How to Access fileX
fileX supports four access methods:
 | SFTP: FINRA customers can upload or download files through Secure File Transfer Protocol (SFTP), a standard file transfer mechanism to securely transmit files between systems and machines. fileX supports the full security and authentication functionalities provided by SFTP. |
 | HTTPS: FINRA customers can upload or download files using REST APIs over HTTPS protocol. Customers can make standard REST API calls to the endpoint URL with valid credentials for authentication. REST API calls are encrypted through HTTPS. |
 | S3: FINRA customers can upload or download files natively through AWS S3 APIs. Customers who are already using Amazon AWS S3 can take advantage of this method to send/receive files directly to/from their S3 bucket. |
 | UI UPLOADS : FINRA customers can upload and download files, one at a time, through the FINRA Gateway Upload app. Customers can also use Upload app to manage their file history and view file feedback. |
Onboarding
Entitlement and Access Control
FINRA Entitlement Service controls access and privileges granted to customer accounts to access various services provided by FINRA. Customers have the option of creating multiple file transfer accounts with different access privileges. Types of user access includes, but is not limited to,
- read/download only
- submit only
- submit and download
This allows customers to support separation of duties within the firm across different departments. The Administrator (typically SAA) of the firm needs to contact FINRA Support at 800-321-6273 or visit the web page at https://tools.finra.org/cc_support/ to open a support request to onboard to fileX. Onboarding to fileX includes creating file transfer accounts and obtaining respective FINRA Application File Transfer entitlements.
fileX leverages FINRA provisioned entitlements to control access to specific upload/download directories or the respective HTTPS REST endpoints. Access to the upload and download capabilities will be controlled by specific FINRA entitlements.
On Behalf Of
Third parties can submit or download secure file transfers through fileX on behalf of (OBO) firms or organizations that have granted them permission. The OBO feature is currently only available through UI or SFTP transfer methods.
Pre-requisite
To submit or retrieve a file on behalf of another party, you must have a Prime account. See here for more information on how to create On Behalf Of (OBO) Relationship Requests.
fileX Basics
Authorization (API Basic)
The FINRA API Platform authentication and authorization scheme is based on OAuth 2.0., and there are two steps. The first call is made to FINRA Identity Platform (FIP) using credentials provided by FINRA Entitlement Service to get an OAUTH2 token. The second call is made to the fileX API endpoint with the "Authorization= Bearer" header and with the token generated in step 1.
To invoke FIP OAUTH2 API:
- Use any HTTP client, make a HTTPS POST call with FINRA Entitlement service provided credentials as Basic Auth header.
- Use the environment specific domain with the OAUTH URI: fip/rest/ews/oauth2/access_token 3. Use any standard library that supports OAUTH2 client credentials grant.
- The library should be configured with grant_type=client_credentials
Client id, Client secret will be the existing user account id and password provided by FINRA Entitlement services
FIP OAUTH2 API response will be in JSON format. Example of the response from https://ews.fip.finra.org/fip/rest/ews/oauth2/access_token :
{
"access_token": "*AAJTSQACMDIABHR5cGUAA0pXVAACUzEAAjAx*eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ZXlKMGVYQWlPaU pLVjFRaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJaXdpWVd4bklqb2laR2x5SW4wLi56RlNXS09XZklKX1FJT3htWEZtalpB LjF4LVVCMF9OdG85WmhkZlRvTW10dXNNZkxGMUN6MS0tVVVKYTYzYXBwdm8xWExVYzRLXy1raUVEOHFpRXpLZU14aUtLWDc1eTRwcVc4eVlDMs",
"scope": "any",
"token_type": "Bearer",
"expires_in":"43170"
}
Environment and Connectivity
FINRA recommends customers to first test their setup in lower environments before cutting it over to ‘Production’.
| PRODUCTION | CUSTOMER TEST | LOWER (QA) | |
|---|---|---|---|
| Environment description | Live/production environment | Production-like customer test environment | Non-Production environment for test purposes |
| Credentials | Production FINRA Enterprise Web Security (EWS) credentials | Production FINRA Enterprise Web Security (EWS) credentials | Contact the respective FINRA application to get credentials for this environment |
| Hostname /URL | filex.finra.org | filex.ct.finra.org | filex-int.qa.finra.org |
| Static IP Addresses for SFTP | 52.207.197.35 35.171.199.181 | 18.209.156.254 34.225.135.103 | 52.201.46.30 52.70.2.197 |
| Port for SFTP | 22 | 22 | 22 |
| Port for REST methods | 443 | 443 | 443 |
| FIP OAUTH2 URL | https://ews.fip.finra.org/fip/rest/ews/oauth2/access_token | https://ews.fip.finra.org/fip/rest/ews/oauth2/access_token | https://ews-qaint.fip.qa.finra.org/fip/rest/ews/oauth2/access_token |
TLS Certificates
FINRA Web applications/systems use TLS Certificates signed by following Certificate Authorities:
- Entrust CA
- DigiCert CA
- Amazon CA
Please ensure your applications/system trusts all the above listed Certificate Authorities when using fileX HTTPS REST APIs. FINRA APIs only support TLS version 1.2 encryption standards. See FAQs for supported ciphers.
Response Codes
The FIP API can return a range of standard HTTP response codes based on the request made to the service. Here is a list of common response codes:
| Response Code | Possible Reasons |
|---|---|
| 200 OK | Indicates a successful request |
| 400 Bad Request: error_message: “Invalid Credentials” | Either the username or password provided were incorrect or there is an issue with the user |
| 400 Bad Request: error_message: “Invalid credentials format” | The Basic Authorization header’s string is malformed |
| 400 Bad Request: error_message: “Grant type is required” | The “grant_type” parameter key was either malformed or not provided |
| 400 Bad Request: error_message: “Only client_credentials grant type is supported” | The value for the “grant_type” parameter was something other than “client_credentials” |
| 403 Forbidden | Indicates request to an invalid resource |
| 500 Internal Server Error | Indicates a possible problem with FIP |
fileX APIs return a range of standard HTTP response codes based on the request made to the service. Table below lists the response codes and possible reasons
| Response | Possible Reasons |
|---|---|
| 200 OK | Indicates a successful request |
| 400 Bad Request | Indicates the request was malformed |
| 401 Unauthorized | Indicates that either the account lacks sufficient entitlement to access requested resource or provided credentials are invalid |
| 403 Forbidden | Indicates request to an invalid resource |
| 404 Not Found | Indicates the file/directory is not found/available |
| 500 Internal Server Error | Indicates a possible problem with fileX service |
If you encounter issues or response code other than 200 (success), please check your request for errors/invalid content and retry. If you still encounter issues after fixing your request, please contact FINRA Support with the response code and the request details for further assistance
Request Headers
The following header parameters should be passed (as applicable) when making all the fileX REST API calls:
| Header | Required (Y/N) | Default | Example |
|---|---|---|---|
| Authorization | Y | N/A | Authorization: Bearer (OAUTH Token from FIP) |
| Accept | N | application/json | application/json, application/xml |
| Content-Type | N | application/json | application/json, application/xml |