How to generate a Kite Connect API key

From WebNotes, a public knowledge base. Reading time ~7 min. Level: Beginner.

The Kite Connect API requires a valid api_key and api_secret pair to authenticate every session and API call. These credentials are issued by Zerodha’s developer console at kite.trade after you register an app and subscribe to the Kite Connect service. This guide walks through every step of that process.

Why Kite Connect requires an API key

Kite Connect authenticates API clients with a two-credential model. The api_key is a public identifier: it appears in the login URL you send users to, so it can be shared freely. The api_secret is a private credential that must never leave your server. Every session begins with the OAuth-style login flow: the user signs in to Zerodha, Zerodha redirects the browser back to your registered URL carrying a one-time request_token, and your server exchanges that token for a short-lived access_token by submitting a SHA-256 checksum of api_key, request_token and api_secret concatenated in that order. The secret is used only to compute that checksum and is never transmitted, which is why a leaked api_key on its own is harmless while a leaked api_secret lets an attacker complete the token exchange as your app. The api_key is also the identifier against which Zerodha bills and tracks the subscription.

Understanding app types

The developer console offers two app types when you create an app.

Trading app. A Trading app has full read-write access: it can place orders, modify orders, cancel orders, read positions and holdings, and retrieve historical data. Almost all automated trading systems use a Trading app.

Connect app. A Connect app has read-only access to portfolio data, market data, and account information. It cannot place or modify orders. Connect apps are used for analytics dashboards, portfolio trackers, and research tools that need data without order-placement capability.

Choose the type that matches your intended use. You can create only one app per Zerodha client ID, so choose carefully if you need both capabilities: a Trading app covers all read operations as well, while a Connect app can never be upgraded to place orders.

Step-by-step procedure

Log in to the Kite Connect developer console

Navigate to kite.trade in a web browser. Click Login in the top-right navigation bar. Enter your Zerodha client ID (format: AB1234) and password. Click Continue. On the two-factor authentication screen, open your TOTP authenticator app (Google Authenticator, Authy or similar) and enter the six-digit code shown for your Zerodha account. The code refreshes every thirty seconds; submit it before it expires.

After successful authentication you land on the developer console dashboard at kite.trade/developers/apps.

Subscribe to Kite Connect

If your Zerodha account does not have an active Kite Connect subscription, the console shows a subscription prompt before allowing app creation. The subscription fee is Rs 2,000 per month, billed as a monthly charge to your Zerodha client account. This charge is separate from brokerage and is non-refundable for the current month if you cancel mid-cycle.

Click Activate and follow the on-screen billing confirmation. Zerodha deducts the fee from your Zerodha balance or charges it via the linked payment method. Subscription status appears in your Zerodha account statement as “Kite Connect charges.”

Create a new app

On the developer console dashboard, click Create new app. A form appears with the following fields.

Field          Notes
App name       A human-readable name, visible to users during the OAuth consent step.
App type       Trading or Connect (see above).
Redirect URL   The URL Zerodha redirects to after user login, carrying the request_token.
Description    Optional but recommended for your own records.

Fill in all required fields and click Create. Zerodha creates the app and displays the credentials page.

Copy the api_key and api_secret

The credentials page shows two values.

  • api_key: A short alphanumeric string (for example, xxxxxxxxxxxxxxxx). This is the public identifier of your app.
  • api_secret: A longer alphanumeric string. This is shown in full only once immediately after creation. On subsequent visits to the console, the api_secret is partially masked.

Copy both values immediately. Paste them into your password manager or secrets store before leaving the page. If you lose the api_secret, you must regenerate it from the console (which invalidates all existing sessions relying on the old secret).

Configure the redirect URL

The redirect URL is where Zerodha sends the user's browser after they complete the Zerodha login inside your app's authorisation flow. The redirect carries the request_token as a query parameter, alongside status=success and action=login. Your application server must be listening at this URL to capture the token and exchange it for an access_token; the request_token is short-lived and can be exchanged only once, so the exchange has to happen promptly.

For local development and testing, http://127.0.0.1 is accepted; Zerodha does not enforce HTTPS for localhost URLs. For production apps serving real users, the redirect URL must be an HTTPS endpoint on your domain. The request_token travels in the query string, so over plain HTTP it would be readable on the wire, and even over HTTPS it can end up in server access logs and in Referer headers sent to third-party resources loaded from the callback page. Keep the callback page free of third-party resources and avoid logging full request URLs. You can update the redirect URL at any time from the app settings page in the console.

Store credentials securely

Never embed your api_key or api_secret directly in Python scripts, Jupyter notebooks, or any file that may be committed to a version-control system. Use environment variables or a secrets manager.

import os

API_KEY = os.environ["KITE_API_KEY"]
API_SECRET = os.environ["KITE_API_SECRET"]

Set the environment variables in your shell before running your script:

export KITE_API_KEY="your_api_key_here"
export KITE_API_SECRET="your_api_secret_here"

Or use a .env file with a library such as python-dotenv, ensuring .env is listed in your .gitignore.
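As an added example that is not code from this page or from Zerodha's SDK, the following Python ties the redirect-URL step and the credential-storage step together: it reads the credentials from the environment and fails fast if either is missing, builds the public login URL, validates the redirect Zerodha sends back before trusting the request_token, and computes the SHA-256 checksum that the token exchange sends in place of the api_secret. The checksum construction, the login and session endpoints and the X-Kite-Version header follow the Kite Connect documentation; the callback URL http://127.0.0.1:5000/callback, the token and the credential values are constructed placeholders, and the POST itself is left out so the block runs offline.

```python
import hashlib
import os
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as documented by Kite Connect; nothing in this block contacts them.
LOGIN_URL = "https://kite.zerodha.com/connect/login"
SESSION_TOKEN_URL = "https://api.kite.trade/session/token"
ENV_VARS = ("KITE_API_KEY", "KITE_API_SECRET")


def missing_credentials(env):
    """Names of the credential variables that are absent or empty in `env`."""
    return [name for name in ENV_VARS if not env.get(name)]


def load_credentials(env=None):
    """Read api_key and api_secret from the environment and fail fast if either is
    missing, so a misconfigured deployment dies at startup, not at the first API call."""
    env = os.environ if env is None else env
    missing = missing_credentials(env)
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return env["KITE_API_KEY"], env["KITE_API_SECRET"]


def login_url(api_key):
    """The URL users are sent to. It carries only the public api_key, never the secret."""
    return LOGIN_URL + "?" + urlencode({"v": "3", "api_key": api_key})


def redirect_problem(redirect_url, registered_redirect):
    """Return None if the URL Zerodha redirected the browser to should be trusted,
    otherwise a short reason. Scheme, host, port and path must equal the registered
    URL, the login must have succeeded, and a non-empty request_token must be present."""
    got, want = urlparse(redirect_url), urlparse(registered_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return "redirect landed on a URL other than the registered one"
    params = parse_qs(got.query)
    if params.get("status") != ["success"]:
        return "login did not succeed"
    if not params.get("request_token", [""])[0]:
        return "request_token missing"
    return None


def extract_request_token(redirect_url, registered_redirect):
    """The request_token, or ValueError if the redirect fails any check above."""
    problem = redirect_problem(redirect_url, registered_redirect)
    if problem:
        raise ValueError(problem)
    return parse_qs(urlparse(redirect_url).query)["request_token"][0]


def session_checksum(api_key, request_token, api_secret):
    """SHA-256 hex digest of api_key + request_token + api_secret, concatenated in
    that order: the checksum Kite Connect documents for the token exchange."""
    return hashlib.sha256((api_key + request_token + api_secret).encode("utf-8")).hexdigest()


def session_token_request(api_key, request_token, api_secret):
    """Form body for POST /session/token (sent with the header X-Kite-Version: 3).
    The api_secret is consumed locally by the checksum and never appears in the body."""
    return {
        "api_key": api_key,
        "request_token": request_token,
        "checksum": session_checksum(api_key, request_token, api_secret),
    }


if __name__ == "__main__":
    # Constructed placeholder values; the credentials, callback URL and token are not real.
    api_key, api_secret = load_credentials(
        {"KITE_API_KEY": "abc123", "KITE_API_SECRET": "s3cret"}
    )
    registered = "http://127.0.0.1:5000/callback"
    print("send the user to:", login_url(api_key))
    landed = registered + "?action=login&status=success&request_token=r3qt0k3n"
    token = extract_request_token(landed, registered)
    body = session_token_request(api_key, token, api_secret)
    print("POST", SESSION_TOKEN_URL, body)  # the secret is not in the body
```

In a real callback handler, call extract_request_token on the full URL the browser arrived at, POST the returned body to the session endpoint, and then discard the request_token; only the resulting access_token needs to be kept for the day, and it belongs in the same secrets store as the api_secret, not in a log line.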

Regenerating the api_secret

If you suspect your api_secret has been compromised, log in to the developer console, open your app settings, and click Regenerate secret. This immediately invalidates all active sessions that used the old secret. Any running scripts or services that store the old secret will fail on their next API call and must be updated with the new secret. Treat regeneration as a rotation: write the new secret to your secrets store first, then restart every service that reads it, and check that no copy of the old value survives in .env files, notebook outputs or shell history on the host you suspect was compromised.

What can go wrong

  • Subscription not active. If your Zerodha account has insufficient balance or payment fails, the subscription lapses and all API calls return a 403 – TokenException with the message “Invalid API key or access token.” Renew the subscription from the console. See How to renew a Kite Connect subscription.
  • Expired access_token. Access tokens are not permanent: Kite Connect requires a fresh login each trading day, after which calls with the previous day's token fail with the same 403 – TokenException. Build the login step into your daily startup rather than caching a token indefinitely.
  • Lost api_secret. The console masks the api_secret after initial creation. If you did not save it, click Regenerate secret in app settings. All existing access_token sessions for this app are immediately invalidated.
  • One app per client ID. Zerodha allows only one Kite Connect app per client ID. If you need a second set of credentials, you must use a different Zerodha client ID and pay a separate subscription fee.
  • Redirect URL mismatch. Zerodha redirects the browser only to the URL registered in the console. If your handler listens somewhere else (a different protocol, host, port or path), the browser lands on a URL nobody is serving and the request_token is lost, which shows up as a login that never completes. Make the registered URL and the listening endpoint match exactly, including protocol, host, port and path.
  • TOTP failure at console login. The developer console enforces the same TOTP two-factor authentication as Kite. If your authenticator app clock is out of sync, TOTP codes will fail. Sync your device clock to an NTP server.


Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.