5.1. Key Rules

Section 5 outlines the key OAuth and InApp flows. Each flow is summarized as a flowchart and accompanied by a detailed description of its stages. Where applicable, the flowcharts also list the relevant API calls in brackets.

All user flows described in this section are fully compliant with the OAuth 2 standard (RFC 8252) to maximize security and improve the UX.

Upon successful user creation/authorization or interaction with InApp controls, users should be automatically redirected to a dedicated success URL. This URL is provided by Spotware Systems on a per-broker basis. For the flows to work correctly, the success URL has to be embedded into the config files of the cTrader applications used by brokers.

When deploying the proposed OAuth and InApp flows, brokers are free to use whatever code format they deem suitable. Additionally, please note that brokers’ CRM systems are fully responsible for issuing both the OT token and the long-term access token. Consequently, brokers’ client areas can revoke these tokens at any time, which automatically fails any subsequent attempt to verify or exchange them. To account for this, it is recommended to show the user authorization screen inside a related iframe within the success URL (defined above).
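The following sketch is an added example, not code from Spotware Systems or from this documentation. It shows one way a broker CRM could keep its token records so that revocation makes later verify and exchange attempts fail. It assumes that "OT token" means a single-use token with a short lifetime; the class name, method names, and the 60-second lifetime are hypothetical.

```python
import hashlib
import secrets
import time


class BrokerTokenStore:
    """Hypothetical in-memory stand-in for the broker CRM's token records."""

    def __init__(self, ot_ttl_seconds=60):  # lifetime is an assumed value
        self.ot_ttl = ot_ttl_seconds
        self._ot = {}      # sha256(OT token) -> (user_id, expiry timestamp)
        self._access = {}  # sha256(access token) -> user_id

    @staticmethod
    def _digest(token):
        # Keep only digests so a leaked table does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_one_time_token(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # format is the broker's choice
        self._ot[self._digest(token)] = (user_id, now + self.ot_ttl)
        return token

    def exchange(self, one_time_token, now=None):
        """Swap an OT token for a long-term access token, or return None."""
        now = time.time() if now is None else now
        # pop() removes the record, so a replayed OT token finds nothing.
        record = self._ot.pop(self._digest(one_time_token), None)
        if record is None or now > record[1]:
            return None
        access = secrets.token_urlsafe(32)
        self._access[self._digest(access)] = record[0]
        return access

    def verify(self, access_token):
        """Return the user id for a live access token, or None."""
        return self._access.get(self._digest(access_token))

    def revoke_user(self, user_id):
        """Client-area revocation: drop every token held for this user."""
        self._ot = {k: v for k, v in self._ot.items() if v[0] != user_id}
        self._access = {k: v for k, v in self._access.items() if v != user_id}
```

A production CRM would back this with persistent storage and log each failed verify or exchange attempt, since repeated failures after revocation are worth alerting on.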

The OAuth flows also mean that, when a user changes their email address in the broker’s CRM system, a request must be sent to the cTrader backend to reflect this change (API call 3.10.). On a related note, users should also receive an email notification upon successful user creation unless this feature is turned off.

Spotware Systems strongly recommends that brokers shorten the time required for users to complete the authorization process. Short user creation flows maximize the time retail clients can spend trading, improving conversion rates and maximizing revenues. Nevertheless, if they so choose, brokers can also integrate a range of additional processes into their user creation flows, including KYC checks or questionnaires.

The above rules apply to all cTrader applications including cTrader web, desktop, and mobile.

Last update: September 26, 2022