Login

The Betfair API offers three login flows for developers, depending on the use case of your application:

Non-Interactive login

If you are building an application which will run autonomously, there is a separate login flow to follow to ensure your account remains secure.

Interactive login

If you are building an application which will be used interactively, then this is the flow for you. This flow has two variants:

Interactive login - Desktop Application

This login flow makes use of Betfair's login pages and allows your app to gracefully handle all errors and redirections in the same way as the Betfair website.

Interactive login - API method

This flow makes use of a JSON API Endpoint and is the simplest way to get started if you are looking to create your own login form.

If you're looking for the quickest way to get started, try the curl example in the Interactive login - API Method.

Login Request Limits

Successful login requests are restricted to 100 requests per minute. In the event of a breach of the login limit, the account will be prevented from creating new login sessions for a 20 minute period. The error TEMPORARY_BAN_TOO_MANY_REQUESTS will be returned in these circumstances. All existing sessions will continue to be valid.

Login FAQs

When should I use the non-interactive login?

 You should use the non-interactive login when the user will not be present to log into the application themselves. An example of this is an automated bot that might need to login without the user triggering a login. 3rd Party interfaces to Betfair, used by multiple users, and which act as a direct proxy of a user request should use the interactive login instead.

Why is the redirect URL required for the interactive login?

The redirect URL is required in order to post the session token to the application at the end of the login process. For further details of how to handle the session token, please see Interactive Login from a Desktop.

Why isn’t there a non-interactive endpoint that accepts only a username and a password?

Betfair take user security very seriously and have made many enhancements to the login process alongside additional changes which have been made at the request of some of our regulators. This means that you cannot rely upon a username and password being the only pieces of information that may be required at login. Some examples of workflows currently in use are 2 factor authorisation codes, additional National Identifiers for a region or requests for additional account information or account migration.

Why does my session time out, even though I’ve been retrieving prices?

For security reasons, we require that the application using the API explicitly calls the Keep Alive operation no more than once within every 24 hours in response to user activity. Non-interactive applications should call the Keep Alive operation every 24 hours whilst they are active.

Why is my interactive login/logout request failing with errorCode=FORBIDDEN?

Your Application Key (App Key) is not using the correct redirect URL. By default only https://www.betfair.com will be allowed as the redirect URL.

Keep Alive

You can use Keep Alive to extend the session timeout period. The minimum session time is currently 20 minutes (Italian Exchange). On the international (.com) Exchange the current session time is 12 hours. Therefore, you should request Keep Alive within this time to prevent session expiry. If you don't call Keep Alive within the specified timeout period, the session will expire. Please note: Session times aren't determined or extended based on API activity.

Please note: You can configure the timeout via My Account > Logout Preferences if required.

Headers

Name | Description | Sample
Accept (mandatory) | Header that signals that the response should be returned as JSON | application/json
X-Authentication (mandatory) | Header that represents the session token that needs to be kept alive | Session Token
X-Application (optional) | Header that represents the Application Key used by the customer to identify the product | App Key

 
The presence of the "Accept: application/json" header will signal that the service should respond with JSON and not an HTML page.


URL Definition (Global)

https://identitysso.betfair.com/api/keepAlive

Other Jurisdictions

Please use the endpoints below if your country of residence is in one of the listed jurisdictions.

Jurisdiction | Endpoint
Australia | https://identitysso.betfair.au/api/keepAlive
Italy | https://identitysso.betfair.it/api/keepAlive
Spain | https://identitysso.betfair.es/api/keepAlive
Romania | https://identitysso.betfair.ro/api/keepAlive
Sweden | https://identitysso.betfair.se/api/keepAlive

Parameters

 The Keep Alive operation requires no parameters.

Response structure


{
  "token":"<token_passed_as_header>",
  "product":"product_passed_as_header",
  "status":"<status>",
  "error":"<error>"
}

Status values


SUCCESS
FAIL

Error values


INPUT_VALIDATION_ERROR
INTERNAL_ERROR
NO_SESSION

Call sample


# full request
curl -k -i -H "Accept: application/json" -H "X-Application: AppKey" -H "X-Authentication: <token>" https://identitysso.betfair.com/api/keepAlive
 
You can use Keep Alive to extend the session timeout period. The minimum session time is currently 20 minutes (Italian Exchange). On the international (.com) Exchange the current session time is 24 hours. Therefore, you should request Keep Alive within this time to prevent session expiry. If you don't call Keep Alive within the specified timeout period, the session will expire. Session times aren't determined or extended based on API activity.

Keep Alive success


curl -k -i -H "Accept: application/json" -H "X-Application: AppKey" -H "X-Authentication: SESSIONTOKEN" https://identitysso.betfair.com/api/keepAlive
  
{
  "token":"SESSIONTOKEN",
  "product":"AppKey",
  "status":"SUCCESS",
  "error":""
}
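
The Keep Alive call above as a Python client, added here as an example and not Betfair's own code. It uses the headers, endpoints and status/error values listed on this page and keeps TLS certificate verification on (the curl samples pass -k, which turns it off while the session token is in the request). The function names, jurisdiction labels and the token-match check are this example's own assumptions.

```python
import json
import urllib.request

# Keep Alive endpoints from this page; the dictionary keys are this example's own labels.
KEEPALIVE_URLS = {
    "global": "https://identitysso.betfair.com/api/keepAlive",
    "australia": "https://identitysso.betfair.au/api/keepAlive",
    "italy": "https://identitysso.betfair.it/api/keepAlive",
    "spain": "https://identitysso.betfair.es/api/keepAlive",
    "romania": "https://identitysso.betfair.ro/api/keepAlive",
    "sweden": "https://identitysso.betfair.se/api/keepAlive",
}
KNOWN_ERRORS = {"INPUT_VALIDATION_ERROR", "INTERNAL_ERROR", "NO_SESSION"}


class KeepAliveError(Exception):
    """Raised when the service does not report status SUCCESS."""


def build_request(session_token, app_key=None, jurisdiction="global"):
    """Build the Keep Alive request; raises KeyError for an unlisted jurisdiction."""
    headers = {"Accept": "application/json", "X-Authentication": session_token}
    if app_key:  # X-Application is optional
        headers["X-Application"] = app_key
    return urllib.request.Request(KEEPALIVE_URLS[jurisdiction], headers=headers)


def check_response(body, sent_token):
    """Validate a Keep Alive response body (str or bytes) and return the parsed dict."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        # An HTML page instead of JSON usually means the Accept header was not sent.
        raise KeepAliveError("response is not JSON") from exc
    if not isinstance(data, dict) or data.get("status") != "SUCCESS":
        error = data.get("error") if isinstance(data, dict) else None
        # Only echo error codes documented on this page; never log raw server text.
        label = error if error in KNOWN_ERRORS else "UNEXPECTED"
        raise KeepAliveError(f"keep alive failed: {label}")
    if data.get("token") != sent_token:
        raise KeepAliveError("response token does not match the session token sent")
    return data


def keep_alive(session_token, app_key=None, jurisdiction="global", timeout=10):
    """Send the request with urllib's default TLS certificate verification."""
    req = build_request(session_token, app_key, jurisdiction)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return check_response(resp.read(), session_token)
```

A NO_SESSION failure means the session has already expired, so the application has to log in again rather than retry Keep Alive.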

Logout

You can use Logout to terminate your existing session.

URL Definition

https://identitysso.betfair.com/api/logout

The presence of the "Accept: application/json" header will signal that the service should respond with JSON and not an HTML page.

Headers


Name | Description | Sample
Accept (mandatory) | Header that signals that the response should be returned as JSON | application/json
X-Authentication (mandatory) | Header that represents the session token created at login | Session Token
X-Application (optional) | Header that represents the Application Key used by the customer to identify the product | App Key

Response structure


{
  "token":"<token_passed_as_header>",
  "product":"product_passed_as_header",
  "status":"<status>",
  "error":"<error>"
}

Status values


SUCCESS
FAIL

Error values


INPUT_VALIDATION_ERROR
INTERNAL_ERROR
NO_SESSION

Call sample


# full request
curl -k -i -H "Accept: application/json" -H "X-Application: AppKey" -H "X-Authentication: <token>" https://identitysso.betfair.com/api/logout