Reminder - FINRA API Reference Data Multi Factor Authentication (MFA) Production Access
Beginning Monday, September 30, 2024, FINRA will require Multi Factor Authentication (MFA) for access to all production API reference data files. To access the API via MFA, users will need to be entitled to use the product, have an assigned user name (Email address) and password, answer security questions and enroll in one or more additional authentication methods. To gain access, users are required to enroll in MFA in the production environment. Member firms who wish to establish new API users must do so via PDM.
A dedicated TRAQS/API Multi Factor Authentication User Guide and MFA Web Help Page are available for reference to the new process and signup and usage of access methods. Questions about this process are detailed on the FAQ page in the documents.
FINRA has been addressing common inquiries regarding API programmatic access. Please refer to each product facility API specification to assist with programmatic downloads.
Can I have more than one Access Token at a time for the Programmatic API download?
| Yes. You can download the file from more than one machine as long as the Refresh Token and Access Token are still valid.
|
How long do Refresh Tokens and Access Tokens for Programmatic API downloads remain valid?
| A Refresh Token remains valid for 60 days after the date of issue. The account owner will receive an email 15 days prior reminding the user of expiration.
The Access Token expires every sixty (60) minutes. Systems will need to be programmed to detect an expired Access Token and request a new one programmatically after expiration.
|
Can I automate the process to get a Refresh Token?
| No, the user must login every six months to TRAQS, and confirm their identity using their second authentication method to obtain a new Refresh Token
|
What if the Refresh Token is expiring and the primary account owner is unavailable and cannot obtain a new Refresh Token?
| FINRA recommends that multiple users at your firm have API access for resilience. In this instance another user with API access can login to TRAQS, confirm their identity using their second authentication method to obtain a new Refresh Token.
|
The account we use to programmatically pull API files is a generic account. What MFA method should we use to enroll?
| FINRA recommends enrolling in voice call authentication using a general phone number. FINRA also encourages phone authentication as a backup authentication method. Note: the same type of authentication method can be set up multiple times. I.e., in this instance the account can have multiple landlines set up.
|
| I received a 400 Error = 400 (400 = Bad request). | The API request is most likely incomplete. Please follow the details outlined in the relevant API Specification in the Access Token request section to ensure the request includes all necessary data. |
FINRA will discontinue the use of digital certificates to access the Reference data API after the close of business on Friday, September 27, 2024. Firms should test and transition to MFA as soon as possible.
Process | Dates |
|---|---|
| Test MFA to reach API files in the NTF region | Currently supported |
| Use MFA to reach API files in the production region | Currently supported |
| Use Digital certificates to reach API files in the NTF region | **Supported through September 27, 2024 |
| Use Digital certificates to reach API files in the production region | **Supported through September 27, 2024 |
** As of July 15, 2024, any new user wishing to access the API files in NTF or production must use MFA.
Please contact FINRA Client and System Management with questions regarding this notice.