How to persist the 2FA for weekly use?

[Amir-Inbar]

Hi everyone 👋

I'm using the Docker image and everything is working well — except for 2FA persistence.

Each week I want to restart the container without manually re-approving 2FA again on my phone.
I'm mounting volumes and using CUSTOM_CONFIG=yes as well, but still I get prompted again after restart.

I’m wondering:

What's the correct way to persist the 2FA token across container restarts?

Is there a specific file or volume that needs to be mounted to achieve that?

Is CUSTOM_CONFIG required for this, or can it work with the default image setup?

Thanks so much in advance 🙏
Any guidance or working examples would be really appreciated!

[rlktradewright]

You cannot do 2FA persistence across a Sunday: it is IBKR's policy that there must be at least one full 2FA authentication each week: this is a hard-and-fast rule and there is no way around it.

When TWS/Gateway do an auto-restart, the credentials established by 2FA are persisted temporarily in a file called autorestart, and are used during the restart to bypass the need for another 2FA. As soon as the new instance of TWS/Gateway has used the credentials to re-establish the logon session, the autorestart file is deleted. The autorestart file thus only ever exists for a couple of seconds during the auto-restart process.

But those credentials are invalidated by IBKR on Sunday at 01:00 US/Eastern (see https://www.ibkrguides.com/traderworkstation/auto-restart-considerations.htm). Thus the first start of TWS/Gateway during the week will always require 2FA.

And therefore you will necessarily have to do a 2FA at least once a week.

Note that if you leave TWS/Gateway running without restarting on Sunday, the next autorestart does actually succeed, but the following one will fail. I don't know why IBKR allow this - it should fail at the first auto-restart - but I wish they wouldn't because it causes confusion.

If you close down TWS/Gateway during the week (for example by restarting your container), the autorestart file won't exist (because it's only created during an auto-restart exit), and full 2FA will be necessary.

[Amir-Inbar]

Hi all,

I'm running IB Gateway in Docker for automated trading. My setup spins up a new container per trade, which runs for 1–2 minutes, sends an order, and then shuts down.

I'm fine doing 2FA manually once a week, and I want to reuse that valid session in all containers launched during the same week (avoiding repeated 2FA prompts).

Current setup:
I perform 2FA once at the beginning of the week.

I mount a persistent volume:

volumes = {
    "~/.ib_gateway_sessions/myuser": {
        "bind": "/home/ibgateway/Jts",
        "mode": "rw"
    }
}

Question:
What exactly needs to be persisted to make this work reliably?

Is persisting /home/ibgateway/Jts enough?

Do I need to avoid CUSTOM_CONFIG=yes after the initial login?

Should I copy additional files after a successful 2FA?

Thanks in advance for your help!

[rlktradewright]

DId you read what I wrote?

This is not possible.

Reusing a previous session depends on the autorestart file existing. That file is only created when Gateway is doing an autorestart at the specified autorestart time, and is deleted as soon as autorestart has happened, within a few seconds.

Shutting down your container is not an autorestart situation, so the autorestart file is not created. So there's no wayto restart using those credentials.

Why start a new container for each trade? And if you really want to do that, why is tapping your phone to do the 2FA each time such a big deal?

[rlktradewright]

You have two options:

1. Keep the container running all week using autorestart, and do 2FA once a week when you start it up.

2. Run the container when you need to place an order, and do 2FA each time. Given that 2FA is such a trivial and straightforward procedure, I really don't see why you seem to feel that it's a burden.

[Amir-Inbar]

Thanks!
The challenge for me with 2FA is that I'm not near the computer when my algorithm sends the order. I don't trade manually, and many strategies run overnight, so I prefer to handle 2FA just once a week instead of dealing with it every time.

[rlktradewright]

Ok, thanks for giving me the full picture. Now I see where you're coming from.

As a result of some experiments I did a while back, I may possibly have a solution for you. This is not something I want to discuss publicly, so I won't say anything more about it here.

I'll need to do some further experimenting to convince myself that it will work. This will probably have to wait until the weekend, because I'll need to use my Ubuntu VM with my live account (which is in use on Windows during the week).

If you're interested in this and would like to discuss it further, email me here: temp at aultan.com, which is a temporary junk address. I'll then email you back from my proper address.

[skister]

I have a related question. Occasionally calls to my ibgateway will just hang and never get a response, but it is still running. Is it feasible for IBC or a future replacement to restart a running ibgateway without requiring 2fa again?

[rlktradewright]

@skister yes, you can do this by sending a RESTART command to IBC's command server. This causes the current Gateway instance to be shut down and restarted without needing re-authentication, exactly the same as auto-restart.

If you haven't already, you should read the Command Server section in the User Guide.

First, configure the command server port using the settings in section 10. IBC Command Server Settings of config.ini.

To send the RESTART command, you can:

• EITHER: manually use the provided script (RESTART.bat for WIndows, restart.sh on Linux). Note before using RESTART.bat for the first time, you must edit the SENDCOMMAND.bat scriptfile;, similarly to use restart.sh you must first edit commandsend.sh. This is to ensure the command is sent to the correct IBC instance. Note that it appears restart.sh is not included in the macOS IBC install (I don't recall why), But commandsend.sh is included (see below).

• OR: manually use the provided commandsend.sh script on Linux or macOS, like so:

  ./commandsend.sh RESTART

• OR: enhance your application to automatically send a RESTART command to the command server port when necessary, via a TCP socket. Your favourite AI will be able to generate the required code in seconds if you're not sure how to do this, with a prompt such as "please generate Python program code to connect a socket to a specified port at a specified IP address, then send the text "RESTART", then disconnect".

[code-hustler-ft3d]

@rlktradewright is right — IBKR requires a fresh 2FA each week and there's no persisting across it. But if the real pain is the manual phone approval, that part is avoidable: with the Mobile Authenticator (TOTP) method the weekly 2FA can run unattended — the code is computed and submitted automatically at (re)start, no tap. ibg-controller (https://github.com/code-hustler-ft3d/ibg-controller) does this on headless IB Gateway (set TWOFACTOR_CODE), and can seed Gateway's autorestart token via GATEWAY_WARM_STATE. It won't change the once-a-week rule, just removes the manual step. (Gateway only; IB Key push still needs a human.)