OAuth 2.0
Authenticate and authorize your users securely using the OAuth 2.0 Authorization Code Flow.
OAuth authentication overview
To unlock the full functionality of Deriv APIs, your app must first authenticate and authorize users through our OAuth 2.0 provider. Once authenticated, the returned access tokens are used by the WebSocket server to verify the user and allow secure communication with the Deriv API.
OAuth 2.0 ensures that users can log in to third-party applications without sharing their password or permanent API tokens, offering a safer way to grant temporary, scoped access.
How OAuth 2.0 Works
- Your app redirects the user to Deriv’s OAuth 2.0 authorization page to sign in and review permissions.
- The authorization server handles login and consent securely.
- After login, the user is redirected back to your app with an authorization code.
- Your app exchanges this code for tokens (with PKCE if used).
- The OAuth server returns the access token (and optional refresh token).
- Your app securely stores and uses the access token for WebSocket or REST API calls.
Before You Begin
- Ensure your redirect URL is correctly registered.
- The redirect URL must use HTTPS.
- Your app must handle redirects, read the authorization code, and exchange it for tokens.
- You must have a registered OAuth 2.0 client.
- Make sure you have valid credentials: client_id, client_secret, and redirect_uri.
1. Redirect the User to the Authorization Endpoint
Send users to the OAuth 2.0 authorization endpoint:
https://auth.deriv.com/oauth2/authInclude:
- response_type=code
- client_id
- redirect_uri
- scope
- state
- code_challenge + code_challenge_method=S256 (PKCE)
Important
state parameter and generate your code_challenge from a secure random code_verifier.2. User Login & Consent (Handled by OAuth Provider)
The user signs in and approves requested permissions. All login and consent screens are managed by the OAuth provider.
3. Receive the Authorization Code
https://your-app.com/callback?code=AUTH_CODE&state=ORIGINAL_STATE- Verify the state matches the original value.
- Extract the authorization code.
- The code is short-lived and single-use.
4. Exchange the Code for Tokens
POST https://auth.deriv.com/oauth2/tokenInclude:
- grant_type=authorization_code
- client_id
- client_secret (if applicable)
- code_verifier
- code
- redirect_uri
5. Token Response
{
"access_token": "...",
"expires_in": 3600,
"token_type": "bearer"
}Store tokens securely on the server and never expose them in frontend code.
6. Use the Access Token in API Calls
Authorization: Bearer ACCESS_TOKENExample:
curl -X GET "https://staging-api.derivws.com/trading/v1/options/accounts" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"