
The Nordnet API allows you to connect your own trading application to Nordnet’s trading platform. The full documentation of all available endpoints can be found in the Nordnet API documentation. This guide outlines the first steps needed to start using the Nordnet API in an application.

Getting Access to the Nordnet API

Using the API requires you to apply for access. For more information please visit the Nordnet API product page. When your application has been processed and you have been given access, you will receive the information necessary to start using the API.

Preparing to Use the Nordnet API

The API access is tied to one of your accounts which you specify when you apply for access. This needs to be set up as the default (also called preselected) account in your profile.

Nordnet API URL

The Nordnet API is only accessible using the https scheme. The Nordnet API host depends on your country and will be either public.nordnet.dk, public.nordnet.fi, public.nordnet.no or public.nordnet.se. All Nordnet API URIs are prefixed with /api/2. So for example, a user with a Swedish account must start logging in to the Nordnet API by sending a request to https://public.nordnet.se/api/2/login/start. In the following paragraphs the host part of URLs will be omitted. See Logging in to the API for further information about how to log in.

General Headers

The Nordnet API uses the Authorization header with the Basic authorization scheme for all requests except the initial login procedure. The username and password in this scheme are not a real username and password; both should be the session key returned from the /api/2/login/verify request (see Logging in to the API). In other words, the authentication token is created by joining the session key to itself with a colon (:) in between and then base64-encoding the resulting string. For instance, if the session key were f9458a35, you would first create the string f9458a35:f9458a35. Base64-encoding this yields Zjk0NThhMzU6Zjk0NThhMzU=, so the header value to send would be Authorization: Basic Zjk0NThhMzU6Zjk0NThhMzU=. (Note that the actual session keys used are longer than the one in this example.)

The standard header Accept-Language can be used to set a language for the text in the response. This will override the session wide language setting for a particular request. Valid languages are da, en, fi, nb, nn, no and sv. Note that nb and nn are equivalent to no.

All responses will be in JSON format, so you should supply an Accept header that allows for JSON. For instance, Accept: application/json or Accept: */*.

Logging in to the API

The API uses public key authentication based on the Ed25519 digital signature scheme. A prerequisite for this is that you need to generate a key pair and upload the public key on the Nordnet Web. This needs to be done once. An uploaded key may be revoked at any time if you want to replace it or prevent login altogether. You may only have one active key at a time. Follow these steps to generate a key pair and upload the public key:

  1. Open a terminal and run the following command to generate an SSH key pair using the ed25519 algorithm:

    ssh-keygen -t ed25519 -a 150

    This will generate a public key and a private key in your specified directory (default is a directory named .ssh in your home directory).

  2. Log in to Nordnet web, go to your profile page My pages -> Settings -> My profile, and find the API key setting under the Security section.

  3. Click the "Edit" button.

    The first time you do this, you will see the message "You don’t have any API keys yet. API keys are used to authenticate your requests to the API."

  4. Click "Add a new API key".

  5. Copy the contents of your public key file (e.g., id_ed25519.pub) and paste into the window where it says "Paste your public key here". Then click "Create".

    An API key (a UUID) is shown along with the date of uploading the public key.

  6. Copy the API key and store it alongside your application code - it will be used as an identifier on every login.

Now you are ready to log in and establish a session with the API. Follow the steps below to complete the login process. Note that the Authorization header should not be provided with these requests. Also note that you must use the domain of your country. A Swedish user can only log in via public.nordnet.se, a Danish user only via public.nordnet.dk etc.

  1. Send an HTTP POST request to the /api/2/login/start endpoint with the body:

    {"api_key":"<API key goes here>"}

    where the API key is obtained in the setup described above.

    This request returns a response whose body contains a challenge string. For example:

    {"challenge":"<challenge string>"}

  2. Sign the challenge string using your private key, and base64 encode the result. Note that you must use RAW signing with no namespace. See code examples for more details.

  3. Send an HTTP POST request to the /api/2/login/verify endpoint with the body:

    {
     "service":"NEXTAPI",
     "api_key":"<API key goes here>",
     "signature":"<signed and base64 encoded challenge goes here>"
    }

    This request returns a response with a body similar to:

    {
     "expires_in": 1800,
     "private_feed": {
         "encrypted": true,
         "hostname": "priv.next.nordnet.se",
         "port": 443
     },
     "public_feed": {
         "encrypted": true,
         "hostname": "pub.next.nordnet.se",
         "port": 443
     },
     "session_key": "f9458a35aa"
    }
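The signing step and the Authorization header from General Headers, as an added Go sketch (not Nordnet's own example code). It assumes the challenge is signed as the bytes of the string exactly as received; the key pair, challenge and API key below are constructed in-process, whereas a real client loads the private key generated with ssh-keygen.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// VerifyRequest mirrors the /api/2/login/verify body shown above.
type VerifyRequest struct {
	Service   string `json:"service"`
	APIKey    string `json:"api_key"`
	Signature string `json:"signature"`
}

// SignChallenge signs the challenge with plain Ed25519 (no SSHSIG wrapper,
// no namespace) and base64-encodes the 64-byte signature.
// Assumption: the challenge is signed as the bytes of the string as received.
func SignChallenge(priv ed25519.PrivateKey, challenge string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(challenge)))
}

// BuildVerifyBody serialises the login/verify request body.
func BuildVerifyBody(apiKey, sigB64 string) ([]byte, error) {
	return json.Marshal(VerifyRequest{Service: "NEXTAPI", APIKey: apiKey, Signature: sigB64})
}

// BasicAuthHeader returns the Authorization value for post-login requests:
// "Basic " + base64(session_key + ":" + session_key).
func BasicAuthHeader(sessionKey string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(sessionKey+":"+sessionKey))
}

func main() {
	// Constructed key pair; a real client loads the key made by ssh-keygen.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	challenge := "constructed-challenge" // stands in for the login/start response
	sig := SignChallenge(priv, challenge)
	body, _ := BuildVerifyBody("00000000-0000-0000-0000-000000000000", sig) // constructed API key
	fmt.Println(string(body))

	// Local sanity check: the signature verifies against the matching public key.
	raw, _ := base64.StdEncoding.DecodeString(sig)
	fmt.Println("signature verifies:", ed25519.Verify(pub, []byte(challenge), raw))
	fmt.Println("Authorization:", BasicAuthHeader("f9458a35"))
}
```

The session key acts as a bearer credential for the whole session, so keep the header value out of logs and error reports.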

Keeping a Session Alive

A session that is not used in any requests for too long will expire and become invalid. The expiry time is indicated in the response to the login request. If an application needs to keep the session alive even though no requests are made for longer than the expiry time, it can send an HTTP PUT request to the /api/2/login URI. This request should include the normal Authorization header as described previously. The effect of this is that the session expiry timer is reset. Note that all other API requests made by the application have this effect as well, so the operation is only required when the application does not issue any other requests.

A Note on Account Identifiers and Account Numbers

When you need to specify an account in a call to the API there are two types that are applicable. For most endpoints either type can be used. The two types are account identifier (accid) and account number (accno). An accid is basically an index into the list of accounts available in a session while the accno is the unique identifier of a specific account. Thus, an accno will always refer to the same account while an accid can refer to different accounts in different sessions. However, the accid is guaranteed to always refer to the same account for the duration of a session.

Feeds

In addition to the session expiry time and the session key the response to the login request will include two fields named private_feed and public_feed. These contain the information needed to get notifications from Nordnet. The Private Feed provides information about trades and changes to orders related to the account used. The Public Feed provides information to which the application subscribes explicitly.

The application connects to a feed by opening an SSL connection to the host and port indicated in the login response. Before the feeds can start delivering information the application needs to perform a separate login procedure for each feed. This is achieved by sending a JSON structure over the SSL connection providing the session key and service (NEXTAPI). For Public Feed the application will also need to send subscription commands over the connection.

Detailed information about the feeds is available in the feed documentation.

Example Code

Code examples written in Python and Java which log in, connect to the Public Feed and set up a Public Feed subscription are available in the GitHub Nordnet API Examples repo.

Frequently Asked Questions

We have collected some frequently asked questions in the Nordnet API FAQ.

Disclaimer

There can be changes made to the structure and naming in the data provided, and this can happen at any time without any prior notice. For more information visit the product page.