Authentication¶
Nubra Auth Flow¶
API Endpoints¶
| Environment | Base URL |
|---|---|
| UAT | https://uatapi.nubra.io |
| Production | https://api.nubra.io |
Step 1: Generate Temporary Token¶
Initiates the login flow and returns a temp_token. This token is required for the OTP request in the next step.
Method: POST
Endpoint: /sendphoneotp
cURL¶
curl --location 'https://api.nubra.io/sendphoneotp' \
--header 'Content-Type: application/json' \
--data '{
"phone": "0000000000",
"skip_totp": false
}'
Payload¶
{
"phone": "0000000000",
"skip_totp": false
}
Response¶
{
"attempts_left": 4,
"email": "xyz@gmail.com",
"expiry": 30,
"flow": "LOGIN",
"message": "OTP sent",
"next": "VERIFY_MOBILE",
"phone": "0000000000",
"temp_token": "eyJh...zd0"
}
Save the temp_token from this response. This token must be passed in the x-temp-token header in Step 2. Also choose the x-device-id to be used for this login session, for example 12345mac or TS123.
Step 2: Send OTP¶
Uses the temp_token from Step 1 to generate and send the OTP required for login.
Method: POST
Endpoint: /sendphoneotp
cURL¶
curl --location 'https://api.nubra.io/sendphoneotp' \
--header 'x-temp-token: eyJh...zd0' \
--header 'Content-Type: application/json' \
--data '{
"phone": "0000000000",
"skip_totp": true
}'
Headers¶
- x-temp-token: temp_token returned in Step 1
Payload¶
{
"phone": "0000000000",
"skip_totp": true
}
Response¶
{
"attempts_left": 4,
"email": "xyz@gmail.com",
"expiry": 30,
"flow": "LOGIN",
"message": "OTP sent",
"next": "VERIFY_MOBILE",
"phone": "0000000000",
"temp_token": "eyJh...zd0"
}
Save the new temp_token returned in this response. This updated token must be used during OTP verification in Step 3.
Step 3: Verify OTP¶
Validates the OTP received on the registered mobile number. Use the latest temp_token and the same x-device-id selected for this login session.
Method: POST
Endpoint: /verifyphoneotp
cURL¶
curl --location 'https://api.nubra.io/verifyphoneotp' \
--header 'x-temp-token: eyJh...zd0' \
--header 'x-device-id: TS123' \
--header 'Content-Type: application/json' \
--data '{
"phone": "0000000000",
"otp": "341874"
}'
Headers¶
- x-temp-token: Latest temp_token returned by the previous step
- x-device-id: Device identifier selected for this login session, for example TS123
Payload¶
{
"phone": "0000000000",
"otp": "341874"
}
Response¶
{
"auth_token": "7a1171e6-790c-40fa-ae16-b71cfd19923f",
"flow": "LOGIN",
"message": "User Created Successfully",
"next": "ENTER_MPIN"
}
Save the auth_token. This token is used as the Bearer token in Step 4.
Step 4: Verify PIN¶
Validates the user's MPIN and returns the final authenticated session.
Method: POST
Endpoint: /verifypin
cURL¶
curl --location 'https://api.nubra.io/verifypin' \
--header 'x-device-id: TS123' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer 7a1171e6-790c-40fa-ae16-b71cfd19923f' \
--data '{
"pin": "1234"
}'
Authorization¶
- Type: Bearer Token
- Token: auth_token returned in Step 3
Headers¶
- x-device-id: Same device ID used in Step 3
- x-temp-token: Do not include this header in this request
Payload¶
{
"pin": "1234"
}
Response¶
{
"email": "xyz@gmail.com",
"message": "Login Successful",
"next": "DASHBOARD",
"phone": "0000000000",
"session_token": "eyJh...6Pno",
"userId": 224
}
The session_token returned in this response is the final login token. Use it as the Bearer token for authenticated REST APIs such as market data, trading, portfolio, and account endpoints.
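The header rules of the four steps above, as an added example (not Nubra's own client code): a small Python class that records the latest token from each response and builds, without sending, the request for each step. The class and method names are hypothetical, and any responses passed to `absorb` in a trial run would be constructed values.

```python
BASE_URL = "https://uatapi.nubra.io"  # UAT base URL from the table on this page

class LoginFlow:
    """Tracks the tokens of the four-step login and builds each request (nothing is sent)."""

    def __init__(self, phone, device_id):
        self.phone, self.device_id = phone, device_id  # one device ID for the whole session
        self.tokens = {}  # latest temp_token / auth_token / session_token seen

    def absorb(self, response):
        """Keep the newest token of each kind from a parsed JSON response."""
        for name in ("temp_token", "auth_token", "session_token"):
            if response.get(name):
                self.tokens[name] = response[name]

    def _need(self, name):
        if name not in self.tokens:
            raise RuntimeError(f"{name} missing: an earlier step has not completed")
        return self.tokens[name]

    def request(self, step, secret=None):
        """Return (url, headers, body); secret is the OTP in step 3, the MPIN in step 4."""
        headers = {"Content-Type": "application/json"}
        if step == 1:
            return BASE_URL + "/sendphoneotp", headers, {"phone": self.phone, "skip_totp": False}
        if step == 2:
            headers["x-temp-token"] = self._need("temp_token")
            return BASE_URL + "/sendphoneotp", headers, {"phone": self.phone, "skip_totp": True}
        if step == 3:
            headers["x-temp-token"] = self._need("temp_token")  # the Step 2 token, not Step 1's
            headers["x-device-id"] = self.device_id
            return BASE_URL + "/verifyphoneotp", headers, {"phone": self.phone, "otp": secret}
        if step == 4:
            headers["x-device-id"] = self.device_id
            headers["Authorization"] = "Bearer " + self._need("auth_token")  # no x-temp-token here
            return BASE_URL + "/verifypin", headers, {"pin": secret}
        raise ValueError("step must be 1, 2, 3 or 4")

    def __repr__(self):
        # Safe to log: shows which tokens are held, never their values.
        return f"LoginFlow(device_id={self.device_id!r}, holds={sorted(self.tokens)})"
```

Logging the object prints only which tokens are held, so temp_token, auth_token and session_token values stay out of application logs.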
TOTP Authentication¶
The TOTP login flow is a secondary authentication method that can be enabled or disabled after a client has logged in. Once logged in, the client receives a session token, which is used as a bearer token to initiate the TOTP login flow.
Step 1: Generate TOTP Secret¶
Method: POST
Endpoint: /totp/generate-secret
cURL¶
curl --location 'https://api.nubra.io/totp/generate-secret' \
--header 'Authorization: Bearer {{session_token}}' \
--header 'x-device-id: {{device_id}}'
Headers
- Authorization: Bearer session_token (from first-time login)
- x-device-id: Your device ID (e.g., TS123)
Response¶
{
"data": {
"secret_key": "BTZYQ6WQ3XSHXOWEMIZC5FTDKB6ODQJP",
"qr_image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAgAAAAIAAQMAAADOtka5AAAABlBMVEX///8AAABVwtN+R2mIrU++xzyRmap3jAAA4AlIkbD0EV8bHCc/0AsLCwsL5ErkJggg=="
},
"message": "Enable TOTP flow by verifying TOTP"
}
This endpoint returns a TOTP secret.
The client must save this secret and add it to an Authenticator App (e.g., Google Authenticator or any other preferred TOTP-compatible app).
Step 2: Enable TOTP¶
Method: POST
Endpoint: /totp/enable
cURL¶
curl --location 'https://api.nubra.io/totp/enable/{{totp}}' \
--header 'Authorization: Bearer {{session_token}}' \
--header 'x-device-id: {{device_id}}'
Payload¶
{
"mpin": "1234",
"totp": "1234"
}
Response¶
{
"message": "TOTP verified successfully"
}
Step 3: Login via TOTP¶
Method: POST
Endpoint: /totp/login
cURL¶
curl --location 'https://api.nubra.io/totp/login' \
--header 'x-device-id: {{device_id}}' \
--header 'Content-Type: application/json' \
--data '{
"email": "xyz@gmail.com",
"totp": 847851
}'
Payload¶
{
"email": "xyz@gmail.com",
// "phone": "0000000000",
"totp": 307215
}
Response¶
{
"auth_token": "40e10d2e-fe48-4651-becb-7a97261d63cc",
"flow": "LOGIN",
"message": "User Created Successfully",
"next": "ENTER_MPIN"
}
Step 4: Verify PIN¶
Method: POST
Endpoint: /verifypin
cURL¶
curl --location 'https://api.nubra.io/verifypin' \
--header 'x-device-id: {{device_id}}' \
--header 'Authorization: Bearer 7a1171e6-790c-40fa-ae16-b71cfd19923f' \
--header 'Content-Type: application/json' \
--data '{
"pin": "1234"
}'
Payload¶
{
"pin": "1234"
}
Response¶
{
"email": "kavya@zanskar.xyz",
"message": "Login Successful",
"next": "DASHBOARD",
"phone": "000000000",
"session_token": "eyJhbGciOi...Dz5T5dMRgY",
"userId": 35
}
Use this session token for accessing all protected APIs.
Disable TOTP¶
Method: POST
Endpoint: /totp/disable
cURL¶
curl --location 'https://api.nubra.io/totp/disable' \
--header 'Authorization: Bearer {{session_token}}' \
--header 'x-device-id: {{device_id}}' \
--data '{
"mpin": "1234"
}'
Payload¶
{
"mpin": "1234"
}
Response¶
{
"message": "Disabled TOTP successfully"
}