Version: 1.0.5 True Markets CeFi WebSocket
Overview
This API allows clients to interact with the CeFi trading platform for real time instrument, market data and exchange transactions.
Authentication
Certain API requests must be authenticated using HMAC-SHA256 signature authentication.
Unauthenticated Endpoints
Many endpoints have an unauthenticated version which only requires the user to supply a valid timestamp (no older than 15 seconds and not in the future, relative to server UTC time). These endpoints batch updates and publish on an interval set by the exchange, typically 1 second.
Authenticated-Only Channels
Some channels require authentication and cannot be accessed without valid credentials:
- DROPCOPY: Order drop copy channel that provides real-time order state updates.
Links
- 📖 Full API Documentation: https://docs.truex.co/
- 📧 Support: [email protected]
Change Log
| Version | Date | Notes |
|---|---|---|
| v1.0.5 | 2026-04-09 | Added SNAPSHOT_COMPLETE update type with item field — sent per-item after snapshot delivery. |
| v1.0.4 | 2026-04-07 | Add text field to order reports. |
| v1.0.3 | 2026-02-23 | Added UNSUBSCRIBE_NO_AUTH and clarified no-auth request requirements on authenticated sessions. |
| v1.0.2 | 2026-02-10 | Clarified authentication/signature rules and subscription field requirements. |
| v1.0.1 | 2026-01-28 | Added DROPCOPY channel for order drop copy. |
| v1.0.0 | 2025-10-16 | Initial Release. |
/api/v1
channelsubscribe
sendMessage sent to server indicating what channels and data the user would like to subscribe to.
welcome
receiveMessage received when connecting to the server and establishing a websocket connection.
confirmation
receiveMessage sent from server containing channels and items the user is currently subscribed to.
instrument
receiveMessage sent from server with instrument data.
trade
receiveMessage sent from server containing the latest trade information for a subscribed instrument.
ebbo
receiveMessage sent from server containing the latest exchange best bid and offer information for a subscribed instrument.
depth
receiveMessage sent from server containing the latest market data change for a subscribed instrument.
dropcopy
receiveMessage sent from server containing order drop copy data for subscribed client IDs. Provides real-time order state updates including new orders, fills, cancellations, and modifications. Requires authentication - unauthenticated connections will be rejected.
Servers
| Server | Host | Description |
|---|---|---|
| uat | wss://api.uat.truex.co | UAT websocket sandbox server. |
| production | wss://api.truex.co | Production websocket server. |
Security
NONE
httpApiKey · x-no-auth
This security scheme documents message-level behavior. Authentication fields are carried in the subscription message payload, not as HTTP query parameters.
Clients may subscribe to endpoints without an API key or computing an HMAC signature. These endpoints are rate limited by the server, coalescing and only sending data at a predetermined rate. Non-authenticated connections can be upgraded by supplying an API key and computed HMAC signature on the next request sent to the server.
Unauthenticated requests must have type SUBSCRIBE_NO_AUTH or UNSUBSCRIBE_NO_AUTH and must not include the following fields in the request: organization_id, key, signature.
*_NO_AUTH requests are only valid on unauthenticated sessions. If a connection is already authenticated, no-auth requests are rejected and do not modify authenticated subscriptions.
Required members
timestamp: A UTC Unix epoch in seconds.
HMAC
httpApiKey · x-api-key
This security scheme documents message-level behavior. Authentication fields are carried in the subscription message payload, not as HTTP query parameters.
Clients must compute and send an HMAC signature in the signature member of the request structure.
Compute the payload exactly as:
timestamp + TRUEXWS + key + path
Then compute the signature as:
Base64( HMAC_SHA256(secret, payload) )
Rules:
timestampis a Unix epoch in seconds.TRUEXWSis the literal stringTRUEXWS.keyis the API key UUID string.pathis everything after the domain, including leading/(e.g./api/v1).- Timestamp must not be in the future and must be no older than 15 seconds relative to server time.
Example payload:
1700000000TRUEXWS11112222-3333-4444-8555-666677778888/api/v1
Example signature (shell):
printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" -binary | base64
Required members
signature: The signature generated from processing the payload with the HMAC key.key: The ID of the HMAC key being used.timestamp: A UTC Unix epoch in seconds.