Overview

The current Exchange API implementation does not require authentication for most endpoints. This is a simplified setup intended for development and testing.
In a production environment, you should implement proper authentication using JWT tokens, API keys, or session-based authentication.

User identification

Endpoints that require user identification accept a user_id parameter in the request body:
Example order request
{
  "market": "SOL_USDC",
  "price": "150.50",
  "quantity": "10.0",
  "side": "BUY",
  "user_id": "user-123"
}

User creation

The /api/v1/users endpoint generates a new user with a UUID:
POST /api/v1/users
Response:
{
  "user_id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "balances": [
    {
      "asset": "USDC",
      "available": "10000.00",
      "locked": "0.00"
    },
    {
      "asset": "SOL",
      "available": "100.00",
      "locked": "0.00"
    }
  ]
}
The code comment in router/src/routes/user.rs:16 notes that the user ID would ideally be fetched from cookies or JWT in a production system.

Public endpoints

The following endpoints do not require user identification and are publicly accessible:

Health check

GET /api/v1/health

Market depth

GET /api/v1/depth

Trade history

GET /api/v1/trades

Klines data

GET /api/v1/klines

Ticker data

GET /api/v1/tickers

Authenticated endpoints

The following endpoints require a user_id in the request body. The value is used as supplied, so it identifies the user but does not authenticate the caller; see Future authentication for binding the identity to a verified credential instead.

Order management

Execute order:
POST /api/v1/order

{
  "market": "SOL_USDC",
  "price": "150.50",
  "quantity": "10.0",
  "side": "BUY",
  "user_id": "user-123"
}
Get open order:
GET /api/v1/order
{
  "user_id": "user-123",
  "order_id": "order-456",
  "market": "SOL_USDC"
}
Cancel order:
DELETE /api/v1/order
{
  "order_id": "order-456",
  "user_id": "user-123",
  "price": "150.50",
  "side": "BUY",
  "market": "SOL_USDC"
}
Get all open orders:
GET /api/v1/orders
{
  "user_id": "user-123",
  "market": "SOL_USDC"
}
Cancel all orders:
DELETE /api/v1/orders
{
  "user_id": "user-123",
  "market": "SOL_USDC"
}
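As an added illustration, not code from the exchange itself, the following std-only Rust sketch shows the ownership checks the per-order endpoints above need once identity is verified: every get, cancel and list operation is scoped to the caller, whose user_id is assumed to come from a validated session or token rather than the request body. The names (OrderStore, ApiError, the order-id format) are hypothetical.

```rust
// Added example, not the exchange's own code: an in-memory order store that
// enforces ownership on every per-order operation. `caller` is the user_id
// resolved server-side from a verified credential (assumption), never the
// user_id field of the request body.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Order {
    pub order_id: String,
    pub user_id: String,
    pub market: String,
    pub price: String,
    pub quantity: String,
    pub side: String,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    /// Returned both for unknown ids and for orders owned by someone else,
    /// so a caller cannot distinguish "does not exist" from "not yours".
    NotFound,
}

#[derive(Default)]
pub struct OrderStore {
    orders: HashMap<String, Order>,
    next_id: u64,
}

impl OrderStore {
    /// Place an order for the authenticated caller (hypothetical id format).
    pub fn place(&mut self, caller: &str, market: &str, price: &str, quantity: &str, side: &str) -> Order {
        self.next_id += 1;
        let order = Order {
            order_id: format!("order-{}", self.next_id),
            user_id: caller.to_string(),
            market: market.to_string(),
            price: price.to_string(),
            quantity: quantity.to_string(),
            side: side.to_string(),
        };
        self.orders.insert(order.order_id.clone(), order.clone());
        order
    }

    /// GET /order: only the owner may read an order.
    pub fn get(&self, caller: &str, order_id: &str) -> Result<&Order, ApiError> {
        match self.orders.get(order_id) {
            Some(o) if o.user_id == caller => Ok(o),
            _ => Err(ApiError::NotFound),
        }
    }

    /// DELETE /order: check ownership before mutating anything.
    pub fn cancel(&mut self, caller: &str, order_id: &str) -> Result<Order, ApiError> {
        let owned = matches!(self.orders.get(order_id), Some(o) if o.user_id == caller);
        if !owned {
            return Err(ApiError::NotFound);
        }
        self.orders.remove(order_id).ok_or(ApiError::NotFound)
    }

    /// GET /orders: listing is filtered by caller, so it cannot leak other users' books.
    pub fn open_orders(&self, caller: &str, market: &str) -> Vec<&Order> {
        let mut v: Vec<&Order> = self
            .orders
            .values()
            .filter(|o| o.user_id == caller && o.market == market)
            .collect();
        v.sort_by(|a, b| a.order_id.cmp(&b.order_id));
        v
    }

    /// DELETE /orders: removes only the caller's orders; returns how many were cancelled.
    pub fn cancel_all(&mut self, caller: &str, market: &str) -> usize {
        let before = self.orders.len();
        self.orders.retain(|_, o| !(o.user_id == caller && o.market == market));
        before - self.orders.len()
    }
}

fn main() {
    let mut store = OrderStore::default();
    let a = store.place("user-123", "SOL_USDC", "150.50", "10.0", "BUY");
    // A different caller asking for user-123's order gets NotFound.
    println!("{:?}", store.get("user-456", &a.order_id));
    println!("{:?}", store.cancel("user-123", &a.order_id).map(|o| o.order_id));
}
```

The deliberate design choice is that a foreign order id yields the same NotFound as a nonexistent one, which keeps the order-id space from being enumerable through the error channel.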

Error responses

Missing user ID

If you attempt to call an authenticated endpoint without providing a user_id, the request will fail during deserialization:
{
  "error": "Bad Request"
}

Invalid user ID

If you provide a user_id that doesn’t exist in the system, the order processing service will reject the request:
{
  "error": "User not found"
}

CORS configuration

The API is configured with permissive CORS settings allowing requests from any origin:
Cors::default()
    .allow_any_origin()
    .allow_any_header()
    .allow_any_method()
    .max_age(3600)
This is suitable for development but should be restricted in production environments: with identity carried as a plain user_id field, an open CORS policy lets any web page submit requests to the authenticated endpoints from a visitor's browser.
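As an added example of the restricted configuration (not the exchange's own code), here is a std-only Rust allow-list check for the Origin header and the response headers it yields. The two allowed origins are constructed sample values, and the actix-cors equivalent in the trailing comment assumes that crate is the source of the Cors::default() builder shown above.

```rust
// Added example, not the exchange's own configuration: exact-match origin
// allow-listing for CORS. Sample origins are constructed for illustration.
const ALLOWED_ORIGINS: &[&str] = &["https://app.example.com", "https://admin.example.com"];

/// Returns the allow-list entry matching `origin`, comparing the whole
/// serialized origin (scheme + host + port) case-insensitively. Prefix or
/// substring matching is the classic mistake: it would also accept
/// "https://app.example.com.evil.test".
pub fn matched_origin(origin: &str) -> Option<&'static str> {
    let candidate = origin.trim();
    ALLOWED_ORIGINS
        .iter()
        .copied()
        .find(|allowed| allowed.eq_ignore_ascii_case(candidate))
}

pub fn origin_allowed(origin: &str) -> bool {
    matched_origin(origin).is_some()
}

/// Builds the CORS response headers for a request carrying `origin`.
/// Missing, unknown or "null" origins get no Access-Control-* headers at all,
/// so the browser refuses the cross-origin read. `Vary: Origin` is always set
/// so a shared cache never replays one origin's response to another.
pub fn cors_headers(origin: Option<&str>) -> Vec<(&'static str, String)> {
    let mut headers = vec![("Vary", "Origin".to_string())];
    if let Some(allowed) = origin.and_then(matched_origin) {
        // Echo the allow-list entry, not the raw header, so only a
        // canonical value ever reaches the client.
        headers.push(("Access-Control-Allow-Origin", allowed.to_string()));
        headers.push(("Access-Control-Allow-Methods", "GET, POST, DELETE".to_string()));
        headers.push(("Access-Control-Allow-Headers", "Content-Type, Authorization".to_string()));
        headers.push(("Access-Control-Max-Age", "3600".to_string()));
    }
    headers
}

fn main() {
    for origin in ["https://app.example.com", "https://app.example.com.evil.test", "null"] {
        println!("{origin}: allowed={}", origin_allowed(origin));
    }
}

// Equivalent builder with actix-cors (assumed to be the framework in use):
//
// Cors::default()
//     .allowed_origin("https://app.example.com")
//     .allowed_origin("https://admin.example.com")
//     .allowed_methods(vec!["GET", "POST", "DELETE"])
//     .allowed_headers(vec![http::header::CONTENT_TYPE, http::header::AUTHORIZATION])
//     .max_age(3600)
```

Keep the method and header lists to what the documented endpoints actually use; allow_any_header in particular is rarely needed once the client sends only Content-Type and a credential header.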

Future authentication

For production deployment, consider implementing:

JWT tokens

Issue tokens on login and validate on each request

API keys

Generate API keys for programmatic access

Session cookies

Use secure HTTP-only cookies for web clients

OAuth 2.0

Integrate with third-party identity providers
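As an added example that is not part of the exchange's code, the following std-only Rust sketch shows the session-token option from the list above: the server issues an opaque random token, resolves the caller's user_id from an Authorization: Bearer header, and rejects a body-supplied user_id that disagrees with the session. The store, error names, 32-byte token length and /dev/urandom as the randomness source are all assumptions; a cookie-based variant would read the same token from a Secure, HttpOnly cookie instead of the header.

```rust
// Added example, not the exchange's own code: opaque bearer sessions that
// resolve identity server-side so handlers never trust a user_id from the body.
use std::collections::HashMap;
use std::io::Read;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum AuthError {
    Missing,      // no Authorization header
    Malformed,    // not "Bearer <token>"
    Unknown,      // token not issued (or already revoked)
    Expired,      // past its TTL
    UserMismatch, // body user_id disagrees with the session
}

struct Session {
    user_id: String,
    expires_at: Instant,
}

pub struct SessionStore {
    sessions: HashMap<String, Session>,
    ttl: Duration,
}

impl SessionStore {
    pub fn new(ttl: Duration) -> Self {
        Self { sessions: HashMap::new(), ttl }
    }

    /// Issue a fresh token for `user_id`: 32 bytes from the OS CSPRNG
    /// (assumed: /dev/urandom), hex-encoded. The token carries no user data;
    /// the mapping to user_id exists only on the server.
    pub fn issue(&mut self, user_id: &str) -> std::io::Result<String> {
        let mut bytes = [0u8; 32];
        std::fs::File::open("/dev/urandom")?.read_exact(&mut bytes)?;
        let token: String = bytes.iter().map(|b| format!("{b:02x}")).collect();
        let session = Session { user_id: user_id.to_string(), expires_at: Instant::now() + self.ttl };
        self.sessions.insert(token.clone(), session);
        Ok(token)
    }

    /// Resolve the caller from the raw Authorization header value.
    pub fn authenticate(&self, authorization: Option<&str>) -> Result<String, AuthError> {
        let value = authorization.ok_or(AuthError::Missing)?;
        let token = value
            .strip_prefix("Bearer ")
            .map(str::trim)
            .filter(|t| !t.is_empty())
            .ok_or(AuthError::Malformed)?;
        let session = self.sessions.get(token).ok_or(AuthError::Unknown)?;
        if Instant::now() >= session.expires_at {
            return Err(AuthError::Expired);
        }
        Ok(session.user_id.clone())
    }

    /// Logout / revocation: returns whether a session was actually removed.
    pub fn revoke(&mut self, token: &str) -> bool {
        self.sessions.remove(token).is_some()
    }
}

/// What an order handler does with the resolved identity. A user_id kept in
/// the body for compatibility is checked against the session, never used
/// on its own; a mismatch is rejected rather than silently overridden.
pub fn resolve_order_user(
    store: &SessionStore,
    authorization: Option<&str>,
    body_user_id: Option<&str>,
) -> Result<String, AuthError> {
    let caller = store.authenticate(authorization)?;
    match body_user_id {
        Some(claimed) if claimed != caller => Err(AuthError::UserMismatch),
        _ => Ok(caller),
    }
}

fn main() -> std::io::Result<()> {
    let mut store = SessionStore::new(Duration::from_secs(3600));
    let token = store.issue("user-123")?;
    let header = format!("Bearer {token}");
    println!("{:?}", resolve_order_user(&store, Some(&header), Some("user-123")));
    println!("{:?}", resolve_order_user(&store, Some(&header), Some("user-999")));
    Ok(())
}
```

With this in place the user_id field on the documented order requests becomes redundant, and the "User not found" path collapses into the Unknown/Expired token errors, which are returned before any order-processing code runs.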

Security considerations

The current implementation is designed for development and testing. Before deploying to production:
  • Implement proper authentication and authorization
  • Restrict CORS to trusted origins
  • Use HTTPS for all API communication
  • Implement rate limiting per user
  • Add request signing for critical operations
  • Validate all user inputs thoroughly