DhanHQ 2.2.0 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51941a246763b26e7a08508c3bb5349079ed6312e1ef5bf7593dadb36808e13c
-  data.tar.gz: 12c7d276dbe39ee14df02feff9c61914ac91d049a10b644ac7e184778eea1a68
+  metadata.gz: '09510cd95013213714d5ba4878e87dfa6bd5968cb90ea4e0a539ddb0d05bc2b0'
+  data.tar.gz: 459c316d0f2c68ad8b0556518dfd70762e460e5c68ef063439e73f68ca33ba02
 SHA512:
-  metadata.gz: cfc4cfd03d5d722d4bc8451d71d7189404fc38f931d1ab8772bc796191934b72d82239d5096e272b9aa27aea1a974bb2c6a469cd670dbb7ba85f205d6c291ab8
-  data.tar.gz: f7a17fafd835d9ceb339b255f17f1e408692af094c2658ee9aedf13f013e8558a9170771a7acf2b03b35e39412d9dcaf308ac9e76db168cb39e7b1f745ee1a35
+  metadata.gz: d54cf0cc58e82d1566f525303ea25fddd051b1c838152da39f12509435a16e4005f55417d5516c52f6222b4ba6286c421202d0a148f743be7ca4127b7ef03bae
+  data.tar.gz: ea522dfeb54054d8162d00ead357efb4c444c3dd0c4c182c4d688a2bd9a484d44af7b2bab221476c93fded44511bfff7e8cf4b75d6e962fc8191486bee5440b1

data/CHANGELOG.md

@@ -1,5 +1,52 @@
 ## [Unreleased]
 
+## [2.2.2] - 2026-01-31
+
+### Contracts (date validation)
+
+- **from_date / to_date**: `from_date` must be strictly before `to_date` and must be a valid trading date (no weekend). `to_date` may be any date after `from_date` (format YYYY-MM-DD). Applied in `HistoricalDataContract`, `TradeHistoryContract`, and `ExpiredOptionsDataContract`.
+- **HistoricalDataContract**: Added trading-day check for `from_date` and `from_date < to_date`; inherits `BaseContract`.
+
+### Specs & tooling
+
+- **Specs**: Base model, expired options, trade, and historical data specs updated to use weekday dates and expect `from_date must be before to_date`; VCR cassette `trade_history.yml` updated for new date.
+- **RuboCop**: RSpec/ExampleLength in expired options contract spec fixed via `next_weekday` helper.
+
+---
+
+## [2.2.1] - 2026-01-31
+
+### Authentication
+
+- **RenewToken API**: Added `DhanHQ::Auth.renew_token(access_token, client_id, base_url: nil)` to refresh web-generated access tokens (24h validity). Calls GET `/v2/RenewToken` with `access-token` and `dhanClientId` headers; returns response hash with indifferent access (e.g. `accessToken`, `expiryTime`). Use in `access_token_provider` or `on_token_expired` to refresh and store the new token. Only valid for tokens generated from Dhan Web (not API key flow).
+- **Dhan auth scope**: Documented that the gem does **not** implement API key/secret consent or Partner consent flows; apps obtain tokens via Dhan Web, API key OAuth, or Partner flow and pass them to the gem. See [docs/AUTHENTICATION.md](docs/AUTHENTICATION.md).
+
+### Documentation
+
+- **docs/AUTHENTICATION.md**: Added “How you get the token (Dhan’s responsibility)” (Individual: Web token, RenewToken, API key; Partner: consent flow) and “RenewToken (web-generated tokens only)” with `DhanHQ::Auth.renew_token` usage and example. “See also” updated for GUIDE, rails_integration, TESTING_GUIDE, CHANGELOG 2.2.0/2.2.1.
+- **README.md**: Note under Dynamic access token for RenewToken via `DhanHQ::Auth.renew_token` and that API key/Partner flows are implemented in the app.
+- **GUIDE.md**: “Dynamic access token” section extended with RenewToken (`DhanHQ::Auth.renew_token`) and note that API key/Partner flows are in the app.
+- **docs/TESTING_GUIDE.md**: Optional config comment for RenewToken and pointer to AUTHENTICATION.md (API key/Partner in app).
+- **docs/rails_integration.md**: “Dynamic access token” section extended with RenewToken (web-generated tokens) and link to AUTHENTICATION.md.
+- **docs/websocket_integration.md**, **docs/live_order_updates.md**: Notes updated for dynamic token, RenewToken, and API key/Partner in app.
+- **docs/standalone_ruby_websocket_integration.md**, **docs/rails_websocket_integration.md**: Configuration section updated with RenewToken and AUTHENTICATION.md link.
+
+### CI / Release
+
+- **Release workflow**: Aligned with ollama-client: tag-based release (`on: push: tags: v*`), validate tag vs gem version, use `GEM_HOST_API_KEY` for RubyGems push (no credentials file), single retry with OTP. Removed GitHub Release step.
+- **RELEASING.md**, **docs/RELEASE_GUIDE.md**: Updated to describe tag-only publish and `GEM_HOST_API_KEY`; removed references to “Create GitHub Release” and “Run tests” in release job.
+
+### Fixes
+
+- **RuboCop**: Layout/EmptyLineAfterGuardClause — added blank line after guard clauses in Configuration, WS client, market depth client, orders connection. Style/NilLambda — `-> { nil }` → `-> {}` in configuration_spec. RSpec/InstanceVariable — replaced `@token_call_count` and `@hook_called`/`@hook_error` with `let(:token_call_count)`, `let(:token_provider)`, `let(:hook_state)` in client_spec auth-failure examples.
+- **CI**: Gemfile.lock updated for path gem version (DhanHQ 2.2.1) so `bundle install` in frozen mode succeeds.
+
+### Added
+
+- **lib/DhanHQ/auth.rb**: New module with `Auth.renew_token` for Dhan RenewToken API.
+
+---
+
 ## [2.2.0] - 2026-01-31
 
 ### Authentication & token handling

data/GUIDE.md

@@ -71,7 +71,11 @@ Set any of the following environment variables _before_ calling
 
 **Dynamic access token**
 
-For token rotation without restarting the app, set `access_token_provider` (Proc/lambda) so the token is resolved at request time. When the API returns 401 or token-expired (error code 807) and the provider is set, the client retries the request once with a fresh token. Optional `on_token_expired` is called before that retry. See [docs/AUTHENTICATION.md](docs/AUTHENTICATION.md) and README “Dynamic access token”.
+For token rotation without restarting the app, set `access_token_provider` (Proc/lambda) so the token is resolved at request time. When the API returns 401 or token-expired (error code 807) and the provider is set, the client retries the request once with a fresh token. Optional `on_token_expired` is called before that retry.
+
+**RenewToken (web-generated tokens):** If the token was generated from Dhan Web (24h validity), use `DhanHQ::Auth.renew_token(access_token, client_id)` to refresh it; use the returned token in your provider or store. The gem does **not** implement API key/secret or Partner consent flows—implement those in your app and pass the token to the gem.
+
+See [docs/AUTHENTICATION.md](docs/AUTHENTICATION.md) and README “Dynamic access token”.
 
 ---
 

data/README.md

@@ -114,6 +114,8 @@ end
 
 If the API returns **401** or error code **807** (token expired) and `access_token_provider` is set, the client retries the request **once** with a fresh token from the provider. Otherwise it raises `DhanHQ::InvalidAuthenticationError` or `DhanHQ::TokenExpiredError`. Missing or nil token from config raises `DhanHQ::AuthenticationError`.
 
+**RenewToken (web-generated tokens):** For tokens generated from Dhan Web (24h validity), use `DhanHQ::Auth.renew_token(access_token, client_id)` to refresh; use the returned token in your provider or store. The gem does **not** implement API key/secret or Partner consent flows—implement those in your app and pass the token to the gem. See [docs/AUTHENTICATION.md](docs/AUTHENTICATION.md).
+
 ### Logging
 
 ```ruby

data/docs/AUTHENTICATION.md

@@ -1,6 +1,20 @@
 # Authentication & token handling
 
-This document describes how the gem handles access tokens, including dynamic resolution, retry-on-401, and related errors.
+This document describes how the gem handles access tokens, dynamic resolution, retry-on-401, and how that fits with Dhan’s authentication methods.
+
+## How you get the token (Dhan’s responsibility)
+
+Dhan supports several ways to obtain an access token. **The gem does not implement these flows**; your app or the user obtains the token, and the gem uses it.
+
+| User type | Method | Where it happens |
+| --------- |--------|------------------|
+| **Individual** | **Access token from Dhan Web** | User logs in at web.dhan.co → My Profile → Access DhanHQ APIs → Generate token (24h). You can refresh it with **RenewToken** (see below); the gem can call that for you. |
+| **Individual** | **API key & secret (OAuth)** | User creates API key/secret at web.dhan.co. Your app does: (1) Generate consent, (2) Browser login, (3) Consume consent to get `accessToken` and `expiryTime`. Implement this flow in your app; then pass the token to the gem via `access_token` or `access_token_provider`. |
+| **Partner** | **Partner consent flow** | You have `partner_id` and `partner_secret`. Your app does: (1) Generate consent, (2) User logs in on browser, (3) Consume consent to get `accessToken`. Implement in your app; pass the token to the gem. |
+
+**What the gem provides:** It accepts a token (static or from a provider), sends it on every request, and can retry once on 401 when you use `access_token_provider`. It also provides **`DhanHQ::Auth.renew_token`** for refreshing **web-generated** tokens (RenewToken API). It does **not** implement API key/secret consent or Partner consent; use Dhan’s docs and your own HTTP client for those.
+
+For full details and curl examples, see [DhanHQ API docs](https://dhanhq.co/docs) (Authentication).
 
 ## Static token (default)
 
@@ -34,6 +48,37 @@ end
 
 REST and WebSocket clients both use `config.resolved_access_token`, which calls the provider when set or falls back to `access_token`.
 
+## RenewToken (web-generated tokens only)
+
+If the token was **generated from Dhan Web** (not API key flow), you can refresh it (24h validity) using Dhan’s RenewToken API. The gem provides a helper:
+
+```ruby
+# Returns a hash with API response (e.g. accessToken, expiryTime). Use the new token for subsequent requests.
+response = DhanHQ::Auth.renew_token(current_access_token, client_id)
+new_token = response["accessToken"] || response[:accessToken]
+# Optional: response may include "expiryTime"
+```
+
+Use this inside `access_token_provider` or in `on_token_expired` to refresh and then return the new token (e.g. store it and return it from the provider on the next request).
+
+Example: refresh in provider and cache the result until near expiry:
+
+```ruby
+# Pseudocode: store current token + expiry; in provider, refresh if expired or near expiry
+config.access_token_provider = lambda do
+  stored = YourTokenStore.current
+  if stored.nil? || stored.expired_soon?
+    response = DhanHQ::Auth.renew_token(stored&.access_token || ENV["ACCESS_TOKEN"], config.client_id)
+    YourTokenStore.update!(response["accessToken"], response["expiryTime"])
+    stored = YourTokenStore.current
+  end
+  raise "Token missing" unless stored
+  stored.access_token
+end
+```
+
+**Note:** RenewToken is only for tokens generated from Dhan Web. For API key or Partner flows, obtain a new token using Dhan’s consent APIs in your app.
+
 ## Retry-on-401
 
 When the API returns **401** or a token-expired error (e.g. error code **807**), and `access_token_provider` is set:
@@ -59,5 +104,7 @@ Rescue `AuthenticationError` for local config/token resolution failures; rescue
 ## See also
 
 - [README.md](../README.md) — Configuration and “Dynamic access token”
-- [rails_integration.md](rails_integration.md) — Rails initializer with optional `access_token_provider`
-- [CHANGELOG.md](../CHANGELOG.md) — 2.2.0 auth and token changes
+- [GUIDE.md](../GUIDE.md) — Dynamic access token and RenewToken
+- [rails_integration.md](rails_integration.md) — Rails initializer with optional `access_token_provider` and RenewToken
+- [TESTING_GUIDE.md](TESTING_GUIDE.md) — Config examples and RenewToken
+- [CHANGELOG.md](../CHANGELOG.md) — 2.2.0 and 2.2.1 auth and token changes

data/docs/TESTING_GUIDE.md

@@ -56,6 +56,8 @@ end
 #   config.access_token_provider = -> { YourTokenStore.active_token }
 #   config.on_token_expired = ->(err) { YourTokenStore.refresh! }
 # end
+# Optional: refresh web-generated tokens with DhanHQ::Auth.renew_token(current_token, client_id)
+# See docs/AUTHENTICATION.md (API key/Partner flows are implemented in your app, not in the gem)
 
 # Set log level for debugging
 DhanHQ.logger.level = Logger::DEBUG

data/docs/live_order_updates.md

@@ -18,7 +18,7 @@ The DhanHQ Ruby client provides comprehensive real-time order update functionali
 ```ruby
 require 'dhan_hq'
 
-# Configure credentials (or use config.access_token_provider for dynamic token; see docs/AUTHENTICATION.md)
+# Configure credentials. For dynamic token use config.access_token_provider; for web tokens refresh with DhanHQ::Auth.renew_token. API key/Partner: implement in app. See docs/AUTHENTICATION.md.
 DhanHQ.configure do |config|
   config.client_id = "your_client_id"
   config.access_token = "your_access_token"

data/docs/rails_integration.md

@@ -122,6 +122,8 @@ end
 
 When the API returns 401 or token-expired (error code 807) and `access_token_provider` is set, the client retries the request **once** with a fresh token from the provider. `on_token_expired` is called before that retry so you can refresh your store if needed.
 
+**RenewToken (web-generated tokens only):** If the token was generated from Dhan Web (24h validity), you can refresh it with `DhanHQ::Auth.renew_token(access_token, client_id)` and store the result; use it in your provider or call it from `on_token_expired`. The gem does **not** implement API key/secret or Partner consent flows—implement those in your app and pass the token to the gem. See [docs/AUTHENTICATION.md](AUTHENTICATION.md).
+
 ## 3. Build service objects for REST flows
 
 Wrap trading actions in plain-old Ruby objects so controllers and jobs stay thin:

data/docs/rails_websocket_integration.md

@@ -99,6 +99,8 @@ end
 
 ## Configuration
 
+For dynamic token use `config.access_token_provider`. For web-generated tokens refresh with `DhanHQ::Auth.renew_token(access_token, client_id)`. API key/Partner flows: implement in your app. See [AUTHENTICATION.md](AUTHENTICATION.md).
+
 ### Environment-Specific Configuration
 
 ```ruby

data/docs/standalone_ruby_websocket_integration.md

@@ -68,6 +68,8 @@ ruby market_feed_script.rb
 
 ## Configuration
 
+For dynamic token at request time use `config.access_token_provider`. For web-generated tokens (24h) refresh with `DhanHQ::Auth.renew_token(access_token, client_id)`. API key/Partner flows: implement in your app and pass the token to the gem. See [AUTHENTICATION.md](AUTHENTICATION.md).
+
 ### Environment Variables
 
 ```bash

data/docs/websocket_integration.md

@@ -32,7 +32,7 @@ DhanHQ.configure do |config|
   config.access_token = ENV["ACCESS_TOKEN"] || "your_access_token"
   config.ws_user_type = ENV["DHAN_WS_USER_TYPE"] || "SELF"
 end
-# For dynamic token at request time (REST + WebSocket), use config.access_token_provider; see docs/AUTHENTICATION.md
+# For dynamic token: use config.access_token_provider. For web-generated tokens, refresh with DhanHQ::Auth.renew_token. API key/Partner flows: implement in your app. See docs/AUTHENTICATION.md.
 ```
 
 ### 2. Market Feed WebSocket (Recommended for Beginners)

data/lib/DhanHQ/auth.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "json"
+
+module DhanHQ
+  # Helpers for Dhan authentication APIs.
+  # The gem does not implement API key/secret consent flows or Partner consent;
+  # use Dhan Web or your own OAuth flow to obtain tokens, then pass them via
+  # configuration. This module supports refreshing web-generated tokens only.
+  module Auth
+    # Refreshes a web-generated access token (24h validity).
+    # Calls POST /v2/RenewToken; expires the current token and returns a new one.
+    # Only valid for tokens generated from Dhan Web (not API key flow).
+    #
+    # @param access_token [String] Current JWT from Dhan Web
+    # @param client_id [String] Dhan client ID (dhanClientId)
+    # @param base_url [String, nil] API base URL (default: DhanHQ.configuration.base_url)
+    # @return [HashWithIndifferentAccess] Response with :access_token and :expiry_time (if present)
+    # @raise [DhanHQ::Error] On HTTP or API error
+    def self.renew_token(access_token, client_id, base_url: nil)
+      base_url ||= DhanHQ.configuration&.base_url || Configuration::BASE_URL
+      url = "#{base_url.chomp("/")}/RenewToken"
+
+      conn = Faraday.new(url: url) do |c|
+        c.request :json
+        c.response :json, content_type: /\bjson$/
+        c.adapter Faraday.default_adapter
+      end
+
+      response = conn.get("") do |req|
+        req.headers["access-token"] = access_token
+        req.headers["dhanClientId"] = client_id
+        req.headers["Accept"] = "application/json"
+      end
+
+      unless response.success?
+        body = begin
+          JSON.parse(response.body.to_s)
+        rescue JSON::ParserError
+          {}
+        end
+        error_message = body["errorMessage"] || body["message"] || response.body.to_s
+        raise DhanHQ::InvalidAuthenticationError, "RenewToken failed: #{response.status} #{error_message}"
+      end
+
+      data = response.body
+      data = JSON.parse(data) if data.is_a?(String)
+      result = data.is_a?(Hash) ? data : {}
+      result.with_indifferent_access
+    end
+  end
+end

data/lib/DhanHQ/configuration.rb

@@ -84,6 +84,7 @@ module DhanHQ
       if access_token_provider
         token = access_token_provider.call
         raise DhanHQ::AuthenticationError, "access_token_provider returned nil or empty" if token.nil? || token.to_s.empty?
+
         token.to_s
       else
         access_token

data/lib/DhanHQ/contracts/expired_options_data_contract.rb

@@ -69,7 +69,8 @@ module DhanHQ
             from_date = Date.parse(values[:from_date])
             to_date = Date.parse(values[:to_date])
 
-            key.failure("from_date must be on or before to_date") if from_date > to_date
+            key.failure("from_date must be before to_date") if from_date >= to_date
+            key.failure("from_date must be a valid trading date (no weekend dates)") unless trading_day?(from_date)
 
             # Check if date range is not too large (max 31 days; to_date is non-inclusive)
             key.failure("date range cannot exceed 31 days") if (to_date - from_date).to_i > 31
@@ -98,6 +99,13 @@ module DhanHQ
           false
         end
       end
+
+      def trading_day?(date)
+        return false unless date.is_a?(Date)
+
+        # Sunday = 0, Saturday = 6; trading days are Monday (1) through Friday (5)
+        (1..5).cover?(date.wday)
+      end
     end
   end
 end

data/lib/DhanHQ/contracts/historical_data_contract.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
+require "date"
+
 module DhanHQ
   module Contracts
     # Validates payloads for the historical data endpoints.
-    class HistoricalDataContract < Dry::Validation::Contract
-      include DhanHQ::Constants
-
+    class HistoricalDataContract < BaseContract
       params do
         # Common required fields
         required(:security_id).filled(:string)
@@ -23,6 +23,33 @@ module DhanHQ
         # (valid: 1, 5, 15, 25, 60)
         optional(:interval).maybe(:string, included_in?: %w[1 5 15 25 60])
       end
+
+      rule(:from_date) do
+        next unless value.is_a?(String) && value.match?(/\A\d{4}-\d{2}-\d{2}\z/)
+
+        d = Date.parse(value)
+        key.failure("must be a valid trading date (no weekend dates)") unless trading_day?(d)
+      rescue Date::Error
+        key.failure("invalid date format")
+      end
+
+      rule(:from_date, :to_date) do
+        next unless values[:from_date].match?(/\A\d{4}-\d{2}-\d{2}\z/) && values[:to_date].match?(/\A\d{4}-\d{2}-\d{2}\z/)
+
+        from_date = Date.parse(values[:from_date])
+        to_date = Date.parse(values[:to_date])
+        key.failure("from_date must be before to_date") if from_date >= to_date
+      rescue Date::Error
+        key.failure("invalid date format")
+      end
+
+      private
+
+      def trading_day?(date)
+        return false unless date.is_a?(Date)
+
+        (1..5).cover?(date.wday)
+      end
     end
   end
 end

data/lib/DhanHQ/contracts/trade_contract.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "date"
+
 module DhanHQ
   module Contracts
     ##
@@ -20,6 +22,7 @@ module DhanHQ
 
       rule(:from_date) do
         key.failure("must be in YYYY-MM-DD format (e.g., 2024-01-15)") unless valid_date_format?(value)
+        key.failure("must be a valid trading date (no weekend dates)") if valid_date_format?(value) && !trading_day?(Date.parse(value))
       end
 
       rule(:to_date) do
@@ -35,9 +38,8 @@ module DhanHQ
             from_date = Date.parse(values[:from_date])
             to_date = Date.parse(values[:to_date])
 
-            key.failure("from_date must be before or equal to to_date") if from_date > to_date
+            key.failure("from_date must be before to_date") if from_date >= to_date
           rescue Date::Error
-            # This shouldn't happen since we already validated format, but just in case
             key.failure("invalid date format")
           end
         end
@@ -49,7 +51,6 @@ module DhanHQ
         return false unless date_string.is_a?(String)
         return false unless date_string.match?(/\A\d{4}-\d{2}-\d{2}\z/)
 
-        # Additional check to ensure it's a valid date
         begin
           Date.parse(date_string)
           true
@@ -57,6 +58,12 @@ module DhanHQ
           false
         end
       end
+
+      def trading_day?(date)
+        return false unless date.is_a?(Date)
+
+        (1..5).cover?(date.wday)
+      end
     end
 
     ##

data/lib/DhanHQ/errors.rb

@@ -21,6 +21,8 @@ module DhanHQ
   class InvalidTokenError < Error; end
   # DH-810
   class InvalidClientIDError < Error; end
+  # Raised when fetching credentials from a token endpoint fails (HTTP error or invalid response).
+  class TokenEndpointError < Error; end
 
   # Rate limits and input validation errors
   # DH-904, 805

data/lib/DhanHQ/version.rb

@@ -2,5 +2,5 @@
 
 module DhanHQ
   # Semantic version of the DhanHQ client gem.
-  VERSION = "2.2.0"
+  VERSION = "2.2.2"
 end

data/lib/DhanHQ/ws/client.rb

@@ -29,6 +29,7 @@ module DhanHQ
 
         token = DhanHQ.configuration.resolved_access_token
         raise DhanHQ::AuthenticationError, "Missing access token" if token.nil? || token.empty?
+
         cid   = DhanHQ.configuration.client_id or raise "DhanHQ.client_id not set"
         ver   = (DhanHQ.configuration.respond_to?(:ws_version) && DhanHQ.configuration.ws_version) || 2
         @url  = url || "wss://api-feed.dhan.co?version=#{ver}&token=#{token}&clientId=#{cid}&authType=2"

data/lib/DhanHQ/ws/market_depth/client.rb

@@ -82,6 +82,7 @@ module DhanHQ
         def build_market_depth_url(config)
           token = config.resolved_access_token
           raise DhanHQ::AuthenticationError, "Missing access token" if token.nil? || token.empty?
+
           cid = config.client_id or raise "DhanHQ.client_id not set"
           depth_level = config.market_depth_level || 20 # Default to 20 level depth
 

data/lib/DhanHQ/ws/orders/connection.rb

@@ -88,6 +88,7 @@ module DhanHQ
           else
             token = cfg.resolved_access_token
             raise DhanHQ::AuthenticationError, "Missing access token" if token.nil? || token.empty?
+
             cid = cfg.client_id or raise "DhanHQ.client_id not set"
             payload = {
               LoginReq: { MsgCode: 42, ClientId: cid, Token: token },

data/lib/dhan_hq.rb

@@ -23,6 +23,7 @@ require_relative "DhanHQ/error_object"
 require_relative "DhanHQ/client"
 require_relative "DhanHQ/configuration"
 require_relative "DhanHQ/rate_limiter"
+require_relative "DhanHQ/auth"
 
 # Contracts
 require_relative "DhanHQ/contracts/base_contract"
@@ -144,5 +145,75 @@ module DhanHQ
       configuration.partner_id = ENV.fetch("DHAN_PARTNER_ID", configuration.partner_id)
       configuration.partner_secret = ENV.fetch("DHAN_PARTNER_SECRET", configuration.partner_secret)
     end
+
+    # Configures the DhanHQ client by fetching credentials from a token endpoint.
+    #
+    # Performs GET <base_url>/auth/dhan/token with Authorization: Bearer <bearer_token>.
+    # Expects JSON with at least +access_token+ and +client_id+. Optional +base_url+ in
+    # the response overrides the Dhan API base URL.
+    #
+    # @param base_url [String, nil] Base URL of your app (e.g. https://myapp.com). If nil, uses ENV["DHAN_TOKEN_ENDPOINT_BASE_URL"].
+    # @param bearer_token [String, nil] Secret token for the endpoint. If nil, uses ENV["DHAN_TOKEN_ENDPOINT_BEARER"].
+    # @return [DhanHQ::Configuration] The configured configuration.
+    # @raise [DhanHQ::TokenEndpointError] On HTTP error or when response lacks access_token/client_id.
+    #
+    # @example Explicit
+    #   DhanHQ.configure_from_token_endpoint(base_url: "https://myapp.com", bearer_token: "secret-token")
+    #
+    # @example From ENV (DHAN_TOKEN_ENDPOINT_BASE_URL and DHAN_TOKEN_ENDPOINT_BEARER set)
+    #   DhanHQ.configure_from_token_endpoint
+    def configure_from_token_endpoint(base_url: nil, bearer_token: nil)
+      base_url ||= ENV.fetch("DHAN_TOKEN_ENDPOINT_BASE_URL", nil)
+      bearer_token ||= ENV.fetch("DHAN_TOKEN_ENDPOINT_BEARER", nil)
+
+      raise TokenEndpointError, "base_url and bearer_token (or ENV DHAN_TOKEN_ENDPOINT_*) are required" if base_url.to_s.empty? || bearer_token.to_s.empty?
+
+      url = "#{base_url.to_s.chomp("/")}/auth/dhan/token"
+      conn = Faraday.new(url: url) do |c|
+        c.response :json, content_type: /\bjson$/
+        c.adapter Faraday.default_adapter
+      end
+
+      response = conn.get("") do |req|
+        req.headers["Authorization"] = "Bearer #{bearer_token}"
+        req.headers["Accept"] = "application/json"
+      end
+
+      unless response.success?
+        body = if response.body.is_a?(Hash)
+                 response.body
+               else
+                 begin
+                   JSON.parse(response.body.to_s)
+                 rescue StandardError
+                   {}
+                 end
+               end
+        msg = body["error"] || body["message"] || body["errorMessage"] || response.body.to_s
+        raise TokenEndpointError, "Token endpoint returned #{response.status}: #{msg}"
+      end
+
+      data = if response.body.is_a?(Hash)
+               response.body
+             else
+               begin
+                 JSON.parse(response.body.to_s)
+               rescue StandardError
+                 {}
+               end
+             end
+      data = data.transform_keys(&:to_s) if data.is_a?(Hash)
+
+      access_token = data["access_token"] || data[:access_token]
+      client_id = data["client_id"] || data[:client_id]
+      raise TokenEndpointError, "Token endpoint response missing access_token or client_id" if access_token.to_s.empty? || client_id.to_s.empty?
+
+      self.configuration ||= Configuration.new
+      configuration.access_token = access_token.to_s
+      configuration.client_id = client_id.to_s
+      dhan_base = data["base_url"] || data[:base_url]
+      configuration.base_url = dhan_base.to_s if dhan_base.to_s != ""
+      configuration
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: DhanHQ
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.2
 platform: ruby
 authors:
 - Shubham Taywade
@@ -202,6 +202,7 @@ files:
 - examples/order_update_example.rb
 - examples/trading_fields_example.rb
 - exe/DhanHQ
+- lib/DhanHQ/auth.rb
 - lib/DhanHQ/client.rb
 - lib/DhanHQ/config.rb
 - lib/DhanHQ/configuration.rb