Restricting open APIs and allowing access only through a unique vendor-specific API key and a static IP whitelisted by the broker for identification and traceability of the algo provider and the end user (i.e., investor).
Implementing OAuth 2.0 authentication as the only allowed authentication method, discontinuing all other mechanisms.
Enforcing two-factor authentication (2FA) for API access.
Then, after these updates, you will likely need to modify your existing Dhan Python code 2.0 to comply with these new SEBI regulations. The required changes may include updating authentication methods, integrating OAuth 2.0, implementing 2FA, and ensuring API access is restricted to whitelisted IPs ?
You can find the official link to the circular about “Safer participation of retail investors in Algorithmic trading” here:
They plan to put the guidelines from this circular into action by August 2025.
Considering all the suggestions they’ve made, it looks like it will take more time and resources to tackle the challenges of putting them into practice.
I’m not even sure if it will be doable in many situations.
It seems that stock brokers will now bear the responsibility for any unusual trades made by their clients. I’m unsure if following these guidelines will even be practical.
Roles and responsibilities of Stock Brokers: Brokers providing the facility of algotrading to investors shall continue to abide by the extant provisions related to algotrading including (but not limited to) the following –
a)The facility of algotrading shall be provided by the broker only after obtaining requisite permission of the stock exchange for each algo.
b)All algoorders shall be tagged with a unique identifier provided by the Exchange in order to establish audit trail and the broker shall seek approval from the Exchange for any modification or change to the approved algos.
c)Brokers shall be solely responsible for handling investor grievances related to algotrading and the monitoring of APIs for prohibited activities.
I’ve read through the circular and this is my interpretation for individual traders using the API:
There will be per second order rate limits prescribed by the exchanges, likely to be >= what Dhan already offers. No changes here
Dhan already has a client specific API key in place, this key can be created only through the web portal after 2FA based authentication. No changes here
Orders must come only from static IPs registered with the broker, only here is there a requirement for Dhan web interface to add one or more (for redundancy) static IPs per client and to verify orders for this client originate from these static IPs
For algo providers, the rules appear to be much more stricter.
Do you know If there is any clarity of how this affects algorithm aggregators based outside the country?
A few years ago, when SEBI introduced guidelines to manage retail algorithm trading, some well-known Indian algorithm aggregators moved their operations overseas, which means SEBI can no longer oversee them.
I imagine the static IP requirement is part of this, maybe not at first but I can see them gradually tightening the noose on connections made from outside India.
The circular as it is, does not differentiate b/w algo providers based within or outside India. If you want to offer products to Indian users, the rules must be followed.
Almost all of them should, contact your ISP. You could also get a managed hosting provider to set this up for you, the infrastructure and peering would be much better provided they’re colocated at a Tier 1/2 datacenter.
For instance, if A, B, and C all sign up to a cloud-based algotrading aggregator and give permission for their trading account details to be linked to it, then my understanding is that A, B, and C will be using the same static IP address from the cloud-based trading aggregator, right?
Yes, unless the algo provider assigns a static IP for each client. IPv6 is inexpensive though!
The circular itself does not prohibit multiple clients sharing the same static IP, more clarification is needed from the exchanges.
While we all await exchange guidelines and SOPs on this, most individual API orders will not be considered as Algos. We already do have checks in place for almost all of the points mentioned in the circular.
Coming to Static IP, that remains a point for clarification, primarily because IP can be spoofed as well. We will design something in accordance to exchange guidelines.
Would love to know what should be the threshold per second for your algos? And if you run it for your family accounts as well?
I haven’t begun using algorithmic trading yet. Maybe it’s because I’m relying on my own analysis for short-term investing instead of sticking to a set strategy.
