Introduction
The GlowBack REST API provides programmatic access to quantitative backtesting and parameter optimization. The API is built with FastAPI and follows REST conventions. Base URL:http://127.0.0.1:8000 (development)
API version: 0.2.0
Getting started
All API requests require authentication via API key. Include your API key in the request headers:Core concepts
Backtests
Backtests simulate trading strategies against historical market data. Each backtest:- Executes asynchronously and returns a
run_idimmediately - Progresses through states:
queued→running→completedorfailed - Produces results including equity curves, trades, and performance metrics
- Supports real-time streaming via WebSocket
Optimizations
Optimizations perform parameter searches to find optimal strategy configurations. Each optimization:- Runs multiple backtests with different parameter combinations
- Uses grid search or other optimization algorithms
- Tracks progress and can be cancelled mid-run
- Returns ranked results sorted by objective metric
API resources
Backtests
- POST /backtests - Create a new backtest
- GET /backtests - List all backtests
- GET /backtests/:run_id - Get backtest status
- GET /backtests/:run_id/results - Get backtest results
- WS /backtests/:run_id/stream - Stream real-time events
Optimizations
- POST /optimizations - Create a new optimization
- GET /optimizations - List all optimizations
- GET /optimizations/:opt_id - Get optimization status
- GET /optimizations/:opt_id/results - Get optimization results
- POST /optimizations/:opt_id/cancel - Cancel running optimization
Rate limiting
API requests are subject to rate limiting to ensure fair usage. Rate limit headers are included in responses:X-RateLimit-Limit- Total requests allowed per windowX-RateLimit-Remaining- Requests remaining in current windowX-RateLimit-Reset- Unix timestamp when the limit resets
429 Too Many Requests response.
Request tracking
All responses include anX-Request-ID header for log correlation and debugging. You can optionally provide your own request ID:
Error handling
The API uses standard HTTP status codes:200 OK- Successful request201 Created- Resource created successfully400 Bad Request- Invalid request parameters401 Unauthorized- Missing or invalid API key404 Not Found- Resource not found409 Conflict- Resource not ready or operation conflict413 Request Entity Too Large- Request body exceeds size limit (1 MiB default)429 Too Many Requests- Rate limit exceeded500 Internal Server Error- Server error
detail field with a human-readable message:
CORS
Cross-origin resource sharing (CORS) is configurable via theGLOWBACK_CORS_ORIGINS environment variable. Allowed headers:
AuthorizationX-API-KeyX-Request-IDContent-Type
GET, POST
Security headers
All responses include security headers:X-Content-Type-Options: nosniffX-Frame-Options: DENYReferrer-Policy: no-referrerStrict-Transport-Security: max-age=63072000; includeSubDomains; preloadContent-Security-Policy: default-src 'none'; frame-ancestors 'none'Cache-Control: no-store
Health check
The/healthz endpoint provides a liveness probe without authentication:
Next steps
- Review Authentication methods
- Explore Backtest endpoints
- Check out example requests in the interactive docs at
/docs