2. General Provisions

2.1. Key Rules

The API calls covered in this document follow the general rules below.

  • By using Spotware’s API, you automatically agree to the company’s terms of service.

  • All requests must be made to secure endpoints using the https protocol instead of http.

  • API calls 3.1-3.10 are made by the cTrader backend to a broker's client area. In turn, API calls 4.1.-4.4. are made by a broker's CRM system to the cTrader backend.

  • The content types accepted by the API calls defined in Section 3 depend on the endpoint prefix, as shown in the table below.

| Endpoint Starting With | Accepted Content Types |
|---|---|
| /ctid/ or /oauth2/ | Text/JSON only |
| /webserv/ | Text/JSON and text/XML |

  • The endpoints in Section 3 are relative to the following URLs. The unique value of https://HOST:PORT is provided by Spotware Systems to each individual broker.

| Endpoint Starting With | Relative To |
|---|---|
| /ctid/ or /oauth2/ | https://HOST:PORT/cid |
| /webserv/ | https://HOST:PORT/v2 |

  • All API calls received by brokers (listed in Section 4) must be available at endpoints relative to one consistent URL. E.g., please, avoid establishing some endpoints at while hosting others at To avoid confusion, these endpoints are referenced as within the body of this documentation.

  • Several fields related to finances (balance, bonus, nonWithdrawableBonus, equity, usedMargin, and freeMargin) list their values multiplied by 10^moneyDigits, where moneyDigits is a separate JSON key taking integer values. As an illustration, an equity of 234512 with a moneyDigits value of 2 would equal 2345.12 currency units.

  • If the number of requests per hour exceeds a certain threshold, all new PUT, POST, and DELETE requests will be rejected. This constraint does not extend to GET requests.

2.2. Authentication Provisions

The broker’s backend is authenticated under the same manager’s credentials used to log in to the cBroker backend application. For the API calls made by the broker’s backend office to the cTrader backend, append an authentication token to each request by placing ?token={token} at the end of each request URL. Additional details about the manager authentication token are given in Section 3.1.

Spotware’s REST API also requires the cTrader backend to be authenticated when making requests to the broker’s client area. As specified in API call 4.1., the cTrader backend exchanges a pre-generated password to acquire a long-term authentication token that must be valid for at least one week. This token is added to each request made by the cTrader back office by appending ?token={token} to each request URL.
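
The URL rules from Section 2.1 and the token rule above, combined in an added example (not Spotware's code): it builds the URL for a request from the broker's backend to the cTrader backend, refuses non-https origins, and masks the token before a URL is logged, since a token carried in the query string ends up wherever URLs are recorded. The host, port, endpoint names and token values are constructed placeholders, and build_url and redact_token are hypothetical helper names.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Base path for each endpoint prefix, taken from the table in Section 2.1.
BASE_PATHS = {"/ctid/": "/cid", "/oauth2/": "/cid", "/webserv/": "/v2"}


def build_url(origin, endpoint, token, params=None):
    """Build the full URL for a Section 3 endpoint, with ?token= placed last."""
    parts = urlsplit(origin)
    # Section 2.1: requests go to https endpoints only, never http.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("origin must have the form https://HOST:PORT")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("origin must not carry a path, query or fragment")
    if "?" in endpoint or "#" in endpoint:
        raise ValueError("endpoint must be a bare path")
    base = next((b for p, b in BASE_PATHS.items() if endpoint.startswith(p)), None)
    if base is None:
        raise ValueError("endpoint must start with /ctid/, /oauth2/ or /webserv/")
    # urlencode percent-encodes every value, so a token or parameter cannot
    # inject extra query keys; a caller-supplied "token" parameter is dropped.
    query = [(k, v) for k, v in (params or {}).items() if k != "token"]
    query.append(("token", token))
    return urlunsplit(("https", parts.netloc, base + endpoint, urlencode(query), ""))


def redact_token(url):
    """Return the URL with the token value masked, for logs and error reports."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == "token" else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    # Constructed sample values: host, port, endpoint name and token are placeholders.
    url = build_url("https://broker.example:8443", "/webserv/example-resource",
                    "constructed-token", {"from": "0"})
    print(redact_token(url))
```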

2.3. Broker-Specific JSON Keys Provided by Spotware

The API calls defined in Section 3 take several broker-specific request body keys whose values are provided by Spotware Systems for each broker. To eliminate redundancies, these keys are summarized in the following table.

| Parameter | Data Type | Description |
|---|---|---|
| brokerCrmName | string | A unique name designating a broker’s CRM system. If several brokers share the same CRM system, they will also have the same brokerCrmName values. |
| brokerName | string | A unique name denoting a specific broker (including White Labels). |

Last update: February 6, 2023