True Markets CeFi REST
Overview
This API allows clients to interact with the CeFi trading platform for order management, market data retrieval, and account information.
Base URLs
| Environment | Base URL |
|---|---|
| Production | https://api.truex.co/v1/cefi/ |
| UAT (sandbox) | https://api.uat.truex.co/v1/cefi/ |
UAT and Production require VPN / PrivateLink network access for institutional clients. Contact [email protected] for network onboarding.
The legacy
/api/v1/path prefix continues to accept requests for backwards compatibility, but is deprecated and will be removed on August 5, 2026 — the same sunset date as thev2024_01_01schema version. New integrations should use/v1/cefi/.
Authentication
Protected endpoints accept either of two authentication methods:
- Institutional clients — HMAC-SHA256 signed requests using an API key (
organization_id/key_id/secret). - Retail clients — a JWT bearer token in the
Authorizationheader, with no per-request signing.
Market data and service-health endpoints are public and require no authentication.
Institutional: obtaining API-key credentials
Direct CeFi REST/WS/FIX access for institutions requires KYB onboarding. Begin at https://www.truex.co/sign-up, or contact [email protected] for help. Approved organizations receive an organization_id, key_id, and HMAC secret.
Retail: JWT bearer token
Retail clients authenticate directly by presenting a True Markets-issued JWT access token in the Authorization: Bearer <token> header — no per-request HMAC signing. Obtain a token pair by registering an ES256 (EC P-256) API key and exchanging a signed challenge via the Auth API (POST /v1/auth/api-key/token); the same token is also issued by the standard sign-in flows.
The access token must carry a client_id claim, which scopes every request to your CeFi client. That claim is present only once your account is onboarded to CeFi — a JWT without a client_id claim is rejected with 401 Unauthorized.
Signature computation (HMAC-SHA256)
Each authenticated request must include the headers X-Truex-Organization-Id, X-Truex-Key-Id, X-Truex-Timestamp (UTC Unix seconds, within ±15s of server time), and X-Truex-Signature. Compute X-Truex-Signature as:
signature = base64( HMAC_SHA256( secret, METHOD + "\n" + PATH + "\n" + TIMESTAMP + "\n" + BODY ) )
where BODY is the exact serialized request body (empty string for GET/DELETE). See docs.truex.co for reference implementations in Python, Go, and shell.
API Versioning
The API uses date-based versioning via the X-Truex-Version header. To request a specific API version, include the header in your request:
X-Truex-Version: v2024_01_01
Supported Versions:
| Version | Status | Description |
|---|---|---|
v2024_01_01 | Deprecated (Default) — Sunset August 5, 2026 | Original API format - responses return raw data arrays/objects |
v2026_01_23 | Current | New envelope format - responses wrapped in { "data": [...], "pagination": {...} } |
If no version header is provided, the API defaults to v2024_01_01. Use the /v1/cefi/versions endpoint (or the legacy /api/v1/versions) to discover supported versions programmatically.
Response Format by Version:
- v2024_01_01:
[{...}, {...}](raw array) or{...}(raw object) - v2026_01_23:
{ "data": [...], "pagination": { "size": 10, "next_cursor": "..." } }
Error Response Format by Version:
- v2024_01_01: RFC 7807 Problem Details format
- v2026_01_23:
{ "error": { ...RFC 7807 Problem Details... } }
Deprecation Policy: When a version is deprecated, responses will include RFC 8594 headers:
Deprecation: Date when the version was deprecatedSunset: Date when the version will be removed
The legacy /api/v1/ path prefixes share the August 5, 2026 sunset date with the v2024_01_01 schema version. Migrate to /v1/cefi/ before that date.
Links
- 📖 Full API Documentation: https://docs.truex.co/
- 📧 Support: [email protected]
Authentication
- API Key: HMAC
- HTTP: Bearer Auth
Clients must compute and send an HMAC signature in x-truex-auth-signature.
Compute the payload exactly as:
timestamp + method + path + body
Then compute the signature as:
Base64( HMAC_SHA256(secret, payload) )
Rules:
timestampisx-truex-auth-timestampin seconds since Unix epoch.timestampmust be no older than 15 seconds and no more than 1 second in the future.methodis uppercase HTTP method (GET,POST,DELETE, etc.).pathis everything after the domain, including leading/(e.g./api/v1/order) and excludes query string parameters.bodyis the exact raw request body string. Use an empty string for requests with no body.
Example payload:
1700000000POST/api/v1/order{"client_id":"7","instrument_id":"1","qty":"1","price":"100"}
Example signature (shell):
printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" -binary | base64
Note, method is all upper case and path is everything after the domain name including the / (e.g. /api/v1/order). Required headers:
x-truex-auth-token: The ID of the HMAC key being used (API key).x-truex-auth-signature: The signature generated from processing the payload with the HMAC key.x-truex-auth-timestamp: Current time as seconds since epoch.x-truex-auth-userid: Client identifier.
Security Scheme Type: | apiKey |
|---|---|
Header parameter name: | x-truex-auth-token |
Retail authentication. Present a True Markets-issued JWT access token
as Authorization: Bearer <token> — no request signing required.
Obtain a token pair by exchanging a signed challenge for your
registered ES256 (EC P-256) API key at POST /v1/auth/api-key/token
(see the Auth API); the same token is issued by the standard sign-in
flows.
The token must carry a client_id claim, which scopes every request
to your CeFi client. The claim is present only once your account is
onboarded to CeFi; a JWT without a client_id claim is rejected with
401 Unauthorized.
Security Scheme Type: | http |
|---|---|
HTTP Authorization Scheme: | bearer |
Bearer format: | JWT |
Contact
Terms of Servicehttps://truex.co/tos