Skip to content

Login returns 401 Unauthorized - access-token header appears to be expired/rotated #85

Description

@poiuy547379

Problem

POST /sess/login returns 401 even with correct credentials (web login at firstrade.com works fine).

Debug Output

POST https://api3x.firstrade.com/sess/login
<<< Status: 401
<<< JSON body:
{
"statusCode": 401,
"error": "Unauthorized",
"message": "Authentication failed"
}
Request headers sent:
access-token: 833w3XuIFycv18ybi
Content-Type: application/x-www-form-urlencoded

Steps to reproduce

  1. Install latest version from GitHub (pip install git+https://github.com/MaxxRK/firstrade-api.git)
  2. Call FTSession(username=..., password=..., mfa_secret=..., debug=True).login()
  3. Always returns 401

What I verified

  • ✅ Credentials are correct (manual login at firstrade.com succeeds)
  • ✅ TOTP secret is correct (code matches Google Authenticator)
  • ✅ No PIN required on this account
  • ✅ Tested with US VPN — still 401 (not a geo-block issue)
  • ✅ Tested with both PyPI 0.0.38 and latest GitHub version

Hypothesis

The access-token: 833w3XuIFycv18ybi hardcoded in urls.py may have been rotated by Firstrade. The server rejects it with 401 before even validating the username/password.
Could you check if this token needs to be updated? Thank you!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions