top | item 30363118

timothygoltser | 4 years ago

We do sanctioned integrations with brokerages wherever OAuth integrations are available such that we don't have to collect credentials, but for the ones without public APIs we do need to collect credentials (though we never store them). Unfortunately, the industry is in a mode where brokerages will develop anti-screen-scraping technology and data aggregators will develop new and creative solutions to evade detection - the demand for access to retail accounts is too great for screen scrapers to stop what they're doing, and the regulatory and technical risks are too great for brokerages to lean back and allow screen scrapers to do what they do.

Many of the major brokerages are realizing that this isn't ideal and are starting to build out public APIs. We're working to develop relationships with the holdouts and convince them that exposing a public API is the only sustainable long-term solution to their screen scraping problem.

tehwebguy | 4 years ago

Can you explain how you collect credentials but don’t store them?

timothygoltser | 4 years ago

We collect a user's credentials (usernames + passwords) and exchange them immediately for access and refresh tokens. We use the term "credentials" as we've seen it used colloquially - access and refresh tokens certainly fall under the formal definition of credentials, but we usually call them "sensitive tokens" or something similar.

Additionally, in the case of an API like Webull's which accepts a salted MD5 hash of the user's password, the user's plaintext password will never touch our servers.
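The exchange described in the reply above, as an added example that is not code from the thread, from any aggregator, or from Webull: a client-side hash of the password is sent instead of the plaintext, traded immediately for access and refresh tokens, and only the tokens are persisted. The broker class, its fixed salt value, the token lifetime and the sample holdings are constructed for the example; the real API's salt, endpoints and token format are not on the page. The code also makes the practitioner's caveat visible: the salted hash is itself enough to log in, so it is a password-equivalent and deserves the same handling as the plaintext it replaces.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption: the broker publishes a fixed salt that the client prepends before MD5.
# This value is made up for the example; it is not Webull's.
BROKER_SALT = "example-salt"


def hash_password(password: str) -> str:
    """Runs on the user's device: only md5(salt + password) is sent onward."""
    return hashlib.md5((BROKER_SALT + password).encode("utf-8")).hexdigest()


class FakeBrokerAPI:
    """Constructed stand-in for a brokerage that accepts the salted hash and returns tokens."""

    ACCESS_TTL = 900  # seconds; an assumed lifetime

    def __init__(self, accounts: dict, clock=time.time):
        # Plaintext passwords exist only here, inside the broker, and only to build the table.
        self._hashes = {user: hash_password(pw) for user, pw in accounts.items()}
        self._access = {}   # access_token -> (username, expires_at)
        self._refresh = {}  # refresh_token -> username
        self._clock = clock

    def login(self, username: str, password_hash: str) -> dict:
        # Whoever holds the hash gets in: it is a password-equivalent, not a one-way proof.
        expected = self._hashes.get(username)
        if expected is None or not hmac.compare_digest(expected, password_hash):
            raise PermissionError("invalid username or password hash")
        return self._issue(username)

    def refresh(self, refresh_token: str) -> dict:
        username = self._refresh.pop(refresh_token, None)  # single-use refresh token
        if username is None:
            raise PermissionError("invalid refresh token")
        return self._issue(username)

    def positions(self, access_token: str) -> list:
        entry = self._access.get(access_token)
        if entry is None or entry[1] <= self._clock():
            raise PermissionError("access token missing or expired")
        return [{"symbol": "XYZ", "qty": 10}]  # constructed sample holdings

    def _issue(self, username: str) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (username, self._clock() + self.ACCESS_TTL)
        self._refresh[refresh] = username
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.ACCESS_TTL}


@dataclass
class LinkedAccount:
    """What the aggregator persists: tokens only, no password and no password hash."""
    username: str
    access_token: str
    refresh_token: str
    expires_at: float


class Aggregator:
    def __init__(self, broker: FakeBrokerAPI, clock=time.time):
        self._broker = broker
        self._clock = clock
        self.accounts = {}

    def link(self, username: str, password_hash: str) -> LinkedAccount:
        """Exchange the hash for tokens immediately; the hash is not kept anywhere."""
        tokens = self._broker.login(username, password_hash)
        self.accounts[username] = self._store(username, tokens)
        return self.accounts[username]

    def positions(self, username: str) -> list:
        acct = self.accounts[username]
        if acct.expires_at <= self._clock():
            # Rotate with the refresh token instead of asking the user for credentials again.
            acct = self._store(username, self._broker.refresh(acct.refresh_token))
            self.accounts[username] = acct
        return self._broker.positions(acct.access_token)

    def _store(self, username: str, tokens: dict) -> LinkedAccount:
        return LinkedAccount(username, tokens["access_token"], tokens["refresh_token"],
                             self._clock() + tokens["expires_in"])


if __name__ == "__main__":
    broker = FakeBrokerAPI({"alice": "correct horse battery staple"})
    agg = Aggregator(broker)
    # The plaintext is hashed on the "client" and never passed to the aggregator.
    agg.link("alice", hash_password("correct horse battery staple"))
    print(agg.positions("alice"))
```

The clock is injected so token expiry and refresh rotation can be exercised without waiting; in a real integration the same structure holds, with the stored record containing nothing that can be replayed as a password except the tokens themselves, which should be encrypted at rest and revocable.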