Brokers
↳ Pro Setup (OAuth)

Pro Setup — OAuth 1.0a

This method uses IBKR's OAuth 1.0a Self-Service integration. You register as your own OAuth consumer in the IBKR Self-Service Portal, generate an RSA key pair, and store the credentials in Ordertune. All order execution happens server-to-server between Ordertune and IBKR — no software runs on your machine, no browser sessions to maintain.

What this means in practice:

  • No software to install locally
  • No daily re-authentication
  • Orders execute whether your computer is on or off
  • Works from a VPS, cloud server, or any environment without local IBKR software

OAuth 1.0a Self-Service is available for all IBKR Pro individual accounts — no institutional account required. You register your own consumer key directly through the IBKR Self-Service Portal.

How it works

Ordertune uses the IBKR OAuth 1.0a Extended protocol:

  1. Ordertune signs a request with your RSA private key → IBKR returns a Live Session Token (LST)
  2. The LST is valid for ~24 hours and is refreshed automatically
  3. All subsequent API calls (account queries, order placement) are signed with an HMAC key derived from the LST

Your private key never leaves Ordertune's servers. IBKR only ever sees the RSA-signed handshake and the resulting HMAC-signed requests.

Prerequisites

  • An IBKR Pro individual account (Lite accounts do not have API access)
  • Access to the IBKR Self-Service Portal (opens in a new tab)
  • A way to generate an RSA-2048 key pair (OpenSSL, shown below)
  • An active Ordertune subscription with 2FA enabled

Step 1 — Generate an RSA-2048 key pair

You need a 2048-bit RSA key pair. Generate it with OpenSSL:

# Generate private key
openssl genrsa -out ordertune_private.pem 2048
 
# Extract public key
openssl rsa -in ordertune_private.pem -pubout -out ordertune_public.pem

Keep ordertune_private.pem secure — you will paste it into Ordertune. You will upload ordertune_public.pem to IBKR.

⚠️

Never share your private key. Ordertune encrypts it with AES-256 before storage. Do not commit it to version control or send it over unencrypted channels.

Step 2 — Register as an OAuth consumer in IBKR

Log in to the Self-Service Portal

Go to selfservice.interactivebrokers.com (opens in a new tab) and log in with your IBKR credentials.

Navigate to API Access

Find the section for API Access or OAuth Consumer Registration (the exact path depends on IBKR's current portal version — look under Account Settings or API Management).

Create a new consumer

Click Create Consumer or Register New Application. You will be prompted for:

  • Consumer Name — enter anything (e.g., Ordertune)
  • Redirect URI — not required for self-service OAuth; enter https://platform.ordertune.com as a placeholder if required

Upload your public key

Upload the ordertune_public.pem file you generated in Step 1.

Note your Consumer Key

After registration, IBKR will display a Consumer Key — a 9-character alphanumeric string (e.g., TESTCONS0). Copy this — you will need it in Ordertune.

The Consumer Key is not a secret. It identifies your OAuth consumer registration but does not grant access on its own. Access requires the corresponding RSA private key.

Step 3 — Find your Account ID

Your IBKR Account ID looks like U1234567 (a capital U followed by 7 digits). You can find it:

  • In the IBKR Account Management portal (top-right corner of most pages)
  • In TWS or IB Gateway under Account Information
  • On your IBKR statements

For paper trading, use your paper account ID. IBKR paper accounts have a separate account ID from your live account (check under Account Management → Paper Trading Account).

Step 4 — Connect in Ordertune Settings

Open Settings

In Ordertune, go to Settings → Broker.

Select Interactive Brokers — Pro Setup

In the broker selector, choose Interactive Brokers and then select the Pro Setup (OAuth) option.

Enter your credentials

Fill in the three fields:

  • Consumer Key — the 9-character key from IBKR (e.g., TESTCONS0)

  • RSA Private Key — paste the full contents of ordertune_private.pem, including the header and footer lines:

    -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----

  • Account ID — your IBKR account ID (e.g., U1234567)

Toggle Paper Trading (optional)

Enable the Paper Trading toggle to use your IBKR paper account. Use your paper account ID and paper trading consumer key (if you registered a separate consumer for paper — otherwise the same consumer key works for both).

Test and save

Click Test Connection. Ordertune will perform the OAuth handshake, obtain a Live Session Token, and verify API access to your account. If successful, click Connect Broker.

Paper trading

IBKR's OAuth API supports paper trading accounts. To use paper trading:

  1. Use your paper account ID (not your live account ID) in the Account ID field
  2. Enable the Paper Trading toggle in Ordertune Settings

Note: IBKR may require you to register separate OAuth consumers for live and paper accounts in the Self-Service Portal. Check your portal to confirm whether your consumer key is valid for both, or register a second consumer for paper.

How order execution works

When you click Confirm Buy or Confirm Sell:

  1. Ordertune's server checks if a valid Live Session Token (LST) is cached
  2. If not (or if expired), it performs the RSA-signed OAuth handshake to get a new LST from IBKR
  3. Ordertune resolves the IBKR contract ID for the ticker
  4. Ordertune places the order directly via POST https://api.ibkr.com/v1/api/iserver/account/.../orders
  5. The order ID and status are written to your signal confirmation log

All calls are signed with HMAC-SHA256 using a key derived from your consumer key and the LST. The LST is cached in memory and reused for subsequent requests within its validity window (~24 hours).

Security model

ItemHow it's protected
RSA private keyEncrypted with AES-256-GCM before storage. Decrypted in memory only during signing.
Consumer keyNot a secret; identifies your registration but does not grant access alone.
Live Session TokenHeld in server memory only. Never written to the database. Expires every ~24 hours.
Account IDStored encrypted. Used only for API routing to your account.

Troubleshooting

"OAuth handshake failed — invalid signature" → The consumer key or private key is incorrect. Re-check that the consumer key matches what IBKR assigned in the Self-Service Portal, and that the private key is complete (including -----BEGIN RSA PRIVATE KEY----- lines).

"Live session token expired" → Ordertune automatically refreshes the LST. If this error persists, your IBKR session may have been invalidated (e.g., IBKR maintenance). Wait a few minutes and retry.

"Account not found" or "No permission" → Confirm your account ID is correct and that your IBKR account has permissions to trade the relevant security type (US Stocks for NASDAQ-100 signals).

Test connection succeeds but orders fail with "Order rejected" → This is an IBKR-side rejection, not an authentication issue. Check the order parameters: your account may have restrictions on order size, pattern day trader limits, or missing market data subscriptions.

"Consumer key not recognized" → The consumer registration may not have completed in the IBKR portal. Verify it is shown as active in Self-Service Portal → API Management. New registrations can take up to a few hours to become active.

↳ Recommended (Local Agent)Tradier