Documentation
HomeGithubDiscordBlog
  • What is OpenAlgo?
  • OpenAlgo Architecture
  • Mini FOSS Universe
  • Community Support
  • OpenAlgo GPT
  • New Features
    • Fast Scalper
    • API Analyzer
    • Traffic/Latency Monitor
    • Chartink Integration
  • Monetization
  • Connect Brokers
    • Brokers
      • 5Paisa
      • 5paisa (XTS)
      • AliceBlue
      • AngelOne
      • Compositedge
      • Dhan
      • Dhan(Sandbox)
      • Firstock
      • FlatTrade
      • Fyers
      • Groww
      • IIFL (XTS)
      • Jainam Retail (XTS)
      • Jainam Dealer (XTS)
      • Kotak Securities
      • Paytm
      • Pocketful
      • Shoonya
      • Tradejini
      • Upstox
      • Wisdom Capital
      • Zebu
      • Zerodha
  • Installation Guidelines
  • Getting Started
    • Windows Installation
      • Pre-Requesites
      • Setup
      • Install Dependencies
      • Ngrok Config
      • Environmental Variables
      • Start OpenAlgo
      • SSL Verification Failed
      • Accessing OpenAlgo
    • Windows Server Installation
    • Mac OS Installation
      • Pre-Requesties
      • Setup
      • Install Dependencies
      • Ngrok Config
      • Environmental Variables
      • Start OpenAlgo
      • Install certifi
      • Accessing OpenAlgo
    • Amazon Elastic Beanstalk
    • Ubuntu Server Installation
    • Docker Development
    • Testing OpenAlgo in Cloud
    • Upgrade
  • Latency
  • API Documentation
    • V1
      • Accounts API
        • Funds
        • Orderbook
        • Tradebook
        • PositionBook
        • Holdings
      • Orders API
        • Placeorder
        • PlaceSmartOrder
        • BasketOrder
        • SplitOrder
        • ModifyOrder
        • CancelOrder
        • CancelAllOrder
        • ClosePosition
        • OrderStatus
        • OpenPosition
      • Data API
        • Quotes
        • Depth
        • History
        • Intervals
        • Symbol
        • Ticker
      • Order Constants
      • HTTP Status Codes
      • Rate Limiting
      • API Collections
  • Symbol Format
  • MCP
  • Trading Platform
    • Amibroker
      • AmiQuotes
      • Button Trading Module
      • Button Trading with Split Orders
      • Button Trading with Stoploss
      • SmartOrder Chart Module
      • Trailing Stoploss Execution Module
      • Line Trading Module
      • Equity Exploration Module
      • CSV Exploration Module
      • Options Button Trading Module
      • Spot/Futures to Options Module (Single Leg)
      • Spot/Futures to Options Module (Two Leg)
      • Time Based Execution
    • Tradingview
    • ChartInk
    • Python
      • Strategy Management
      • EMA Crossover Strategy
      • Supertrend Strategy
      • Supertrend Strategy with yfinance data
      • Voice Based Orders
    • NodeJS
    • Metatrader 5
      • Download & Install Library
      • OpenAlgo MQL5 Functions
      • Include the Header File
      • Sample Expert Advisor
    • Excel
    • Google Spreadsheets
    • N8N
    • Chrome Extension
  • Strategy Management
  • Developers
    • Design Documentation
      • Architecture
      • API Layer
      • Broker Integerations
      • Database Layer
      • Authentication Platforms
      • Configuration
      • Utilities
      • Broker Integration Checklist
  • Change Log
    • Version 1.0.0.24 Launched
    • Version 1.0.0.23 Launched
    • Version 1.0.0.22 Launched
    • Version 1.0.0.21 Launched
    • Version 1.0.0.20 Launched
    • Version 1.0.0.19 Launched
    • Version 1.0.0.18 Launched
    • Version 1.0.0.17 Launched
    • Version 1.0.0.16 Launched
    • Version 1.0.0.15 Launched
    • Version 1.0.0.14 Launched
    • Version 1.0.0.13 Launched
    • Version 1.0.0.12 Launched
    • Version 1.0.0.11 Launched
    • Version 1.0.0.10 Launched
    • Version 1.0.0.9 Launched
    • Version 1.0.0.8 Launched
    • Version 1.0.0.7 Launched
    • Version 1.0.0.6 Launched
    • Version 1.0.0.5 Launched
    • Version 1.0.0.4 Launched
    • Version 1.0.0.3 Launched
    • Version 1.0.0.2 Launched
    • Version 1.0.0.1 Launched
    • Version 1.0.0.0 Launched
Powered by GitBook
On this page
  • Sample Environmental File
  • โœ… OpenAlgo .env Configuration Explained
  • ๐ŸŒ CORS Configuration (Cross-Origin Resource Sharing)
  • ๐Ÿ” CSP Configuration (Content Security Policy)
  • ๐Ÿงช Recommended Defaults for Local Testing
  1. Getting Started
  2. Windows Installation

Environmental Variables

Rename the .sample.env file located in openalgo folder to .env

Update the .env with your specific configurations as shown in the provided template.

Sample Environmental File

# Broker Configuration
BROKER_API_KEY = 'YOUR_BROKER_API_KEY'
BROKER_API_SECRET = 'YOUR_BROKER_API_SECRET'

# Market Data Configuration (Optional and Required only for XTS API Supported Brokers)

BROKER_API_KEY_MARKET = 'YOUR_BROKER_MARKET_API_KEY'
BROKER_API_SECRET_MARKET = 'YOUR_BROKER_MARKET_API_SECRET'

REDIRECT_URL = 'http://127.0.0.1:5000/<broker>/callback'  # Change if different

# Valid Brokers Configuration
VALID_BROKERS = 'fivepaisa,fivepaisaxts,aliceblue,angel,compositedge,dhan,firstock,flattrade,fyers,groww,iifl,kotak,jainam,jainampro,paytm,pocketful,shoonya,upstox,wisdom,zebu,zerodha'

# Security Configuration
# IMPORTANT: Generate new random values for both keys during setup!

# OpenAlgo Application Key
APP_KEY = '3daa0403ce2501ee7432b75bf100048e3cf510d63d2754f952e93d88bf07ea84'

# Security Pepper - Used for hashing/encryption of sensitive data
# This is used for:
# 1. API key hashing
# 2. User password hashing
# 3. Broker auth token encryption
# Generate a new random string during setup using: python -c "import secrets; print(secrets.token_hex(32))"
API_KEY_PEPPER = 'a25d94718479b170c16278e321ea6c989358bf499a658fd20c90033cef8ce772'

# OpenAlgo Database Configuration
DATABASE_URL = 'sqlite:///db/openalgo.db' 

# OpenAlgo Ngrok Configuration
NGROK_ALLOW = 'FALSE' 

# OpenAlgo Hosted Server (Custom Domain Name) or Ngrok Domain Configuration
# Change to your custom domain or Ngrok domain
HOST_SERVER = 'http://127.0.0.1:5000'  

# OpenAlgo Flask App Host and Port Configuration
# For 0.0.0.0 (accessible from other devices on the network)
# Flask Environment - development or production
FLASK_HOST_IP='127.0.0.1'  
FLASK_PORT='5000'  
FLASK_DEBUG='False' 
FLASK_ENV='development'

# OpenAlgo Rate Limit Settings
LOGIN_RATE_LIMIT_MIN = "5 per minute" 
LOGIN_RATE_LIMIT_HOUR = "25 per hour"
API_RATE_LIMIT="10 per second"

# OpenAlgo API Configuration

# Required to give 0.5 second to 1 second delay between multi-legged option strategies
# Single legged orders are not affected by this setting.
SMART_ORDER_DELAY = '0.5'

# Session Expiry Time (24-hour format, IST)
# All user sessions will automatically expire at this time daily
SESSION_EXPIRY_TIME = '03:00'

# OpenAlgo CORS (Cross-Origin Resource Sharing) Configuration
# Set to TRUE to enable CORS support, FALSE to disable
CORS_ENABLED = 'TRUE'

# Comma-separated list of allowed origins (domains)
# Example: http://localhost:3000,https://example.com
# Use '*' to allow all origins (not recommended for production)
CORS_ALLOWED_ORIGINS = 'http://127.0.0.1:5000'

# Comma-separated list of allowed HTTP methods
# Default: GET,POST
CORS_ALLOWED_METHODS = 'GET,POST'

# Comma-separated list of allowed headers
# Default Flask-CORS values will be used if not specified
CORS_ALLOWED_HEADERS = 'Content-Type,Authorization,X-Requested-With'

# Comma-separated list of headers exposed to the browser
CORS_EXPOSED_HEADERS = ''

# Whether to allow credentials (cookies, authorization headers)
# Set to TRUE only if you need to support credentials
CORS_ALLOW_CREDENTIALS = 'FALSE'

# Max age (in seconds) for browser to cache preflight requests
# Default: 86400 (24 hours)
CORS_MAX_AGE = '86400'

# OpenAlgo Content Security Policy (CSP) Configuration
# Set to TRUE to enable CSP, FALSE to disable
CSP_ENABLED = 'TRUE'

# Set to TRUE to use Content-Security-Policy-Report-Only mode (testing without blocking)
# This will report violations but not block content
CSP_REPORT_ONLY = 'FALSE'

# Default source directive - restricts all resource types by default
CSP_DEFAULT_SRC = "'self'"

# Script source directive - controls where scripts can be loaded from
# Includes Socket.IO CDN which is required by the application
# 'unsafe-inline' is needed for Socket.IO to function properly
# Cloudflare Insights is used for analytics
CSP_SCRIPT_SRC = "'self' 'unsafe-inline' https://cdn.socket.io https://static.cloudflareinsights.com"

# Style source directive - controls where styles can be loaded from
# 'unsafe-inline' is needed for some inline styles in the application
CSP_STYLE_SRC = "'self' 'unsafe-inline'"

# Image source directive - controls where images can be loaded from
# 'data:' allows base64 encoded images
CSP_IMG_SRC = "'self' data:"

# Connect source directive - controls what network connections are allowed
# Includes WebSocket connections needed for real-time updates
CSP_CONNECT_SRC = "'self' wss: ws:"

# Font source directive - controls where fonts can be loaded from
CSP_FONT_SRC = "'self'"

# Object source directive - controls where plugins can be loaded from
# 'none' disables all object, embed, and applet elements
CSP_OBJECT_SRC = "'none'"

# Media source directive - controls where audio and video can be loaded from
# Allows audio alerts from your domain and potentially CDN sources in the future
CSP_MEDIA_SRC = "'self' data: https://*.amazonaws.com https://*.cloudfront.net"

# Frame source directive - controls where iframes can be loaded from
# If you integrate with TradingView or other platforms, you may need to add their domains
CSP_FRAME_SRC = "'self'"

# Form action directive - restricts where forms can be submitted to
CSP_FORM_ACTION = "'self'"

# Frame ancestors directive - controls which sites can embed your site in frames
# This helps prevent clickjacking attacks
CSP_FRAME_ANCESTORS = "'self'"

# Base URI directive - restricts what base URIs can be used
CSP_BASE_URI = "'self'"

# Set to TRUE to upgrade insecure (HTTP) requests to HTTPS
# Recommended for production environments
CSP_UPGRADE_INSECURE_REQUESTS = 'FALSE'

# URI to report CSP violations to (optional)
# Example: /csp-report
CSP_REPORT_URI = ''

Hereโ€™s a clear and professional documentation update for your .sample.env, suitable for inclusion at:


โœ… OpenAlgo .env Configuration Explained

This file controls OpenAlgo's broker credentials, security options, server settings, and key platform behaviors like rate limits, API access, CORS, and CSP.


๐Ÿ” Broker Configuration

BROKER_API_KEY = 'YOUR_BROKER_API_KEY'
BROKER_API_SECRET = 'YOUR_BROKER_API_SECRET'

# Market Data Configuration (Optional and Required only for XTS API Supported Brokers)

BROKER_API_KEY_MARKET = 'YOUR_BROKER_MARKET_API_KEY'
BROKER_API_SECRET_MARKET = 'YOUR_BROKER_MARKET_API_SECRET'

Set your broker credentials here. Required for placing live orders. For XTS-supported brokers, market keys can be optionally configured.


๐Ÿ”„ Redirect URLs

REDIRECT_URL=http://127.0.0.1:5000/<broker>/callback

Used in OAuth-based brokers (like Fyers). Update if you're using a custom domain or ngrok.


โœ… Valid Brokers

VALID_BROKERS=fivepaisa,fyers,zerodha,...

Comma-separated list of supported broker plugins enabled in your OpenAlgo deployment.


๐Ÿ”’ Application Keys

APP_KEY=...
API_KEY_PEPPER=...
  • APP_KEY: Internal application identifier.

  • API_KEY_PEPPER: Random 64-character hex string used for API key hashing, password hashing, and broker token encryption. ๐Ÿ” Generate it with:

    python -c "import secrets; print(secrets.token_hex(32))"

๐Ÿ—ƒ๏ธ Database

DATABASE_URL=sqlite:///db/openalgo.db

Use SQLite locally. You can point to PostgreSQL or MySQL if needed.


๐ŸŒ Server Configuration

FLASK_HOST_IP=127.0.0.1
FLASK_PORT=5000
FLASK_ENV=development

Control local Flask server binding and environment behavior. Set FLASK_HOST_IP=0.0.0.0 if you want OpenAlgo accessible from other devices on your LAN.


๐Ÿšฆ Rate Limiting

LOGIN_RATE_LIMIT_MIN="5 per minute"
LOGIN_RATE_LIMIT_HOUR="25 per hour"
API_RATE_LIMIT="10 per second"

Protects API and login endpoints from brute-force or abuse.


โฑ๏ธ Strategy Execution Delay

SMART_ORDER_DELAY=0.5

Delay in seconds between multi-legged order execution. Useful for options or basket strategies.


๐Ÿ•’ Session Expiry

SESSION_EXPIRY_TIME=03:00

Automatically expires all user sessions daily at this time (IST). Format: HH:MM


๐ŸŒ CORS Configuration (Cross-Origin Resource Sharing)

CORS_ENABLED=TRUE
CORS_ALLOWED_ORIGINS=http://127.0.0.1:5000
CORS_ALLOWED_METHODS=GET,POST
CORS_ALLOWED_HEADERS=Content-Type,Authorization,X-Requested-With
CORS_ALLOW_CREDENTIALS=FALSE
CORS_MAX_AGE=86400
  • CORS is only required for browser-based apps (like React/Vue UIs) calling the OpenAlgo API.

  • By default, only requests from the same origin are allowed (http://127.0.0.1:5000).

  • To support external frontends (e.g., http://localhost:3000 or https://data.openalgo.in), you must add those domains to CORS_ALLOWED_ORIGINS.

๐Ÿง  CORS does not affect Postman, curl, TradingView, or server-side requests. It's enforced only by browsers.


๐Ÿ” CSP Configuration (Content Security Policy)

CSP_ENABLED=TRUE
CSP_REPORT_ONLY=FALSE
CSP_DEFAULT_SRC='self'
...
CSP_SCRIPT_SRC='self' https://cdn.socket.io
CSP_STYLE_SRC='self' 'unsafe-inline'
CSP_IMG_SRC='self' data:
CSP_CONNECT_SRC='self' wss: ws:
...
  • Adds a security header to prevent XSS, data injection, or loading of untrusted resources.

  • By default, only your own domain ('self') and essential WebSocket/Socket.IO scripts are allowed.

  • Set CSP_REPORT_ONLY=TRUE to test without breaking your app (recommended for dev).

  • Add CSP rules cautiously when embedding iframes (e.g., TradingView), custom fonts, or CDNs.


Optional CSP Reporting

CSP_REPORT_URI=/csp-report

If set, violations are reported here. You can use this to monitor violations via tools like Sentry or self-logging.


๐Ÿงช Recommended Defaults for Local Testing

Variable
Suggested Value

CORS_ENABLED

TRUE

CORS_ALLOWED_ORIGINS

http://127.0.0.1:5001

CSP_ENABLED

TRUE

CSP_REPORT_ONLY

TRUE


PreviousNgrok ConfigNextStart OpenAlgo

Last updated 13 days ago

๐Ÿ“„

https://docs.openalgo.in/getting-started/windows-installation/environmental-variables