The end of BlueVestment?

[rawraw]

Yea, you 3rd party guys should pressure LC into having API specific passwords as part of this process.  Then it limits the liability of LC and the API guys in case of problems.

As of the latest release of the API (version 1.4) - this is the case. There is an API specific credential for just this purpose.

Yeah but without the cash balance in API it's not useful

First, see my comment above regarding this functionality coming soon. Second, you do not need to know the cash balance to submit an order through the API; if you submit an order and there is not sufficient funds - you get an INSUFFICIENT_CASH response. This is all in the API developer documentation from Lending Club...

Cool deal man. Appreciate it

[BruiserB]

Yeah but without the cash balance in API it's not useful

First, see my comment above regarding this functionality coming soon. Second, you do not need to know the cash balance to submit an order through the API; if you submit an order and there is not sufficient funds - you get an INSUFFICIENT_CASH response. This is all in the API developer documentation from Lending Club...

It seems to me the cash balance would be needed, unless the API will allow a partial filling of an order when there is "insufficient cash."

For instance, if 15 notes pass my filters and an order is filed via the API, and I only have enough cash for 10 of them, will it buy 10 for me?  If so, which 10?  My highest priority ones?  I have been under the impression that the cash balance was needed so that the third party site knows before placing my order that I have enough cash for 10 notes, then it can pick the first 10 that meet my highest priority filters and file the order.  I guess an alternative would be to have the third party sites file orders for 1 note at a time until the cash is gone, but I would think that wouldn't be efficient for either the 3rd parties or for Lending Club.

I'm really happy to hear a new API is being tested and hope it is available for use soon.  Lending Club needs to continue to push to get this out as it would make the risk to credential compromise moot.  Lending Club should then implement some additional security....perhaps text message authentication or something similar if a customer logs in from an unfamiliar computer or tries to change e-mail address or bank account info.  As of now, to change bank account info you would have to wait for and confirm small deposits, so it's not like someone could clear your account out all that quickly even if they had access to your credentials....but extra measures could be put in place to make it even more difficult.

[lascott]

Yea, you 3rd party guys should pressure LC into having API specific passwords as part of this process.  Then it limits the liability of LC and the API guys in case of problems.

As of the latest release of the API (version 1.4) - this is the case. There is an API specific credential for just this purpose.

Yeah but without the cash balance in API it's not useful

First, see my comment above regarding this functionality coming soon. Second, you do not need to know the cash balance to submit an order through the API; if you submit an order and there is not sufficient funds - you get an INSUFFICIENT_CASH response. This is all in the API developer documentation from Lending Club...

As well as the points made above it that doesn't give us the functionality that we users want.  We want to have a cash limit/cap.  So  tell the "3rd-party-tool" (BlueVestment, LendingRobot) do not submit note orders that take our cash below our "$1,000" cash limit because in a week or two I need to take that money out for something (as just one example).   With chunks of payments almost random coming one some days of the week and with only a portion of notes invested in going through and the other portion being canceled the cash balance bounces all over the place in an unpredictable manner.

I get these emails daily where the resulting y money value pops into my account at differing times.

x Note(s) issued and $xxx.xx was invested.
y Note(s) did not issue.

[rawraw]

I suggested two factor authentication recently and they forwarded it up. It'd be nice for things like Folio and changing bank

[thinkfastsuit]

Yeah but without the cash balance in API it's not useful

First, see my comment above regarding this functionality coming soon. Second, you do not need to know the cash balance to submit an order through the API; if you submit an order and there is not sufficient funds - you get an INSUFFICIENT_CASH response. This is all in the API developer documentation from Lending Club...

It seems to me the cash balance would be needed, unless the API will allow a partial filling of an order when there is "insufficient cash."

For instance, if 15 notes pass my filters and an order is filed via the API, and I only have enough cash for 10 of them, will it buy 10 for me?  If so, which 10?  My highest priority ones?  I have been under the impression that the cash balance was needed so that the third party site knows before placing my order that I have enough cash for 10 notes, then it can pick the first 10 that meet my highest priority filters and file the order.  I guess an alternative would be to have the third party sites file orders for 1 note at a time until the cash is gone, but I would think that wouldn't be efficient for either the 3rd parties or for Lending Club.

I'm really happy to hear a new API is being tested and hope it is available for use soon.  Lending Club needs to continue to push to get this out as it would make the risk to credential compromise moot.  Lending Club should then implement some additional security....perhaps text message authentication or something similar if a customer logs in from an unfamiliar computer or tries to change e-mail address or bank account info.  As of now, to change bank account info you would have to wait for and confirm small deposits, so it's not like someone could clear your account out all that quickly even if they had access to your credentials....but extra measures could be put in place to make it even more difficult.

The API is designed to fulfill partial orders per the documentation. The last time I tested this (albeit this was many months ago), it did not work as described so I simply handled this in code (censoring proprietary order execution method here). It is advantageous for third party sites to know your cash balance so that we don't waste cycles (and time) evaluating rules and submitting orders for accounts that don't have funds available to invest. Again, there is a lot of opportunity for optimization in your rule and order processing via code - and this is again a proprietary differentiator for third party sites.

[AnilG]

Two factor authentication has its own weakness but it is still a better option for user security. But none of these solutions solve the "insecurity" with third party access to your account. With current username/password or API Key, your security is as good as third party claims, not much IMO. I doubt any of the third party sites will meet PCI compliance audit with storing your credentials typically required for financial transactions and by financial institutions.

What platforms need is a secure way to allow third party to access your account and perform transactions on your behalf. Anything short of token-based system and your authentication information never hitting and stored on third party site, similar to the systems used by Credit Card processors, is opening up Lending Club and third party sites for lot of pain if there were to be a security breach. That has been my recommendation to platforms like Lending Club. If they are interested in having a third-party ecosystem, implement a PCI compliant token based authentication system and share the cost with third party sites. With the early stage of most platforms, I don't see anyone implementing it yet. But LC is in the best position now to set the standard assuming they want a third-party order execution based ecosystem.

I suggested two factor authentication recently and they forwarded it up. It'd be nice for things like Folio and changing bank

[AnilG]

Did you just break your NDA with Lending Club by disclosing this information publicly? If I understood the T&C to participate in REST API program correctly, you were bound by NDA and not to disclose any information related to the program publicly. 

About a month and a half ago lending club announced to developers they would be migrating toward REST API and asked for volunteers in the Beta program. If you requested to participate, you should've gotten more information a couple weeks ago regarding the Beta program and enhanced functionality including cash balance available through the API. This cannot be used in production as of yet, per the specific terms of the testing program - but it's coming.

[refinerr]

I was reading through the legal documents LC sent over earlier this week to me when I requested an API for a TPA.  Within the agreement it states you agree to not provide your log in credentials to any third party. What are the consequences of this to the everyday end user like myself?

[brycemason]

You don't provide the username/password, you provide your authorization token.

[BruiserB]

You don't provide the username/password, you provide your authorization token.

Actually you provide both.  Both automated platforms I've used request the username/password so they can get cash on hand info prior to loan release. My understanding is that if/when LC provides cash on hand in the API, this won't be necessary.


Sent from my iPad using Tapatalk

[BruiserB]

I was reading through the legal documents LC sent over earlier this week to me when I requested an API for a TPA.  Within the agreement it states you agree to not provide your log in credentials to any third party. What are the consequences of this to the everyday end user like myself?

So far there haven't been consequences.....


Sent from my iPad using Tapatalk

[brycemason]

You don't provide the username/password, you provide your authorization token.

Actually you provide both.  Both automated platforms I've used request the username/password so they can get cash on hand info prior to loan release. My understanding is that if/when LC provides cash on hand in the API, this won't be necessary.


Sent from my iPad using Tapatalk

Fair. Soon you won't have to.

[refinerr]

Thank you Bruiser and Bryce!