For Personal or Institutional Investor Apps
Note: Personal and Institutional clients have a one-to-one relationship where a single client can only serve a single Prosper user. You cannot create a client for anyone other than the user associated with the account.
Step 1: Register your app with Prosper
If you have not already done so, register your app with Prosper. When your app is registered, you will receive a Client ID and Client Secret, which you will use to authorize your app with Prosper before making API calls.
App registration is done on your Prosper API settings page.
To open the API settings page:
- Select My Account > Settings
- Select Edit from the API settings section on the right side of the page.
To register your app and generate a Client ID and Client Secret, complete the registration form.
If you are registering a personal or institutional client, you only need to provide a Company Name and a Phone Number. If you add an Email Address, it will only be used for communication purposes.
Note: You can enter your full name in the Company Name field if you are an individual investor.
All other fields are for third-party agent clients only. You will use your Prosper login email address as your username when authenticating your app.
Step 2: Request an access/refresh token
If you are creating an app to make investments on your behalf or you are acting as an institutional investor, you can use your account username and password to authenticate with Prosper and start using our APIs.
You will authorize your app using the OAuth 2.0 password flow. The password flow results in Prosper issuing an access token for making API calls. We’ll also generate a refresh token for you.
Both the access and refresh tokens have an expiration time. Once the Access token has expired, you will use the Refresh token to gain a new Access token (see next section). Prosper Refresh tokens are currently set to expire in 10 hours.
Once the Refresh token has expired, you must make a new password flow request for a new Access/Refresh token for client sessions.
To make a token request:
You will make an HTTP urlencoded POST request to Prosper’s OAuth security token endpoint, passing the following parameters:
Parameter name | Value |
---|---|
grant_type | password |
client_id | The id Prosper provided to you when you registered your app |
client_secret | The secret Prosper provided to you when you registered your app |
username | Your username is the email address you use to log in to your personal or institutional Prosper account. Note: You may have used a different email address to register your app. Your client id is always tied to your Prosper account login email. |
password | The password used to log in to your Prosper personal or institutional account. |
Request:
```
POST https://api.prosper.com/v1/security/oauth/token
Accept: application/json
Content-type: application/x-www-form-urlencoded

grant_type=password&client_id=<your_client_id>&client_secret=<your_client_secret>&username=<your_prosper_username>&password=<your_prosper_password>
```
View curl and python examples of the above request at the end of this section.
Response:
```
{
  "access_token": "22a5aaaf-bb7b-4278",
  "token_type": "bearer",
  "refresh_token": "7fcb8a8a-e7dd-4fa9",
  "expires_in": 3599
}
```
The following parameters are passed back in the response:
Parameter name | Value |
---|---|
access_token | The new access token you will use when requesting resources from Prosper. |
token_type | The token type to set in the HTTP header when making resource requests from Prosper. |
refresh_token | The refresh token to use when the access token expires. |
expires_in | The amount of time left, expressed in seconds, before the access token expires. You will need to refresh the token when this time has passed. |
Now that you have a user access token, you can make Prosper API calls to inspect resources. Use the access_token as bearer in every Authorization request header.
Step 3: Request a new Access token
You should make note of the expiration time for the Access token. When the Access token has expired, you must get a new one to resume making Prosper API calls.
To get a new Access token, your client will pass the Refresh token Prosper issued to your client in Step 2.
Note: If your refresh token has expired, you need to repeat Step 2 to retrieve a new Access and Refresh token.
To make a new Access token request:
You will make an HTTP urlencoded POST request to Prosper’s OAuth security token endpoint, passing the following parameters:
Parameter name | Value |
---|---|
grant_type | refresh_token |
client_id | The id Prosper provided to you when you registered your app |
client_secret | The secret Prosper provided to you when you registered your app |
refresh_token | The refresh token Prosper provided to you when you requested an access token. The refresh token expires in 10 hours. You can make multiple refresh token requests for a new access token with this refresh token throughout the day. |
Request:
```
POST https://api.prosper.com/v1/security/oauth/token
Accept: application/json
Content-type: application/x-www-form-urlencoded

grant_type=refresh_token&client_id=<your_client_id>&client_secret=<your_client_secret>&refresh_token=<existing_refresh_token_from_user_token_request>
```
View curl and python examples of the above request at the end of this section.
Response:
```
{
  "access_token": "5098afd7-f216",
  "token_type": "bearer",
  "refresh_token": "7fcb8a8a-e7dd",
  "expires_in": 3599
}
```
The following parameters are passed back in the response:
Parameter name | Value |
---|---|
access_token | The new access token you will use when requesting resources from Prosper. |
token_type | The token type to set in the HTTP header when making resource requests from Prosper. |
refresh_token | The refresh token to use when the access token expires. This value will be the same value you passed into the refresh token call request. |
expires_in | The amount of time left, expressed in seconds, before the access token expires. You will need to refresh the token when this time has passed. |
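
The token lifecycle from Steps 2 and 3 as an added example (not Prosper's code): a small manager that caches the access token, refreshes it shortly before `expires_in` elapses, and repeats the password grant once the 10-hour refresh window has passed or the refresh token is rejected. Assumptions: the names `TokenManager` and `TokenError`, the injected `post` transport, the 60-second safety margin, and an RFC 6749-style `error` field in error responses, which this page does not show.

```python
import time

TOKEN_URL = "https://api.prosper.com/v1/security/oauth/token"
REFRESH_LIFETIME = 10 * 3600  # page: refresh tokens expire in 10 hours
SKEW = 60                     # assumed safety margin in seconds

class TokenError(Exception):
    """Carries the OAuth error code (assumed to be in the body's `error` field)."""

class TokenManager:
    def __init__(self, creds, post, clock=time.time):
        # creds: client_id, client_secret, username, password (load from env/secret store).
        # post(url, form) -> (http_status, json_body); injected so this runs offline.
        # Real use could wrap requests.post(url, data=form, timeout=10).
        self.creds, self.post, self.clock = creds, post, clock
        self.access = self.refresh = None
        self.access_exp = self.refresh_exp = 0.0

    def _request(self, form):
        form.update(client_id=self.creds["client_id"],
                    client_secret=self.creds["client_secret"])
        status, body = self.post(TOKEN_URL, form)
        if status != 200:
            # Report only the error code; the form holds secrets and is never echoed.
            raise TokenError(body.get("error", "http_%d" % status))
        self.access = body["access_token"]
        self.access_exp = self.clock() + body["expires_in"] - SKEW
        return body

    def _password_grant(self):  # Step 2
        body = self._request({"grant_type": "password",
                              "username": self.creds["username"],
                              "password": self.creds["password"]})
        self.refresh = body["refresh_token"]
        self.refresh_exp = self.clock() + REFRESH_LIFETIME - SKEW

    def authorization_header(self):
        now = self.clock()
        if self.access is None or now >= self.access_exp:
            if self.refresh and now < self.refresh_exp:
                try:  # Step 3; refresh_exp is not extended by a refresh
                    self._request({"grant_type": "refresh_token",
                                   "refresh_token": self.refresh})
                except TokenError as err:
                    if str(err) != "invalid_grant":
                        raise
                    self._password_grant()  # refresh token rejected: repeat Step 2
            else:
                self._password_grant()
        return {"Authorization": "bearer " + self.access}
```

Because the refresh token's expiry is fixed at issue time, the password is sent only about once per 10-hour window, which keeps the account password out of most requests.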
Password Credentials Flow Errors
Error Code | Error Reason(s) | HTTP Status code |
---|---|---|
invalid_grant | Not enough information supplied for the grant type; Missing/Invalid username or password; Bad credentials | 400 |
password_reset_required | User needs to reset their password | 403 |
All User Status Errors below | | |
All Client Authority Errors below | | |
Access Token Errors
Error Code | Error Reason(s) | HTTP Status code |
---|---|---|
invalid_grant | Not enough information supplied for the grant type; Missing/Invalid username or password; Bad credentials | 400 |
invalid_token | The access token is invalid (expired, not provided etc) | 401 |
invalid_request | Unsupported response types; Missing response type; No scopes provided; Invalid scope(s) | 400 |
All Client Authority Errors below | | |
Refresh Token Errors
Error Code | Error Reason(s) | HTTP Status code |
---|---|---|
invalid_grant | Missing/Invalid refresh token | 400 |
All Client Authority Errors below | | |
User Status Errors
Error Code | Error Reason(s) | HTTP Status code |
---|---|---|
closed_account | User account is closed | 400 |
duplicate_account | User has a duplicate account | 400 |
expired_account | User account has expired | 400 |
inactive_account | User account is inactive | 400 |
account_on_hold | User account is put on hold | 400 |
account_pending_activation | User account has not been activated | 400 |
account_pending_approval | User account pending approval | 400 |
account_incomplete_registration | User has not completed registration | 400 |
suspended_account | User account is suspended | 400 |
terminated_account | User account is terminated | 400 |
unactivated_account | The account’s email address has not been validated | 400 |
All Client Authority Errors below | | |
Client Authority Errors
Error Code | Error Reason(s) | HTTP Status code |
---|---|---|
unauthorized | Invalid/Missing client Id; No Authorization (header) information provided | 401 |
invalid_client | Invalid/Missing credentials; Unauthorized grants | 401 |
invalid_request | Generic “Bad request”; Invalid/Missing grant type | 400 |
unsupported_grant_type | The grant type given is unsupported | 400 |
Password flow token requests: curl and python examples
curl password flow access token request
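```
# --data-urlencode encodes each value, so a password containing & or + is sent intact.
curl -X POST 'https://api.prosper.com/v1/security/oauth/token' \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=<your_client_id>' \
  --data-urlencode 'client_secret=<your_client_secret>' \
  --data-urlencode 'username=<prosper_account_username>' \
  --data-urlencode 'password=<prosper_account_password>'
```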
curl refresh token request
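```
# --data-urlencode encodes each value before it is placed in the form body.
curl -X POST 'https://api.prosper.com/v1/security/oauth/token' \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'client_id=<your_client_id>' \
  --data-urlencode 'client_secret=<your_client_secret>' \
  --data-urlencode 'refresh_token=<existing_refresh_token_from_user_token_request>'
```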
python password flow access token request
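```
import requests

url = "https://api.prosper.com/v1/security/oauth/token"

# Pass the form fields as a dict so requests URL-encodes each value;
# a password containing & or + would otherwise corrupt the body.
payload = {
    "grant_type": "password",
    "client_id": "<your_client_id>",
    "client_secret": "<your_client_secret>",
    "username": "<prosper_account_username>",
    "password": "<prosper_account_password>",
}
headers = {
    "accept": "application/json",
    "content-type": "application/x-www-form-urlencoded",
}

response = requests.request("POST", url, data=payload, headers=headers, timeout=10)
# The response body contains live tokens; keep it out of shared logs.
print(response.text)
```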
python refresh token request
```
import requests

url = "https://api.prosper.com/v1/security/oauth/token"

# Pass the form fields as a dict so requests URL-encodes each value.
payload = {
    "grant_type": "refresh_token",
    "client_id": "<your_client_id>",
    "client_secret": "<your_client_secret>",
    "refresh_token": "<existing_refresh_token_from_user_token_request>",
}
headers = {
    "accept": "application/json",
    "content-type": "application/x-www-form-urlencoded",
}

response = requests.request("POST", url, data=payload, headers=headers, timeout=10)
# The response body contains live tokens; keep it out of shared logs.
print(response.text)
```