Alpaca API
Auto-generated from
openapi-snapshot.json. Do not edit by hand — changes are overwritten byscripts/docs/generate_api_reference.py.
12 endpoints in this group.
GET /api/alpaca/activities
Alpaca Get Activities
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
activity_type | query | — | optional | |
after | query | — | optional | |
until | query | — | optional | |
page_size | query | integer | optional |
Responses
| Code | Description |
|---|---|
200 | Successful Response |
422 | Validation Error |
GET /api/alpaca/auth-url
Alpaca Auth Url
Return the Alpaca OAuth authorization URL plus a CSRF state nonce.
Pentest C4: state is now a server-signed token pinned to this user + broker + tenant. /connect rejects unsigned, stale, or cross-user state values to prevent CSRF broker-bind attacks.
Responses
| Code | Description |
|---|---|
200 | Successful Response |
GET /api/alpaca/connect
Alpaca Callback
OAuth callback: exchange code, persist encrypted tokens plus broker_account row.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
code | query | string | required | One-time OAuth authorization code |
state | query | — | optional | CSRF state nonce returned by Alpaca |
Responses
| Code | Description |
|---|---|
200 | Successful Response |
422 | Validation Error |
POST /api/alpaca/connect
Alpaca Connect
JSON-bodied connect for SPA flows: {auth_code: ’…’, state: ’…’}.
Responses
| Code | Description |
|---|---|
200 | Successful Response |
POST /api/alpaca/disconnect
Alpaca Disconnect
Revoke (best-effort) plus soft-archive the Alpaca broker_account row.
Responses
| Code | Description |
|---|---|
200 | Successful Response |
GET /api/alpaca/health
Alpaca Health
Probe the Alpaca API connectivity. Never raises - returns {ok, …}.
Responses
| Code | Description |
|---|---|
200 | Successful Response |
GET /api/alpaca/orders
Alpaca List Orders
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
status | query | string | optional | |
limit | query | integer | optional | |
after | query | — | optional | |
until | query | — | optional | |
direction | query | string | optional |
Responses
| Code | Description |
|---|---|
200 | Successful Response |
422 | Validation Error |
POST /api/alpaca/orders
Alpaca Place Order
Place an Alpaca order. Decimal-strict — strings only on the wire.
Request body: application/json
Responses
| Code | Description |
|---|---|
200 | Successful Response |
422 | Validation Error |
DELETE /api/alpaca/orders/{order_id}
Alpaca Cancel Order
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
order_id | path | string | required |
Responses
| Code | Description |
|---|---|
200 | Successful Response |
422 | Validation Error |
GET /api/alpaca/positions
Alpaca Positions
Read-only positions sync via the AlpacaAdapter.
Wraps the fetch in sync_orchestrator.sync_attempt (Phase C #648)
so each user-initiated read writes a row to broker_sync_log. The
sync_kind is “manual” — this is a foreground request, not a
scheduled background sync.
Responses
| Code | Description |
|---|---|
200 | Successful Response |
POST /api/alpaca/refresh
Alpaca Refresh
Force-refresh the Alpaca access token using the stored refresh token.
Responses
| Code | Description |
|---|---|
200 | Successful Response |
GET /api/alpaca/status
Alpaca Status
Return whether Alpaca is connected for the current tenant.
Responses
| Code | Description |
|---|---|
200 | Successful Response |