Authentication

To unlock the complete functionality of Deriv APIs, you must authenticate and authorise your users. Deriv supports two approaches: OAuth 2.0 apps and Personal Access Token (PAT) apps.

Authentication Methods

OAuth 2.0 apps

OAuth 2.0 lets users grant your app access without sharing their password. Your app redirects the user to a Deriv sign-in and consent page. After approval, Deriv returns an authorization code which you exchange for an access token.

Redirect to Deriv

User Logs In

Code Returned

Exchange for Token

Set up OAuth 2.0

PAT apps

With a PAT app, the user generates a Personal Access Token in Deriv and manually enters it into your application. The app stores the token and includes it in API requests as a bearer token.

Generate Token

Paste into App

App Uses Token

Token-based access

Both methods give your app tokens to make authenticated API calls. The key difference is how users sign in and onboard.

Why Authentication Matters

Authentication improves security by keeping user passwords out of third-party apps. Tokens limit access based on scopes and can be revoked independently if needed.

OAuth 2.0 provides a standardized flow with short-lived access tokens to enhance security and user experience. PATs provide a simpler authentication option when manual token entry is acceptable.

OAuth 2.0 app vs PAT app

Aspect	OAuth 2.0 app	PAT app
Best fit	Web-based applications	Desktop/native and non-web contexts
How onboarding works	User redirected to Deriv OAuth 2.0 sign-in; after approval, redirected back with an authorization code.	User generates a PAT in Deriv and manually pastes it into the app.
Redirect URLs	Required for completing the flow.	Not used.
User experience	Seamless web sign-in with consent.	Manual token entry — simple but less automated.
Use case examples	Web dashboards, browser apps.	Desktop tools, CLI apps, native clients.
Security notes	Issues short-lived tokens and minimises long-term credential sharing.	PATs act like scoped API credentials and can be revoked independently.

When to choose which

Choose OAuth 2.0 app when your product can handle browser redirects and you need a standard delegated flow with user authorisation.
Choose PAT app when browser redirects are not practical and manual token entry is acceptable, such as in desktop or native environments.

API Overview OAuth 2.0

Any other questions? Get in touch