Read-Only vs Full-Access Broker Integrations: What Changes for Your Account
May 30, 2026
Every trading journal, analytics platform, or risk-tracking tool needs some kind of access to your broker data. The question is what kind. The difference between read-only and full-access integrations isn't a marketing detail — it determines whether a compromise of the tool's servers means losing your account.
This is especially important for prop traders. A prop firm account isn't yours in the legal sense — it's the firm's capital, lent to you under specific rules. Granting third-party order-placement access to a prop account can violate the terms of your trader agreement and is almost never necessary for journaling or analytics.
What the OAuth scopes actually do
Tradovate's OAuth flow exposes a set of scopes that a third-party app can request. Read-only scopes give the app permission to fetch account balances, positions, and completed trade history. Trading scopes grant the ability to place, modify, or cancel orders.
An app that needs only journaling and analytics should request only the read-only scopes — typically `read_account` and `read_history`. If an app asks for `trade` or `order` scopes during authorisation, it is requesting the ability to execute trades on your behalf. That should be a conscious choice, not an accident.
Why this matters for prop accounts
Prop firms care a great deal about who is trading the account. The standard trader agreement requires that you are the sole person executing trades. Granting full-access OAuth to a third-party tool — even one you trust — can be interpreted as letting someone else trade the account, which is a violation.
Some firms have explicitly stated that the use of automated tools to place orders on a prop account is grounds for termination. Other firms haven't made a clear ruling but are likely to interpret it the same way if a payout is contested.
The blast radius of a compromise
Imagine the third-party tool's servers get compromised. With read-only access, the attacker can see your trade history — annoying, but not destructive. With trading access, the attacker can place orders, intentionally bust your accounts, or run wash trades that get you flagged.
The compounded risk: if you connect multiple accounts to the same tool with trading access, a single compromise can take out every account at once. Read-only inverts this — even a worst-case compromise reveals data, not capital.
How to evaluate a third-party tool
Three questions. (1) What OAuth scopes does it request during connection? Watch the authorisation screen carefully. (2) What scopes does it claim it needs, and does the use case actually require them? Journaling does not require trading scopes. (3) Where is the data stored, and is the tool clear about it?
If the tool can demonstrate it works in read-only mode, you have no reason to grant it more. If it insists on full access, ask what it does that requires write permission. The honest answer for most journaling and analytics tools is: nothing.
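One way to run the first check before approving a connection, as an added example that is not TradeRR's or Tradovate's code: it reads the `scope` parameter from the authorisation URL and fails closed on anything outside a read-only allowlist. The scope names are the ones this article mentions; the `broker.example` host, the `journal-app` client id and the function names are constructed for illustration, and the space-delimited `scope` parameter is the standard OAuth 2.0 form.

```python
from urllib.parse import urlsplit, parse_qs

# Scope names as given in the article; a real broker's names may differ.
READ_ONLY_ALLOWLIST = {"read_account", "read_history"}
# Words the article says indicate trading permission on the consent screen.
TRADING_MARKERS = ("trade", "order", "write")


def requested_scopes(authorization_url):
    """Extract the scope set from an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlsplit(authorization_url).query)
    scopes = set()
    for value in query.get("scope", []):  # tolerate a repeated parameter
        scopes.update(value.split())      # RFC 6749: space-delimited list
    return scopes


def audit_scopes(scopes):
    """Fail closed: anything outside the read-only allowlist blocks approval."""
    report = {"read_only": [], "trading": [], "unknown": []}
    for scope in sorted(scopes):
        if scope in READ_ONLY_ALLOWLIST:  # scope strings are case-sensitive
            report["read_only"].append(scope)
        elif any(marker in scope.lower() for marker in TRADING_MARKERS):
            report["trading"].append(scope)
        else:
            report["unknown"].append(scope)
    # An empty request is not safe either: the server then applies its own
    # default scope, which this check cannot see.
    report["journaling_safe"] = bool(report["read_only"]) and not (
        report["trading"] or report["unknown"]
    )
    return report


if __name__ == "__main__":
    # Constructed sample URLs; host and client_id are placeholders.
    base = "https://broker.example/oauth/authorize?response_type=code&client_id=journal-app"
    for url in (
        base + "&scope=read_account%20read_history",
        base + "&scope=read_account+trade",
        base,
    ):
        print(audit_scopes(requested_scopes(url)))
```

This checks only what the app asks for; the consent screen and the scope returned with the token are what show what was actually granted.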
How TradeRR handles this
TradeRR's Tradovate integration is read-only at the OAuth scope level. The authorisation flow requests only the scopes needed to fetch account balances, positions, and trade history. The app cannot place, modify, or cancel orders — the permissions simply aren't present.
This is enforced at the OAuth grant layer, not as a TradeRR-side policy. Even if TradeRR's servers were compromised, the access tokens would not include trading permission. The blast radius is bounded to data, not capital.
Frequently asked questions
What does read-only broker integration mean?
The third-party tool can fetch account balances, positions, and trade history but cannot place, modify, or cancel orders. The OAuth grant explicitly excludes trading scopes.
Why does it matter for prop firm accounts?
Prop firm trader agreements typically require that only you execute trades on the account. Granting trading access to a third-party tool can be interpreted as letting someone else trade the account, which violates most agreements.
How do I check what scopes an app is requesting?
Read the OAuth authorisation screen carefully when you connect. It will list the scopes the app is requesting. If it includes order, trade, or write scopes, the app is asking for trading permission, not just data access.