How to Connect Your Brokerage Account to a Portfolio Tracker
Manually entering every trade into a portfolio tracker takes time and creates room for error. A direct broker connection solves this — your real positions sync automatically, your trade history imports on its own, and your P&L is always accurate. Here's exactly how broker connections work, which ones are available, and whether they're actually safe.
The problem with manual portfolio tracking
Manual entry works fine when you have a handful of positions and trade infrequently. But for anyone with an active account — placing multiple trades a week, running positions across different asset classes, or managing more than one account — keeping a portfolio tracker in sync manually is a constant drain. Every trade requires logging in, finding the position, and updating the details. Miss one and your P&L figures drift from reality.
Broker connections solve this by making the sync automatic. Once you authorize the connection, your portfolio tracker pulls positions and trade history directly from your broker's API. You never have to enter a trade manually again.
How OAuth 2.0 broker connections actually work
The standard secure method for connecting a portfolio tracker to a broker is OAuth 2.0 — the same authorization protocol used by "Sign in with Google" and bank-linked financial apps. Here's the flow:
- You click "Connect Broker" in the portfolio tracker and select your broker.
- You're redirected to your broker's website — not a third-party page. You log in with your normal broker credentials directly on your broker's domain.
- Your broker shows you what access is being requested — for example, "read portfolio positions and transaction history." You approve or deny.
- Your broker issues a time-limited access token — a string of characters that grants the portfolio tracker permission to read specific data from your account. Your password is never shared.
- The portfolio tracker stores this token securely and uses it to fetch your data on a regular interval.
The critical point: the portfolio tracker never sees your broker username or password at any stage. The OAuth flow happens entirely at your broker's domain. If you revoke access later — in the portfolio tracker or directly in your broker's settings — the token immediately stops working.
Read-only access: what it means and why it matters
Responsible broker integrations request only the minimum permissions needed — specifically, read-only access to positions and transaction history. This means:
- The portfolio tracker can see your holdings, balances, and completed trades.
- The portfolio tracker cannot place orders, cancel orders, transfer funds, or make any changes to your account.
- Even if the portfolio tracker's servers were somehow compromised, an attacker with your read-only token could not execute any trades or move any money.
PortfolioTrackr uses read-only scopes exclusively. Broker portfolios in PortfolioTrackr are labelled as managed by your broker and are locked against manual edits — the positions are your real live holdings, not something you can accidentally modify in the tracker.
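The redirect flow and the read-only restriction described above, seen from the tracker's side. This is an added example, not PortfolioTrackr's code: it uses the standard authorization-code flow with a "state" value and PKCE, which the page does not name, and the broker URL, client ID and scope names are placeholders.

```javascript
const crypto = require('node:crypto');

// Placeholders for illustration; real values come from the broker's API docs.
const AUTHORIZE_URL = 'https://broker.example/oauth/authorize';
const READ_ONLY_SCOPES = ['positions:read', 'transactions:read'];

// Build the redirect to the broker's own login page.
function beginAuthorization(clientId, redirectUri) {
  const state = crypto.randomBytes(32).toString('base64url');        // CSRF binding
  const codeVerifier = crypto.randomBytes(32).toString('base64url'); // PKCE secret
  const codeChallenge = crypto.createHash('sha256')
    .update(codeVerifier).digest('base64url');
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: READ_ONLY_SCOPES.join(' '),
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  // state and codeVerifier stay server-side, tied to the user's session.
  return { url: url.toString(), session: { state, codeVerifier } };
}

// Validate the broker's redirect back before exchanging the code for a token.
function checkCallback(session, query) {
  if (query.error) throw new Error(`authorization denied: ${query.error}`);
  const got = Buffer.from(String(query.state || ''));
  const want = Buffer.from(session.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  if (!query.code) throw new Error('missing code');
  return { code: query.code, code_verifier: session.codeVerifier };
}

// Refuse to store a token whose granted scope goes beyond read-only.
function assertReadOnly(tokenResponse) {
  const granted = String(tokenResponse.scope || '').split(/\s+/).filter(Boolean);
  const extra = granted.filter((s) => !READ_ONLY_SCOPES.includes(s));
  if (granted.length === 0 || extra.length > 0) {
    throw new Error(`unexpected scope: ${extra.join(' ') || '(none reported)'}`);
  }
  return granted;
}
```

The scope check is deliberately strict: a token response that reports no scope at all is rejected rather than assumed to match the request.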
Which brokers does PortfolioTrackr support?
Alpaca — Live now. Alpaca is a commission-free US stock and crypto broker with a well-documented API. If you have an Alpaca account, you can connect it to PortfolioTrackr in about 60 seconds. Your live positions sync automatically every 15 minutes.
Charles Schwab — Coming soon. Schwab has a developer API (via the TD Ameritrade merger infrastructure) that supports OAuth 2.0. PortfolioTrackr has applied for API access and is awaiting approval. Once live, this will be one of the most requested integrations given Schwab's US retail investor base.
Interactive Brokers — In development. IBKR covers more global markets than any other broker and has its own data-sharing program (IBRIT) for third-party integrations. PortfolioTrackr is in the process of setting up IBRIT access, which will enable end-of-day position sync for IBKR accounts across all markets.
Kraken — In development. Kraken is one of the most trusted global crypto exchanges. PortfolioTrackr has submitted an OAuth API application to Kraken and is awaiting approval. This will allow Kraken spot and staking balances to sync alongside your stock portfolios.
What if my broker isn't listed?
Not every broker has a public API available for third-party integrations — some major ones (like Robinhood) don't currently offer one. If your broker isn't supported yet, PortfolioTrackr's AI import tools fill the gap. You can import trades by pasting a broker confirmation message, describing a trade by voice, uploading a screenshot of a trade summary, or importing a CSV export from your broker.
The result isn't quite as seamless as an automatic sync, but it's significantly faster than manual entry and works for any broker worldwide.
How are tokens stored securely?
PortfolioTrackr encrypts every access token using AES-256-CBC before storing it in the database. The encryption key is stored separately from the database. This means that even in the theoretical scenario of a database breach, the access tokens would be unreadable without the key. Tokens are decrypted only in memory, only when needed to make an API call to your broker, and never logged or exposed in responses.
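One way to store a token under AES-256-CBC with the key held outside the database, as an added example rather than PortfolioTrackr's implementation. CBC on its own does not detect a modified ciphertext, so this sketch adds an HMAC (encrypt-then-MAC) and derives per-record keys with HKDF; both are assumptions beyond what the page states, as are the function names and the record ID.

```javascript
const crypto = require('node:crypto');

// Derive separate encryption and MAC keys per record from a master key that lives
// outside the database (environment, KMS). Using recordId as HKDF info means a
// ciphertext copied into another user's row fails verification.
function deriveKeys(masterKey, recordId) {
  const hkdf = (label) => Buffer.from(
    crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), `${label}|${recordId}`, 32));
  return { encKey: hkdf('token-enc'), macKey: hkdf('token-mac') };
}

// Returns the string written to the database: v1.<iv>.<ciphertext>.<tag>
function sealToken(masterKey, token, recordId) {
  const { encKey, macKey } = deriveKeys(masterKey, recordId);
  const iv = crypto.randomBytes(16); // fresh random IV for every encryption
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  const tag = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  return ['v1', ...[iv, ct, tag].map((b) => b.toString('base64url'))].join('.');
}

// Decrypts in memory only; throws if the record was altered or the key is wrong.
function openToken(masterKey, sealed, recordId) {
  const [version, ivB64, ctB64, tagB64] = String(sealed).split('.');
  if (version !== 'v1' || !ivB64 || !ctB64 || !tagB64) {
    throw new Error('malformed record');
  }
  const { encKey, macKey } = deriveKeys(masterKey, recordId);
  const iv = Buffer.from(ivB64, 'base64url');
  const ct = Buffer.from(ctB64, 'base64url');
  const tag = Buffer.from(tagB64, 'base64url');
  const expected = crypto.createHmac('sha256', macKey).update(iv).update(ct).digest();
  // Check the MAC first so tampered data never reaches the CBC padding check.
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) {
    throw new Error('integrity check failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```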
What happens when a token expires?
Access tokens have a limited lifespan — typically a few hours to a few days, depending on the broker. PortfolioTrackr handles short-lived tokens automatically by using refresh tokens to obtain new access tokens in the background, without any action required from you.
If a refresh fails (for example, if you revoked access at the broker, or if the token expired after a long period of inactivity), PortfolioTrackr shows a reconnect banner on your broker portfolio. One tap takes you back through the OAuth flow to re-authorize. Your portfolio history and settings are preserved — only the connection needs to be refreshed.
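The refresh behaviour described above, as an added example (not PortfolioTrackr's code). The connection record shape, the status values and the postToken helper are hypothetical; the "invalid_grant" error code is the standard OAuth 2.0 response for a revoked or expired refresh token.

```javascript
const EXPIRY_SKEW_MS = 60_000; // refresh slightly early to avoid racing expiry

// conn: stored connection row (hypothetical shape). postToken: function that POSTs
// form fields to the broker's token endpoint and resolves to { status, body }.
async function ensureFreshToken(conn, postToken, now = Date.now()) {
  if (conn.status === 'needs_reconnect') return conn;     // wait for re-authorization
  if (conn.expiresAt - now > EXPIRY_SKEW_MS) return conn; // access token still valid

  let res;
  try {
    res = await postToken({
      grant_type: 'refresh_token',
      refresh_token: conn.refreshToken,
    });
  } catch (err) {
    return { ...conn, lastError: 'network' };             // transient: retry next sync
  }
  const { status, body = {} } = res;

  if (status === 200 && body.access_token) {
    return {
      ...conn,
      accessToken: body.access_token,
      // Brokers that rotate refresh tokens return a new one; otherwise keep the old.
      refreshToken: body.refresh_token || conn.refreshToken,
      expiresAt: now + Number(body.expires_in || 0) * 1000,
      status: 'active',
      lastError: null,
    };
  }
  if (status === 400 && body.error === 'invalid_grant') {
    // Refresh token revoked or expired: discard both secrets, prompt a reconnect.
    return {
      ...conn,
      accessToken: null,
      refreshToken: null,
      status: 'needs_reconnect',
      lastError: 'invalid_grant',
    };
  }
  return { ...conn, lastError: `http_${status}` };        // 5xx, 429: keep tokens
}
```

Only a definitive rejection ends the connection; network errors and server-side failures leave the stored tokens in place so the next sync can retry.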
Broker portfolio vs manual portfolio
Once a broker is connected, the synced portfolio in PortfolioTrackr is read-only — you can see all your positions and P&L, but you can't add or delete positions manually. This is intentional: the portfolio reflects your real account, and manual edits would make it inaccurate.
You can still create separate manual portfolios alongside your broker portfolio. Many investors use a manual portfolio for tracking a watchlist, paper trading, or holdings in a broker that isn't yet supported. All portfolios appear in the same dashboard with a combined view available.
Connect Alpaca to PortfolioTrackr — free to try
Alpaca integration is live now. Connect in under 60 seconds and see your real portfolio syncing automatically.
Frequently asked questions
Is it safe to connect my brokerage account to a portfolio tracker?
Yes, when done via OAuth 2.0. You log in at your broker's own site — the tracker never sees your password. PortfolioTrackr receives only a read-only access token, encrypted at rest using AES-256. We cannot place trades, withdraw funds, or modify your account in any way.
Which brokers can I connect to PortfolioTrackr?
Alpaca is live now for US stocks and crypto. Charles Schwab, Interactive Brokers, and Kraken are in active development. For brokers not yet supported, AI import tools (text, voice, screenshot, CSV) cover the gap.
Can a connected portfolio tracker place trades for me?
No. PortfolioTrackr requests read-only permissions only. We can view your positions and history but cannot execute orders, cancel trades, or move funds. Connected portfolios are clearly labelled read-only in the app.
What happens to my data if I disconnect a broker?
You choose: keep the historical data or delete it entirely. Disconnecting removes the OAuth token immediately — PortfolioTrackr can no longer access your broker from that point. You can also revoke access directly in your broker's developer settings.