MetaAPI Docs
Auth Token
The auth token is the user-facing credential for one terminal. Put the same token into the EA and the external client so they both point to the same local API.
Recommended Model
- Create one auth_token for one MT4 or MT5 terminal instance.
- Set an expiry when you want the token to stop working automatically.
- Do not use email and password inside the EA or the external client.
- Use the same token in both places: the EA configuration and the app calling local /rpc or /ws.
Why The Same Token Must Be Used
The goal is not just convenience. The goal is to make the local gateway answer only the requests that belong to the terminal the user intentionally exposed.
If the DLL accepted every local request on the machine, any process that can reach the port could try to read account data or send orders. Requiring the same auth_token on both the terminal side and the external client side narrows that access.
In practical terms: the EA proves which terminal is online, and the external client proves it is talking to that exact terminal by presenting the matching token.
How It Works
The auth_token is the stable credential you create in the web console for one terminal. The terminal keeps local API access active while it remains online and authorized.
- Put the token into the EA settings for that terminal.
- Use the same token in your external client when calling local /rpc or /ws.
- Keep the terminal online so the local API remains available.
When Access Stops Working
Local API access can stop if the token is no longer valid or if the terminal is no longer allowed to stay connected.
- Revoking a device stops that machine from using the local API.
- Deleting or replacing a token stops the old token from working.
- If the account is expired or disabled, local API access stops.
- After that, reconnect with a valid token and an approved device.
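The token checks described in the sections above (a matching token, an optional expiry, and a replaced token no longer working), sketched as an added example. It is a model of the decision a local gateway has to make, not MetaAPI's own code; TokenRecord, authorize, the reason strings and the sample tokens are assumptions made for illustration.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TokenRecord:
    """What the EA side was configured with (hypothetical structure)."""
    token: str                          # auth_token pasted into the EA inputs
    expires_at: Optional[float] = None  # Unix time; None means no expiry set


def extract_bearer(header: Optional[str]) -> Optional[str]:
    """Return the credential from 'Bearer <auth_token>', else None."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if scheme.lower() != "bearer" or not value:
        return None
    return value


def authorize(header: Optional[str], record: TokenRecord,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether one local /rpc or /ws request may proceed."""
    presented = extract_bearer(header)
    if presented is None:
        return False, "missing_or_malformed_authorization"
    # Constant-time comparison so response timing does not reveal how much
    # of a guessed token matched.
    if not hmac.compare_digest(presented.encode(), record.token.encode()):
        return False, "token_mismatch"
    now = time.time() if now is None else now
    if record.expires_at is not None and now >= record.expires_at:
        return False, "token_expired"
    return True, "ok"


# Constructed sample values, not real credentials.
EA_TOKEN = "tok_constructed_terminal_A"
RECORD = TokenRecord(token=EA_TOKEN, expires_at=1_700_000_000.0)
```

Every rejection path returns before any account data is touched, so a local process without the terminal's token gets nothing beyond a refusal.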
User Flow
- Open the web console and create a new auth_token.
- Name it for the terminal, for example MT5-Live-A or MT4-Demo-2.
- Optionally set an expiry time.
- Paste that token into the EA input fields.
- Use the same token in your Python, Node.js or other client when sending requests.
Example
POST /rpc HTTP/1.1
Host: 127.0.0.1:6000
Authorization: Bearer <auth_token>
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": "account-1",
  "method": "get_account_info",
  "params": {}
}
What Not To Use
- Do not put the dashboard login password into the EA.
- Do not make third-party clients log in with the user email and password.
- Do not share one token across many unrelated terminals if you want clean isolation and easy revocation.