• Base URL: https://api-capital.backend-capital.com/
• Base demo URL: https://demo-api-capital.backend-capital.com/
• In order to use the endpoints a session should be launched. This can be done using the POST ​​/session endpoint.
• Session is active for 10 minutes. In case your inactivity is longer than this period then an error will occur upon next request.
• The API covers the full range of available instruments, licences and trading functionality.

To use the API the following simple steps should be taken:

• Create a trading account
  Note that a demo account can be used.
• Turn on Two-Factor Authentication (2FA)
  2FA should be turned on prior to API key generation. Instruction for 2FA enabling.
• Generate an API key
  To generate the API key, go to Settings > API integrations > Generate new key. There you will need to enter the label of the key, set the custom password for it and an optional expiration date, enter the 2FA code and that’s it.
• You are all set!

Market data

• Receive real-time prices for the whole range of available assets with the REST and WebSocket API.
• Get the price history for the whole range of assets.

Trading functionality

• Open positions, set stop and limit orders, set stop loss and take profit levels.
• Review and change financial account settings (trading modes, leverage sizes).
• Review trades and orders history.

• Postman collection: https://github.com/capital-com-sv/capital-api-postman
• Trading bot based on the RSI indicator values: https://github.com/capital-com-sv/api-java-samples

November 28, 2023

• Added an opportunity to adjust the balance of the Demo account using the POST /accounts/topUp endpoint

October 05, 2023

• Limit of 1 request per second is set for the POST /session endpoint.

August 04, 2023

• Added an opportunity to view the whole list of available markets using the GET /markets endpoint

July 04, 2023

• Set maximum date range for parameters from, to, lastPeriod to 1 day for the GET /history/activity

March 23, 2022

• Limit of 1000 requests per hour is set for the POST /positions and POST /workingorders in Demo.

March 16, 2022

• WebSocket API endpoints added to Swagger documentation.

February 10, 2022

• Release of the first version of the REST and WebSocket API.

There are 2 ways to start the session:

• Using your API key, login and password details.
• Using your API key, login and encrypted password details.

Using your API key, login and password details

Here you should simply use the POST /session endpoint and mention the received in the platform’s Settings API key in the X-CAP-API-KEY header, login and API key password info in the identifier and password parameters. The value of the encryptedPassword parameter should be false.

Using your API key, login and encrypted password details

• First of all you should use the GET ​/session​/encryptionKey and mention the generated in the platform’s Settings API key in the X-CAP-API-KEY header. As a response you will receive the encryptionKey and timeStamp parameters;
• Using the received encryptionKey and timeStamp parameters you should encrypt your API key password using the AES encryption method.

Encryption request example:

public static String encryptPassword(String encryptionKey, Long timestamp, String password) {
    try {
        byte[] input = stringToBytes(password + "|" + timestamp);
        input = Base64.encodeBase64(input);
        KeyFactory keyFactory = KeyFactory.getInstance(RSA_ALGORITHM);
        PublicKey publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(Base64.decodeBase64(stringToBytes(encryptionKey))));
        Cipher cipher = Cipher.getInstance(PKCS1_PADDING_TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] output = cipher.doFinal(input);
        output = Base64.encodeBase64(output);
        return bytesToString(output);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

Encrypted password example:

encryptionKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dOujgcFh/9n4JLJMY4VMWZ7aRrynwKXUC9RuoC8Qu5UOeskxgZ1q5DmAXjkes77KrLfFZYEKtrp2g1TB0MBkSALiyrG+Fl52vhET9/AWRhvHuFyskWI7tEtcGIaOB1FwR0EDO9bnylTaZ+Y9sPbLVA7loAtfaX3HW/TI9JDpdmgzXZ0KrwIxdMRzPxVqQXcA8yJL1m33pvo9mOJ0AsQ8FFuy+ctjI8l/8xUhe2Hk01rpMBXDwI1lSjnvuUUDvAtacxyYVlNsnRvbrMZYp7hyimm27RtvCUXhTX2A94tDB0MFLApURrki+tvTvw5ImDPN8qOdTUzbs8hNtVwTpSxPwIDAQAB";
timestamp = 1647440528194;
password = "1111qqqq";
// Result of password encryption with the encryptionKey
encryptedPassword = "hUxWlqKRhH6thdjJnR7DvdlGE7ABkcKHrzKDGeE7kQ7nKg91sw7BpYsLDqtxihnlHN2IEmFPZ/ZmOKBAwEAw9/vjELmAZDeKsu3Q6s+Koj4wt8giE1Sxv76JjjOB/667dEeL22IFO1rwTMZ1NS5DrfeYbTfOdQgA0v5eIOS3fH8Pp/mFHodibY28X+zIaNwk6Rcb49l6aiXwM1CAtDl359qK633a+sEB9TR0/C3EaRkuGg8wAQyQ0JERaSYOZ58Dx7pw//cmvk/U5dkQlgli2l6Ts2cMhqYXCD1ZlTDA/rLfl52lgnarfari3n0uh6LicmNeWXJBF5oxj3LCruVwMA==";

• Go to the POST ​/session endpoint, set true value for the encryptedPassword parameter and mention the received in the platform’s Settings API key in the X-CAP-API-KEY header, login and prior encrypted API key password info in the identifier and password parameters

On starting the session you will receive the CST and X-SECURITY-TOKEN parameters in the response headers. CST is an authorization token, X-SECURITY-TOKEN shows which financial account is used for the trades. These headers should be passed on subsequent requests to the API. Both tokens are valid for 10 minutes after the last use.

• Financial accounts
  accountId is the ID of your financial account. Each financial account has its unique ID. To view the full list of the available financial accounts, use the GET ​​/accounts endpoint. To find out which financial account is used for trading operations in the API please go to the GET ​/session endpoint. To change the financial account use: PUT ​/session.
• Epic
  Epic is the name of the market pair. You can use the GET /markets{?searchTerm} endpoint to find the market pairs you are interested in. A simple market name like ‘Bitcoin’ or ‘BTC’ can be requested with the searchTerm parameter and you will receive the full list of the market pairs associated with it. The GET ​/marketnavigation endpoint can be used to obtain asset group names. These names can be used with the GET ​​/marketnavigation​/{nodeId} endpoint to view the list of assets under the corresponding group.
• Watchlists
  The Watchlist is the list of assets which can be seen and created on the platform. The GET /watchlists endpoint returns the existing watchlists on your account. Each watchlist has an id parameter which can be used to obtain the corresponding list of assets: GET ​/watchlists​/{watchlistId}

• When opening a position using the POST /positions endpoint a dealReference parameter is included in the response. However, a successful response does not always mean that the position has been successfully opened. The status of the position can be confirmed using GET ​/confirms​/{dealReference}. This will produce the status of the position together with the affectedDeals array. Note that several positions can be opened at a time: this info will be shown in the affectedDeals array.
• It is important to ensure that the correct trading mode is in use with the API. To find out which trading mode is set on your financial account use the GET ​/accounts​/preferences method. The hedgingMode parameter value shows whether the hedging mode is engaged. This value can be altered using endpoint: PUT ​/accounts​/preferences.
• The leverages set for trades can be obtained using the GET ​​/accounts​/preferences endpoint. To change leverages, use PUT ​​/accounts​/preferences.
• Note: Stop loss and take profit values cannot be set when conducting trades with real stocks.

On Capital.com we suggest both REST and WebSocket API. In case of WebSocket API real-time prices updates for max 40 instruments at a time.

Yes, we do have several limitations in our Capital.com API. Here is the list:

• You have max 100 attempts per 24hrs to successfully generate API keys.
• The maximum request rate is 10 per second per user.
• The maximum request rate is 1 per 0.1 seconds per user when opening positions or creating orders. Otherwise the position/order requests are going to be rejected.
• WebSocket session duration is 10 minutes. In order to keep the session live use the ping endpoint.
• REST session is also active for 10 minutes. In case your inactivity is longer than this period then an error will occur upon next request.
• POST /session endpoint limit is 1 request per second per API key.
• POST /positions and POST /workingorders endpoint limit is 1000 requests per hour in the Demo account.
• POST /accounts/topUp endpoint limits: 10 requests per second and 100 requests per account per day.
• The balance of the Demo account cannot exceed 100000.
• The WebSocket API allows subscription to a maximum of 40 instruments.
• WebSocket streaming falls off when the financial account is changed with the help of the PUT​ /session endpoint.

Yes, Capital.com API supports all of the instruments which you can find on the platform.

In order to start using our Capital.com API you should first of all generate an API key in the Settings > API integrations section on the platform. Upon doing so you will be able to use this key and your account credentials to authorise for the API usage with the POST /session method.

Sure. In order to use your Demo account with our API you should mention the following service as Base URL: https://demo-api-capital.backend-capital.com/

In order to generate an API Key you should log in to your account, go to the Settings > API integrations section and click on the Generate API key button.

In case your 2FA is turned off you will be asked to switch on this function to ensure safe and secure keys usage.

Next you will be presented with the Generate new key window where you will be able to name your API Key, add an API key password and set an expiration date (if needed). By default the validity of the API key is 1 year.

After that you should enter your 2FA code and wait for an API Key to be generated. Once an API Key is generated you will see an API Key itself. Please, make sure to save this data as it is shown only once.

Congratulations. You should have successfully managed to integrate our API functionality. In case you have any questions - feel free to contact us (support@capital.com). We will be glad to help you.

Currently we have only 1 type of the API Keys privileges which allows trading. No Read Only API Keys can be generated.

A Custom password field allows you to generate a separate password for your API key. You should use this Custom password for the API key in order to start the session.

In order to pause or launch an API key you can click on the Pause or Play icons next to the API key in the Settings > API integrations section. This functionality allows you to either disable or enable a key when you need to do it without deleting a key itself and re-generating a new one.

In order to view more information about the API key you have generated please click on an Eye icon next to the key in the Settings > API integrations section.

There are 2 reasons for your API Key to be deleted:

• your account status has changed to either SUSPENDED or BLOCKED;
• your API Key has reached an expiration date.

In all other cases your API Keys should work as expected.

According to the existing procedure the only moment you can see your API Key is during its creation. After that it will always be masked.

In case you have lost your API Key or didn't record it, you will have to create a new one and make sure that you store a new key in a secure place.

In order to start using WebSocket connect to wss://api-streaming-capital.backend-capital.com/connect.

In order to keep the connection alive, ping service at least once every 10 minutes.

More information regarding the WebSocket API requests and responses parameters can be found in the table below:

Destination: marketData.subscribe

Subscribe to the price updates by mentioning the epics
The maximum number of epics: 40

Request message example:

{
    "destination": "marketData.subscribe",
    "correlationId": "1",
    "cst": "zvkT26****nsHKk",
    "securityToken": "g6K90****QKvCS7",
    "payload": {
        "epics": [
            "OIL_CRUDE"
        ]
    }
}

Example of the response message about successful subscription:

{
    "status": "OK",
    "destination": "marketData.subscribe",
    "correlationId": "1",
    "payload": {
        "subscriptions": {
            "OIL_CRUDE": "PROCESSED"
        }
    }
}

Example of the response message with market data updates:

{
    "status": "OK",
    "destination": "quote",
    "payload": {
        "epic": "OIL_CRUDE",
        "product": "CFD",
        "bid": 93.87,
        "bidQty": 4976.0,
        "ofr": 93.9,
        "ofrQty": 5000.0,
        "timestamp": 1660297190627
    }
}

Destination: marketData.unsubscribe

Unsubscribe from the prices updates

Request message example:

{
    "destination": "marketData.unsubscribe",
    "correlationId": "2",
    "cst": "zvkT26****nsHKk",
    "securityToken": "g6K90****QKvCS7",
    "payload": {
        "epics": [
            "OIL_CRUDE"
        ]
    }
}

Example of the response message about successful unsubscription:

{
    "status": "OK",
    "destination": "marketData.unsubscribe",
    "correlationId": "2",
    "payload": {
        "subscriptions": {
            "OIL_CRUDE": "PROCESSED"
        }
    }
}

Destination: OHLCMarketData.subscribe

Subscribe to the candlestick bars updates by mentioning the epics, resolutions and bar type

List of request payload parameters:

Request message example:

{
    "destination": "OHLCMarketData.subscribe",
    "correlationId": "3",
    "cst": "zvkT26****nsHKk",
    "securityToken": "g6K90****QKvCS7",
    "payload": {
        "epics": [
            "OIL_CRUDE",
            "AAPL"
        ],
        "resolutions": [
            "MINUTE_5"
        ],
        "type": "classic"
    }
}

Example of the response message about successful subscription:

{
    "status": "OK",
    "destination": "OHLCMarketData.subscribe",
    "correlationId": "3",
    "payload": {
        "subscriptions": {
            "OIL_CRUDE:MINUTE_5:classic": "PROCESSED",
            "AAPL:MINUTE_5:classic": "PROCESSED"
        }
    }
}

Example of the response message with market data updates:

{
    "status": "OK",
    "destination": "ohlc.event",
    "payload": {
        "resolution": "MINUTE_5",
        "epic": "AAPL",
        "type": "classic",
        "priceType": "bid",
        "t": 1671714000000,
        "h": 134.95,
        "l": 134.85,
        "o": 134.86,
        "c": 134.88
    }
}

Destination: OHLCMarketData.unsubscribe

Unsubscribe from candlestick bars updates for specific epics, resolutions and bar types.

The general principle is as follows: you unsubscribe from the parameter you mention in the request. In case you mention epic you unsubscribe from all of the corresponding bar types and resolutions.

List of request payload parameters:

Request message example:

// Unsubscribe from candlestick bars updates of OIL_CRUDE epic with MINUTE and MINUTE_5 resolutions and heikin-ashi candlestick type
{
    "destination": "OHLCMarketData.unsubscribe",
    "correlationId": "4",
    "cst": "zvkT26****nsHKk",
    "securityToken": "g6K90****QKvCS7",
    "payload": {
        "epics": [
            "OIL_CRUDE"
        ],
        "resolutions": [
            "MINUTE",
            "MINUTE_5"
        ],
        "types": [
            "heikin-ashi"
        ]
    }
}

Example of the response message about successful unsubscription:

{
    "status": "OK",
    "destination": "OHLCMarketData.unsubscribe",
    "correlationId": "4",
    "payload": {
        "subscriptions": {
            "OIL_CRUDE:MINUTE_5:heikin-ashi": "PROCESSED",
            "OIL_CRUDE:MINUTE:heikin-ashi": "PROCESSED"
        }
    }
}

Destination: ping

Ping the service for keeping the connection alive

Request message example:

{
    "destination": "ping",
    "correlationId": "5",
    "cst": "zvkT26****nsHKk",
    "securityToken": "g6K90****QKvCS7"
}

Response message example:

{
    "status": "OK",
    "destination": "ping",
    "correlationId": "5",
    "payload": {}
}

Find below the list of all available REST API endpoints