API
Stagingv2

Getting started

Authentication

Every request is authenticated with a secret API key, sent as a bearer token in the Authorization header. Keys are issued to your vendor account by NASD.

Authorization: Bearer <your-api-key>

Key types

Keys are prefixed by environment. A live key begins sk_live_; a test key begins sk_test_. Both are accepted by the API. Use test keys while integrating and live keys in production. Treat every key as a secret: never embed one in a browser, mobile app, or public repository.

Keys are shown onceA key's full secret is returned only at the moment it is created. NASD stores only a hashed reference, so if a key is lost it must be rotated, not recovered.

Permission scopes

Each key carries a set of permission scopes that gate which endpoints it can call, for example vwap, order.post, or market.snapshot.daily. A key granted the all scope can reach every endpoint. Each endpoint page lists the scope it requires. A key without the required scope receives 403 Forbidden.

Rate limits

Requests are limited to 100 per minute per API key on a rolling one-minute window. Exceeding the limit returns 429 Too Many Requests; back off and retry. Keep your key's subscription current; an expired subscription returns 402 Payment Required until it is renewed.

Usage logging

Every authenticated call is logged against your vendor account (method, path, status, IP, and response time) and is visible to NASD for support and reconciliation. Optionally send an x-api-username header to attribute a call to a specific operator on your side.

Authenticated request
curl "https://stagingmobile.nasdng.com/v2/vendor/sectors" \
  -H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxxxxxx"
Missing scope 403 Forbidden
{
  "success": false,
  "message": "This API key does not have permission to access this endpoint"
}