Clarification on Multi-User Access, API Usage, and Algo Vendor Registration Requirements

Developer API
1

Hi Upstox Developer Team,

I need clarification on the following points regarding using the Upstox API with multiple end-users in a single application:

  1. Can a single application (with one redirect/callback domain) onboard and manage multiple Upstox user accounts via OAuth?

  2. Does each authorized user receive a unique access token, and can our backend store and use multiple user-specific tokens for order execution?

  3. Is placing orders for multiple users from a single backend server allowed, as long as the correct user-specific access token is used in each request?

  4. Are there any API rate limits or execution restrictions when placing programmatic orders for multiple users?

  5. Do we need Algo Vendor Registration to enable automated execution for multiple clients, and if so, what is the documentation and approval process?

We want to ensure full compliance with Upstox policies and SEBI guidelines before integrating this functionality.

Thanks.

2

Hi @RAJA_NAGA_5275531,

Excellent questions - these are fundamental architectural decisions. I’ll address each based on Upstox API design and SEBI compliance requirements.

QUESTION 1: Multi-User OAuth Onboarding

:white_check_mark: YES - Single app CAN manage multiple Upstox accounts

Upstox OAuth2.0 supports this model:

Architecture:

  • One app = One client_id + client_secret + One redirect URI
  • Multiple users = Multiple OAuth flows through the same redirect URI
  • Each user gets their own auth_code after consent
  • Each auth_code exchanges for that user’s unique access_token

Implementation Pattern:

User A → Redirect to Upstox OAuth → User A grants permission → auth_code_A → access_token_A
User B → Redirect to Upstox OAuth → User B grants permission → auth_code_B → access_token_B
User C → Redirect to Upstox OAuth → User C grants permission → auth_code_C → access_token_C

Your Redirect URI handles all three flows - Upstox passes state parameter to identify which user is completing OAuth.

Best Practice:

# Store state mapping
state_to_user_mapping = {
    "unique_state_123": "user_a_id",
    "unique_state_456": "user_b_id",
}

# In OAuth callback
user_id = state_to_user_mapping.get(request.args.get('state'))
auth_code = request.args.get('code')
access_token = upstox_client.exchange_code_for_token(auth_code)  # User-specific
save_user_token(user_id, access_token)  # Database

QUESTION 2: Unique Access Tokens Per User

:white_check_mark: YES - Each user gets unique token; backend can store multiple tokens

Token Architecture:

  • Each access_token is user-specific - bound to that Upstox account
  • Tokens are short-lived (typically 24 hours at Upstox)
  • Refresh tokens are long-lived (multiple months) - enable silent re-authentication

Storage Pattern (SECURE):

# Database schema
class UserTokens(db.Model):
    user_id = db.Column(db.String, primary_key=True)
    access_token = db.Column(db.String)  # Encrypted
    refresh_token = db.Column(db.String)  # Encrypted (AES-256)
    token_expiry = db.Column(db.DateTime)
    encrypted_at = db.Column(db.DateTime)
    
# Encryption in production
from cryptography.fernet import Fernet
cipher = Fernet(encryption_key)
encrypted_token = cipher.encrypt(access_token.encode())

# Store encrypted
user_token = UserTokens(
    user_id="user_123",
    access_token=encrypted_token,
    refresh_token=cipher.encrypt(refresh_token.encode()),
    token_expiry=datetime.utcnow() + timedelta(hours=24)
)
db.session.add(user_token)
db.session.commit()

Token Refresh Logic:

def get_valid_token(user_id):
    token_record = UserTokens.query.filter_by(user_id=user_id).first()
    
    # Check if expired
    if datetime.utcnow() > token_record.token_expiry:
        # Refresh using refresh_token
        new_token = upstox_client.refresh_access_token(
            refresh_token=cipher.decrypt(token_record.refresh_token.encode())
        )
        token_record.access_token = cipher.encrypt(new_token['access_token'].encode())
        token_record.token_expiry = datetime.utcnow() + timedelta(hours=24)
        db.session.commit()
    
    return cipher.decrypt(token_record.access_token.encode()).decode()

QUESTION 3: Multi-User Order Placement from Single Backend

:white_check_mark: YES - Allowed IF correct user’s token is used per request

How It Works:

  • Each order request requires: Authorization: Bearer <user_specific_token>
  • Upstox API validates token matches the order context
  • Order is placed in that user’s account only
  • Cannot place orders “for” another user (cross-trading prohibited)

Compliant Order Execution Pattern:

def place_order_for_user(user_id, order_params):
    # Get user's token
    access_token = get_valid_token(user_id)
    
    # Set correct authorization
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json"
    }
    
    # Place order - ONLY in user_id's account
    response = requests.post(
        "https://api.upstox.com/v2/order/place",
        headers=headers,
        json={
            "quantity": order_params['qty'],
            "price": order_params['price'],
            "instrument_token": order_params['token'],
            "order_type": order_params['type'],
            "validity": "DAY",
        }
    )
    
    if response.status_code == 200:
        order_id = response.json()['data']['order_id']
        log_order(user_id, order_id)  # Audit trail
        return order_id
    else:
        raise Exception(f"Order failed for {user_id}: {response.text}")

# Batch placement for multiple users
users_to_trade = ['user_1', 'user_2', 'user_3']
for user_id in users_to_trade:
    try:
        order_id = place_order_for_user(user_id, order_params)
        print(f"✓ Order {order_id} placed for {user_id}")
    except Exception as e:
        print(f"✗ Failed for {user_id}: {e}")
        # CRITICAL: Log failure for compliance audit

Critical Compliance Point:

  • Each order must have audit trail: who placed it, when, token used, outcome
  • SEBI requires this for algo trading platforms

QUESTION 4: API Rate Limits for Multi-User Orders

:warning: NEEDS OFFICIAL CONFIRMATION - This is critical

Likely Rate Limits (based on broker patterns):

  • Per-user: ~10 orders/second
  • Per-app: ~100 orders/second (aggregate)
  • Daily order volume limits: May apply

What You MUST Verify with Upstox:

  1. Are rate limits enforced per user-token or per app?
  2. What happens when rate limit exceeded? (Response code)
  3. Is there a burst allowance or strict enforcement?
  4. Any throttling for multi-user scenarios?

Recommended Rate Limiting Implementation:

from redis import Redis
from time import time

redis_client = Redis()

def check_rate_limit(user_id, max_orders_per_second=10):
    key = f"rate_limit:{user_id}"
    current_count = redis_client.incr(key)
    
    if current_count == 1:
        redis_client.expire(key, 1)  # Reset every second
    
    if current_count > max_orders_per_second:
        raise RateLimitError(f"User {user_id} exceeded {max_orders_per_second} orders/sec")
    
    return True

def place_order_rate_limited(user_id, order_params):
    check_rate_limit(user_id)
    return place_order_for_user(user_id, order_params)

ACTION REQUIRED: Contact Upstox support with your use case to get specific rate limits.

QUESTION 5: Algo Vendor Registration Requirement

:white_check_mark: LIKELY YES - Required for multi-client automated trading

When Algo Vendor Registration IS Required:

  • :white_check_mark: You’re building a platform for multiple external clients
  • :white_check_mark: Clients pay you for algorithmic trading services
  • :white_check_mark: You place orders programmatically for non-proprietary trading
  • :white_check_mark: You provide trading automation as a service

When Algo Vendor Registration IS NOT Required:

  • :cross_mark: Single individual managing own multiple accounts
  • :cross_mark: Proprietary trading (trading with your own capital only)
  • :cross_mark: Internal company algo (employees only, not external clients)

Your Use Case Analysis:
Based on “multiple clients” + “automated execution,” you likely need Algo Vendor Registration.

SEBI Compliance Framework for Algo Vendors:

  1. Entity Requirements:

    • Must be a registered entity (individual with DP code, or company)
    • Must have SEBI Algo Trader Registration (if applicable tier)
    • PAN + KYC verification required
    • Audited financials (for companies)

  2. Technical Controls Required:

    • Order execution audit trails (timestamp, price, qty, user)
    • Real-time risk monitoring
    • Kill switches for each client
    • Order rejection system for safety limits
    • Network security (SSL/TLS, IP whitelisting)

  3. Operational Controls:

    • Client segregation (no cross-trading)
    • Margin availability checks before order
    • Daily settlement reconciliation
    • Monthly compliance reports

Upstox Algo Vendor Registration Process (Typical - VERIFY):

Step 1: Entity Setup

- Register as Algo Trader with SEBI (if required tier)
- Open individual DP account or company trading account at Upstox
- Ensure PAN + KYC complete

Step 2: Application to Upstox

- Email: developer@upstox.com (or use developer portal)
- Subject: "Algo Vendor Registration Request"
- Include:
  * Business description
  * Number of clients you'll serve
  * Trading strategies (brief)
  * Technical architecture doc
  * SEBI registration documents (if applicable)
  * Risk management policies
  * Compliance officer contact

Step 3: Review & Approval

- Upstox reviews compliance requirements
- May request technical documentation
- May request live trading demo
- Approval or rejection within 15-30 days

Step 4: Activated Access

- Higher API rate limits
- Multi-user token support
- Batch order endpoints (if available)
- Direct support contact

Critical Actions BEFORE Integration:

  1. Contact Upstox Support:

    Subject: "Multi-client Algo Execution - Compliance Check"
Questions:
- Do we need Algo Vendor registration for multi-user automated trading?
- What are the current rate limits for multi-user scenarios?
- What documentation is required?
- What is the approval timeline?

  2. Consult SEBI Guidelines:

    • Reference: “SEBI Algo Trading Regulations”
    • Key: Client segregation + Audit trails
    • Review: Risk management framework requirements

  3. Legal Review:

    • Ensure TOS with your clients mention algo trading
    • Include disclaimers about execution risks
    • Document consent from clients for API integration

SUMMARY TABLE

Question Answer Action Required
Q1: Multi-user OAuth :white_check_mark: YES Implement state management
Q2: Unique tokens :white_check_mark: YES Secure encryption for storage
Q3: Multi-user orders :white_check_mark: YES* Contact Upstox for compliance
Q4: Rate limits :warning: UNKNOWN CRITICAL: Get official limits
Q5: Algo Vendor Reg :white_check_mark: LIKELY YES CRITICAL: Verify with Upstox

IMMEDIATE NEXT STEPS

  1. Email Upstox Support with:

    • Clarification on Q4 rate limits
    • Confirmation on Q5 Algo Vendor requirement
    • Your specific client count + order volume estimates

  2. Implement Secure Token Storage (don’t wait for approval)

    • AES-256 encryption for tokens
    • Separate key management (HSM if possible)
    • Access logs for all token usage

  3. Build Audit Trail System:

    • Log every order: timestamp, user_id, token_hash, order_params, result
    • Store in tamper-proof database
    • Monthly compliance reports

  4. Get Legal Clearance:

    • Review client agreements
    • Ensure compliance documentation
    • SEBI algo trading rules

Key Takeaway: Your architecture is fundamentally sound and OAuth + multi-token approach is the right pattern. The blockers are regulatory (Algo Vendor status + rate limits), not technical. Get official clarification on those two items before going live.

Happy to discuss implementation details for any of these questions.

-VENKATA

3

Hi @VENKATA_RA_1347175 / @RAJA_NAGA_5275531,

Thanks to @VENKATA_RA_1347175 for helping the community with the initial response.

I would like to provide some critical clarifications and corrections to the points raised, as there are specific compliance and technical nuances that need to be addressed:

QUESTION 1: Multi-User OAuth Onboarding

Clarification: While you mentioned an architecture where “One App” manages multiple users, I would clarify the distinction as follows:

1. Individual User (Coding their own Algo):

  • The Requirement: Every App must be unique for each client. That means One App = One Client ID + Client Secret + One Redirect URI per user.
  • Redirect URI: However, as you rightly mentioned, multiple apps across different users can share the same Redirect URL.

2. Algo Vendor Platform:

  • The Requirement: In this case, the Algo Vendor will have its own unique API Key linked to a specific redirect URL.
  • Usage: However, every user needs to log in individually (via OAuth) and place orders on their own (authorize the execution via their unique session).

QUESTION 2: Unique Access Tokens Per User

Clarification:

  • Access Token: Yes, each user gets a unique access_token bound to their Upstox account. This is correct.
  • Refresh Token: There is a correction needed here. The Refresh Token is NOT used for the Place Order API.
    • Refresh tokens are typically provided only to select fintech partners based on specific use cases.
    • For standard retail algo users, the refresh token flow is generally not applicable or used for maintaining order execution sessions.

QUESTION 3: Multi-User Order Placement from Single Backend

Clarification: YES, but ONLY if you are registered as an Empanelled Algo Vendor and the solution is hosted on the Broker’s premise.

  • Restriction: Subject to regulations, individual users must place orders from their own end.
  • Illegal Use Case: A use case where a vendor or third-party places orders on a user’s behalf (without being an empanelled vendor hosted at the broker) is not legal and is not supported by brokers or exchanges.

QUESTION 4: API Rate Limits for Multi-User Orders

Clarification: Here are the official details regarding rate limits:

  • Enforcement: The rate limit is enforced per API type on a per-user basis.
  • Error Code: If the rate limit is exceeded, you will receive the error code: UDAPI10005.
  • Note: Rate limits are strict, and handling this error gracefully in your code is essential.

QUESTION 5: Algo Vendor Registration Requirement

Clarification: You mentioned that an algo vendor can place orders programmatically for non-proprietary trading (i.e., on a user’s behalf). This is NOT allowed in the manner described.

  • Empanelment Process: We call this process Algo Vendor Empanelment.
  • The Workflow:
    1. Exchange Registration: You must first register with each Exchange (NSE/MCX) directly with exchanges and apply with multiple sets of documents and complete mandatory system audits.
    2. Broker Hosting: Once vendor empanelment is complete, only then can you approach brokers to get your platform hosted on the broker’s premise.
    3. Broker Discretion: The decision to host a vendor is subject to evaluation by each broker; it is not automatic.

Hope this helps clarify the landscape!

2 Likes
4

Hi @VINIT,

Thank you for the critical clarifications and corrections. Your guidance is essential for developers building compliant solutions on the Upstox platform. I appreciate the detailed breakdown as it addresses key architectural misconceptions in my previous response.

CORRECTIONS ACKNOWLEDGED

QUESTION 1: Multi-User OAuth Architecture

Correction Accepted:

:white_check_mark: Individual User Scenario: Each user requires a UNIQUE app

  • One App = One Client ID + One Client Secret + One Redirect URI per user
  • NOT “one app manages multiple users”

:white_check_mark: Algo Vendor Platform Scenario: Vendor has ONE unique API key

  • Vendor’s app links to specific redirect URL
  • Each user logs in individually (OAuth)
  • Each user authorizes their own session

Why This Matters:
My initial response created confusion by suggesting a single app could manage multiple OAuth flows. The correct architecture is:

  • User A = User A’s app (ClientID_A + Redirect_A)
  • User B = User B’s app (ClientID_B + Redirect_B)
  • Shared redirect URL is possible, but NOT shared client credentials

Thank you for this critical clarification.

QUESTION 2: Refresh Tokens

Correction Accepted:

:cross_mark: REMOVED: Incorrect code showing refresh token usage for Place Order API

  • Refresh tokens NOT used for order execution
  • Only provided to select fintech partners (specific use cases)
  • Retail algo users don’t have refresh token flow

:white_check_mark: Corrected Pattern:
Developers should NOT implement token refresh logic for order placement. Access tokens are sufficient for order execution. If developers need refresh token support, they should consult Upstox directly for their specific partnership tier.

Implementation Update:

# CORRECT - Access token only for Place Order
def place_order_for_user(user_id, order_params):
    access_token = get_current_access_token(user_id)  # Get valid token
    # Note: Do NOT attempt refresh token logic
    # If token expired, user must re-authenticate via OAuth
    
    headers = {"Authorization": f"Bearer {access_token}"}
    response = requests.post("https://api.upstox.com/v2/order/place", ...)

QUESTION 3: Multi-User Order Placement

Correction Accepted:

:warning: MAJOR CLARIFICATION:

:cross_mark: NOT ALLOWED (without empanelment): Vendor/third-party placing orders on user’s behalf

  • This is ILLEGAL and not supported by brokers/exchanges
  • My previous response suggested this was viable, which is incorrect

:white_check_mark: ONLY ALLOWED IF:

  1. Empanelled Algo Vendor Status - Officially registered with exchanges
  2. Hosted on Broker’s Premise - Platform physically hosted at broker’s infrastructure
  3. Legal Framework - Full compliance with exchange regulations

Corrected Workflow:

User logs in → Authorizes their session → Vendor algo places orders IN THAT SESSION
(NOT: Vendor places orders remotely on user's behalf without session)

This is a critical distinction for compliance. Single-backend order placement for multiple users is ONLY legal if vendor is empanelled and hosted at broker.

QUESTION 4: API Rate Limits

Confirmation Received:

:white_check_mark: Official Rate Limit Details:

  • Enforcement: Per-user, per API type basis
  • Error Code: UDAPI10005 (when exceeded)
  • Strictness: Rate limits are strict; graceful error handling required

Recommended Code Update:

from requests.exceptions import HTTPError

UPSTOX_RATE_LIMIT_ERROR = "UDAPI10005"

while def place_order_with_retry(user_id, order_params, max_retries=3):
    try:
        headers = {"Authorization": f"Bearer {access_token}"}
        response = requests.post(..., headers=headers, json=order_params)
        response.raise_for_status()
        return response.json()
    
    except HTTPError as e:
        if UDAPI10005 in str(e):
            logger.error(f"Rate limit exceeded for {user_id}. Error: {e}")
            # Implement exponential backoff, NOT immediate retry
            time.sleep(2 ** retry_attempt)
            continue
        else:
            raise

QUESTION 5: Algo Vendor Registration

Correction Accepted - Critical Process Update:

My Previous Error: Suggested contacting Upstox first, then exchanges

:white_check_mark: Correct Process (Algo Vendor Empanelment):

Step 1: Exchange Registration (NSE/MCX) - FIRST

  • Register directly with each exchange
  • Submit multiple compliance documents
  • Complete mandatory system audits
  • Obtain exchange approval

Step 2: Broker Hosting - AFTER Exchange Approval

  • Approach brokers (Upstox, others)
  • Request platform hosting at broker’s premise
  • Subject to broker’s evaluation
  • NOT automatic - discretionary approval

Timeline: Exchange registration + system audits → 3-6 months
Then: Broker hosting negotiation → Variable timeline

Critical Insight: The workflow is NSE/MCX → Brokers, NOT Upstox → Exchanges

Developers attempting multi-user order placement without exchange empanelment are operating in an illegal zone.

CORRECTED GUIDANCE FOR DEVELOPERS

Legitimate Use Cases:

  1. Individual User (Non-Vendor):

    • Each user needs own app (own credentials)
    • Each user logs in with their OAuth
    • Orders placed in their own account
    • :white_check_mark: LEGAL

  2. Empanelled Algo Vendor (Exchange-Registered):

    • Vendor has exchange empanelment
    • Platform hosted on broker’s premise
    • Users authorize within vendor’s platform
    • Orders placed via vendor’s approved mechanism
    • :white_check_mark: LEGAL

Illegal Use Cases:

  1. :cross_mark: Third-party vendor remotely placing orders on user’s behalf (non-empanelled)
  2. :cross_mark: Single backend ordering for multiple users (without empanelment + hosting)
  3. :cross_mark: Sharing credentials across users (violates Upstox TOS)
  4. :cross_mark: Attempting to bypass exchange regulations (strictly enforced)

ACTION ITEMS FOR DEVELOPERS

If Building Individual Algo (Personal Use):

  1. Create separate app per user (unique client credentials)
  2. Each user logs in via their own OAuth
  3. Use access_token only for order placement
  4. Implement UDAPI10005 error handling
  5. No refresh token logic needed

If Building Multi-User Vendor Platform:

  1. FIRST: Register with NSE/MCX for algo vendor empanelment
  2. Complete system audit requirements
  3. Obtain exchange approval (expect 3-6 months)
  4. THEN: Approach Upstox for broker hosting
  5. Once hosted at Upstox: Can place orders in compliant manner

If Unsure About Your Use Case:

  • Clarify with Upstox whether your scenario requires algo vendor empanelment
  • Don’t assume single-backend multi-user is allowed without empanelment
  • Review NSE/MCX algo trading regulations (SEBI framework)

KEY TAKEAWAY

The critical lesson from your clarifications: Architecture is not just technical, it’s regulatory. What’s technically possible (backend placing orders via tokens) may be legally prohibited without proper empanelment and hosting arrangements.

Thank you for setting the record straight. This guidance should significantly improve compliance awareness among developers building on Upstox.

CC: @RAJA_NAGA_5275531 - Ensure your use case aligns with one of the legal scenarios above before implementation.

-VENKATA

5

@VENKATA_RA_1347175 - I need to further clarify on your reply in regards to QUESTION 3: Multi-User Order Placement from Single Backend

Clarification: Even with an empanelled Algo Vendor hosted on the broker’s premises, the Algo Vendor cannot autonomously place orders on behalf of a user.

  • User Action Required: Each user must individually log in and authorize the specific trading conditions or strategies for their own account.
  • No Centralized Discretion: The vendor provides the technology/strategy logic, but the user must be the one to activate it. The vendor cannot autonomously trigger trades for a user without that user’s specific authorization or condition setting.

Thanks,
Vinit

1 Like
6

Thank you so much for detailed information,i making same platform now it seems its easy to make but hard to maintain

7

Dear @VINIT

Thank you once again for your detailed and valuable clarifications, especially the critical corrections regarding multi-user architecture, token handling, and the regulatory boundaries around order placement. Your guidance has been extremely helpful in ensuring we align our platform with Upstox’s policies and SEBI/NSE requirements.

To provide the most complete context on our use case and seek precise confirmation:

We are a SEBI-registered Research Analyst (RA) and have already completed empanelment with BSE as an algo provider. Our platform is a subscription-based algorithmic trading service offering multiple proprietary black-box strategies (e.g., RSI-based, momentum, mean-reversion, etc.).

Detailed Automated Mode Flow:

  • Users browse and select one (or more) strategy they wish to subscribe to and automate.

  • Upon selection, the user provides initial configuration inputs specific to their account (e.g., position sizing, lot size, multiplier/risk factor, max exposure, etc.).

  • These inputs can be changed or updated anytime by the user via the platform dashboard.

  • The user then completes OAuth authorization (login flow) to grant our platform permission to execute on their Upstox account.

  • After this initial setup (strategy selection + inputs + OAuth), the platform automatically generates signals from the selected strategy and places corresponding orders programmatically in the client’s own account using their specific access token.

  • Orders are fully client-specific — scaled/adjusted based on the user’s current inputs, available margins, and positions (no cross-trading).

  • There is no per-signal manual confirmation required from the user after initial authorization — execution is automated based on the pre-approved strategy and parameters.

  • All risk, margin, funds, and final execution remain entirely within the client’s Upstox account.

Important Note on Black-Box Nature:
Our strategies are implemented as black-box systems (proprietary logic, parameters, and decision rules are not disclosed to clients, brokers, or exchanges). Only trade outputs (signals/orders) are exposed. This structure is purely for intellectual property protection and does not alter compliance, auditability, or visibility into order flow/logs. Due to this black-box nature, we cannot host the entire algo logic on the broker’s infrastructure — the core decision engine must remain on our secure servers.

Specific Clarifications Needed (Post Your Latest Input):

  1. Given that we are already BSE-empaneled as an algo provider, does Upstox support this model where the backend uses client-specific access tokens to place orders automatically on their behalf (after explicit strategy selection, parameter input, and OAuth authorization), without requiring additional per-signal user confirmation?

  2. In your final note, you mentioned that even for empaneled vendors hosted on broker premises, the vendor cannot autonomously place orders without user action/authorization. Could you please confirm whether our described flow (user pre-authorizes strategy + parameters via OAuth → backend executes on signals using stored token) is compliant and supported, or if it still requires ongoing per-trade user intervention?

  3. Considering the black-box nature of our strategies (which prevents full hosting on broker infrastructure), is there a supported architecture for BSE-empaneled vendors to run the proprietary logic on our servers while using client tokens for execution?

  4. If the above flow is supported, what are the current API rate limits in a multi-user scenario (per api_key vs per user-token), especially for 50–150 concurrent clients triggering orders simultaneously?

  5. Are there any specific onboarding steps, documentation, or partnership arrangements for BSE-empaneled RAs/vendors to enable this compliant multi-strategy, multi-client execution on Upstox (without broker-hosted algo logic)?

We are fully committed to building this in a 100% compliant manner. Your insights have already helped us avoid potential compliance pitfalls, and we truly appreciate your time and expertise.

Thank you once again,
Looking forward to your guidance.

Warm regards,
Aditya