list.
I see my program name there; it is the only entry.
I think I changed the device ID in my program, so it is denied.
Now, do I need to unlink this entry for my program and use a unique device ID with my program, so I can receive an email about the device name and approve it, so I can see the trusted device in the Tr client?

Hello @Alexander, I deleted the trusted device for my app and deleted the old key. I then created a new key, changed the name, and used a new deviceId generated by Md5(userName+password+apiKey), which stays unique. Then I started my app; the Tr client can see the new device with the new name, but it still gives the Access is denied error:

When you properly register the app, you’ll get an email asking you to confirm the new app. If you didn’t get that email, you didn’t properly register the app with Tradovate.

Thanks for your tip @beebee
But I cannot find any entry about registering the app. Is that in the Trado client, or in some other control backend?
I just found that the API key tab has an OAuth setting, but I think it is about OAuth login.

I checked my email; there is only a notification, with no link for an approve operation.

After you create the app, you must give it some permissions, for instance if u only want to stream market data you change the drop down below market data from denied to read only.

Once that’s done, you’ll see a popup with a generated string – DO NOT LOSE THIS or else you’ll have to start over.

You won’t be accessing the app with curl, but look at the output to see the relevant fields; name, password, appId, appVersion, deviceId, cid, and sec. During testing some aren’t necessary but if you want to go live ALL will be necessary identical, so just make sure they are all properly setup in the beginning.

curl -X POST "https://demo.tradovateapi.com/v1/auth/accesstokenrequest" \
 -H "accept: application/json" \
 -H "Content-Type: application/json" \
 -d "{ \
   \"name\": \"xxxx\", \
   \"password\": \"xxxx\", \
   \"appId\": \"xxx\", \
   \"appVersion\": \"xxx\", \
   \"deviceId\": \"xxxx\", \
   \"cid\": \"xxx\", \
   \"sec\": \"xxx\" \
 }"

After the app is created, you’ll see

When u try to connect via websockets, you’ll get an email notification like the one u provided but it will have the appName that you registered.

make sure you give this API Key Access some permissions, currently all permissions are denied so I doubt you would even be able to login with it.

Thanks @beebee, I only received the email without any approve link. Do I need to use the rule for generating the device ID in UnderstandingDeviceId?
The node code:

const crypto = require('crypto')

const myUID = crypto.createHash('sha256')

It is a SHA-256 hash in hex format (a 64 character string). The hash is based on some arbitrary, but non-changing fields - username, password, and some kind of app-specific secret,
and at the end it says

you can use whatever fields you want as long as they don't change.

But I use Md5(username+password+apiSecret). I think it doesn’t change, and I can see my app in the trusted device list and receive the email (with no approve link), but when I try to send an order in Replay and live, it is Access denied too.
So I am confused about the rule for generating the device ID. Maybe the live and replay modes use a specific rule to generate the deviceId to check whether my ID is valid or not? Maybe like:

byte[] bytes = SHA256(userName+password+apiSecret);
String hexString = hex(bytes);

but I found the String is like


not similar to the example, like


and I am also Access Denied :joy:

I used a uuid function because I am not using javascript. Just make sure that whatever string you return

My deviceId is similar to this one.

My client secret is formatted like this:

Also, take notice that in demo mode your username and passwords are different. Demo mode, name looks like DEMOxxxx, userId is a number; you can see those in the simulation backend or by using the api function get account list or get user list.

In live mode name seems to be your login username and userId is a different number. Also in live mode all fields are required; meaning name, password, appId, appVersion, deviceId, cid and sec.

Thank you @beebee very much. I guess my fault may be the account name and account ID.
And should I use the same device ID in demo, replay, and live, or do I need to use a different one?

The device id is the same.
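
The device ID handling discussed in this thread, as an added example that is not part of any post and is not Tradovate's code: it mints a random 64-character hex ID once, stores it, and reuses it on every run (so demo, replay and live all see the same ID, with no password material inside it), then checks that all seven fields the thread names are present before an accesstokenrequest body is built. The function names and the default file path are hypothetical.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical storage location for the persisted device ID.
const DEFAULT_FILE = path.join(os.homedir(), '.tradovate-device-id');
// This example's own format: SHA-256 in hex, as in the guidance quoted above.
const DEVICE_ID_RE = /^[0-9a-f]{64}$/;

// Return the device ID saved in `file`, creating it on the first run.
// The ID is the SHA-256 of a random UUID, so it holds no credential material.
function loadOrCreateDeviceId(file = DEFAULT_FILE) {
  if (fs.existsSync(file)) {
    const saved = fs.readFileSync(file, 'utf8').trim();
    if (DEVICE_ID_RE.test(saved)) return saved;
    // A silently regenerated ID would show up as a new, untrusted device.
    throw new Error('device ID file ' + file + ' is corrupt');
  }
  const id = crypto.createHash('sha256').update(crypto.randomUUID()).digest('hex');
  // 'wx' refuses to overwrite an existing file; 0o600 keeps it owner-only.
  fs.writeFileSync(file, id + '\n', { flag: 'wx', mode: 0o600 });
  return id;
}

// Fields the thread lists as required in live mode.
const REQUIRED = ['name', 'password', 'appId', 'appVersion', 'deviceId', 'cid', 'sec'];

// Build the accesstokenrequest body, rejecting missing or empty fields
// before anything is sent.
function buildAccessTokenRequest(creds, deviceId) {
  const body = { ...creds, deviceId };
  const missing = REQUIRED.filter(
    (k) => body[k] === undefined || body[k] === null || String(body[k]).trim() === ''
  );
  if (missing.length) throw new Error('missing fields: ' + missing.join(', '));
  return body;
}
```
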