Week 05 · Build Your Own Automated Options Trading System

Talking to your broker
through code.

An API is a polite way to ask your broker for things. But brokers only listen to whitelisted IPs — so before we ask, we set up a small cloud server with a fixed address.

Week 5 of 12

AWS Lightsail · static IP · whitelist

First real API call: fetch your funds

This week, in one glance

Same five beats. New topic.

1

The idea

An API is a polite request. Brokers only answer whitelisted IPs — so we set up a cloud server first.

2

The outcome

You can fetch funds and positions from a cloud server whose IP your broker has whitelisted.

3

Vocabulary

API endpoint · OAuth flow · access token · cloud instance (AWS Lightsail) · static IP

4

Hands-on

Provision Lightsail · attach a static IP · whitelist with Upstox · fetch funds from the server.

5

War story

A second broker had no quote API. Every later strategy was redesigned around that one missing feature.

1 · The idea

You · cloud server · broker. Three boxes.

Your laptop's IP changes every time you reconnect to wifi. The broker won't trust a moving target. The cloud server has a fixed address — once. Forever.

You

SSH into the cloud server from anywhere — coffee shop, home, train.

whatever IP

ssh

→

Cloud server

AWS Lightsail. Tiny Linux box. Static IP. Always the same address.

13.202.219.68

HTTPS

→

Broker API

Upstox. Whitelisted your server's IP once. Answers requests from that IP only.

api.upstox.com

"Talking to the broker" means HTTPS requests from a known address. No magic. No fragile setup. The address is the trust.

2 · By the end of this week

One server. One IP. Funds on screen.

You have an AWS Lightsail instance running Ubuntu 22.04 — costs about ₹400–600/month at the smallest tier.

A static IP is attached. curl ifconfig.me from the server returns the same number every time.

That IP is whitelisted in your Upstox developer app. You completed the OAuth flow once to get an access token.

Running python funds.py on the server prints your available margin. Same script on your laptop fails — by design.

The server costs less than a dinner per month and turns your bot from "runs sometimes" into "runs always."

3 · New vocabulary

Five words. Use them this week.

API endpoint

A specific URL on the broker that answers one question. /v2/user/get-funds-and-margin answers "what's my balance?"

/v2/user/get-funds-and-margin

OAuth flow

A handshake: you log in once on the broker's site, get redirected back with a code, exchange that code for a token.

login → code → token

access token

A long random string that proves you're you for the next few hours. Sent with every API call.

Authorization: Bearer eyJ…

cloud instance

A small Linux computer you rent from AWS / Vultr / DigitalOcean. Lives on the internet 24×7.

AWS Lightsail · Ubuntu 22.04

static IP

A fixed internet address attached to your instance. It doesn't change when you reboot or stop the box.

13.202.219.68

Whitelisting on most brokers requires a static IP. Without one, your bot would break every restart.

The OAuth dance, in four steps

Login once. Use the token all day.

1

Register the app

On Upstox developer console, create an app. Note the API key and API secret. Set the redirect URI to your server.

api_key, api_secret

2

Login in the browser

Open the Upstox login URL with your api_key. Log in with your trading credentials. You get redirected back with a one-time code.

?code=abcd1234

3

Exchange code for token

POST the code + secret to /v2/login/authorization/token. You receive an access_token.

access_token: eyJ…

4

Use the token

Every API call from now goes with Authorization: Bearer <token>. The token is valid until ~3:30 AM IST the next day.

Authorization: Bearer eyJ…

Tokens expire daily. Refreshing them is its own little ritual — Week 7 covers automating it.

4 · The first real API call

Funds, from the server.

ubuntu@lightsail — funds.py

$ ssh ubuntu@13.202.219.68
Welcome to Ubuntu 22.04 LTS

$ curl ifconfig.me
13.202.219.68   # static · matches whitelist

$ python3 funds.py
→ GET https://api.upstox.com/v2/user/get-funds-and-margin
  Authorization: Bearer eyJhbGc…

{
  "equity":    { "available_margin": 245137.50, "used_margin": 12350.00 },
  "commodity": { "available_margin": 0.00,      "used_margin": 0.00 }
}

# Same script run from your laptop:
{ "errors": [{ "code": "UDAPI100068",
                "message": "IP not whitelisted" }] }

The server's IP is the password. That's the whole reason the cloud step came first.

4 · The hands-on bit — your task

Provision. Whitelist. Fetch.

What to do this week (2–3 hours, once)

Create an AWS account if you don't have one. Add a payment method. (Lightsail's smallest tier is fine; you can scale up later.)
Launch a Lightsail instance. OS = Ubuntu 22.04. Plan = $5/mo. Region = Mumbai (ap-south-1) so latency to Indian brokers stays low.
Attach a static IP to the instance. Without this, the IP changes on reboot and your whitelist breaks.
SSH in from your laptop. Install Python and your venv. Copy over the nifty.py / funds.py scripts from Week 4.
Register a Upstox developer app. Add your static IP to the whitelist. Complete the OAuth flow. Save the access_token to .env on the server.
Run funds.py. See your available margin. Then run the same script on your laptop and watch it fail — confirms the whitelist is doing its job.

Pair with Claude for every step. Read each command before you run it. The cloud is forgiving, but billing is not — keep instances small until you know what you need.

5 · A real-money war story

A second broker had no quote API.

We added a second broker (Tradejini) to spread margin across two accounts. Halfway through integration: their REST API has no get-quote endpoint. You can place orders, see positions, get margins — but you cannot ask "what's the current price of NIFTY 24800 CE?" through the API.

Feature	Upstox	Tradejini	Consequence
Place / cancel / modify orders	✓	✓	Fine — primary need is covered.
Read positions & margin	✓	✓	Fine.
Live quotes via REST	✓	✗	Strategy has no way to know the current price before placing.
WebSocket tick stream	✓	✓ (different protocol)	Workable, but doubles the integration effort.

The shape of a broker's API is a constraint on your strategies. Discover it before you design around it.

The adaptation we shipped

Orders go to Tradejini. Quotes come from Upstox.

What we wanted

Each strategy uses one broker, end to end. Clean. Symmetric. Easy to reason about.

# the dream
strategy → tradejini (quotes)
         → tradejini (orders)
         → tradejini (positions)

What we built

Hybrid routing. New strategies (RSI Sniper, First Strike) read quotes via the shared Upstox token and place orders via Tradejini. One token, two purposes.

# the reality, encoded in code
strategy → upstox    (quotes only)
         → tradejini (orders)
         → tradejini (positions, margin)

2

brokers in the system today

3

strategies use hybrid quote routing

1

abstraction layer (BaseBroker) absorbs all of it

The lesson, pinned

Read the API before you choose the broker.

A broker's marketing page lists features. The API documentation lists realities. The two do not always match. Before integrating a new broker — or designing a strategy around one — read their REST docs, page by page, and write down what's missing.

The missing pieces are not blockers. They are design constraints. Plan for them up front, or pay for them later in rewrites.

"What can this broker do?" is not the right question. "What can it not do, and can we live with that?" is.

Week 5 — takeaway

A static IP is the cheapest piece of trust you'll ever buy.

For ~₹500/month you get an address the broker will answer, a machine that runs 24×7, and a place to discover — early — what your broker's API can and cannot do. The constraint is a feature: it forces your design to be honest.

End of Week 5

Next: Your first real strategy,
coded from scratch.

Week 6 — A rule becomes a function →

source: cowork/Course_Outline_12_Weeks · Week 5