Authentication
OAuth 2.0 PKCE flow for end-user apps and HMAC-signed key/secret for server-to-server. Sandbox keys are issued instantly; production keys after a short review.
Synthetic account balances, delayed market data, and simulated fills for development teams.
Requires IP allowlisting, key rotation policy, incident contact, and signed platform addendum.
Endpoints
| Endpoint | Method | Use |
|---|---|---|
| /v2/quotes | GET | Real-time L1 quotes batched up to 200 symbols |
| /v2/orders | POST | Submit equity, bond, ETF, and option orders |
| /v2/portfolio | GET | Positions, average cost, and unrealized P&L |
| /v2/stream | WS | Order-book deltas, fills, and trade prints |
Rate limits
120 REST requests / second per key, soft-burst to 240. WebSocket streams are unlimited on subscription count but capped at 5,000 messages / second per connection.
Operational controls
Every order request accepts an idempotency key so retries cannot create duplicate orders.
Signed request payloads, response codes, and user attribution are retained for compliance review.
Receive account-approved, order-filled, cash-posted, and document-ready events.
Partners can disable keys instantly from the dashboard or through the emergency support line.