Skip to main content

Version: 1.0.5 True Markets CeFi WebSocket

Overview

This API allows clients to interact with the CeFi trading platform for real time instrument, market data and exchange transactions.

Authentication

Certain API requests must be authenticated using HMAC-SHA256 signature authentication.

Unauthenticated Endpoints

Many endpoints have an unauthenticated version which only requires the user to supply a valid timestamp (no older than 15 seconds and not in the future, relative to server UTC time). These endpoints batch updates and publish on an interval set by the exchange, typically 1 second.

Authenticated-Only Channels

Some channels require authentication and cannot be accessed without valid credentials:

  • DROPCOPY: Order drop copy channel that provides real-time order state updates.

Change Log

VersionDateNotes
v1.0.52026-04-09Added SNAPSHOT_COMPLETE update type with item field — sent per-item after snapshot delivery.
v1.0.42026-04-07Add text field to order reports.
v1.0.32026-02-23Added UNSUBSCRIBE_NO_AUTH and clarified no-auth request requirements on authenticated sessions.
v1.0.22026-02-10Clarified authentication/signature rules and subscription field requirements.
v1.0.12026-01-28Added DROPCOPY channel for order drop copy.
v1.0.02025-10-16Initial Release.

/api/v1

channel

subscribe

send

Message sent to server indicating what channels and data the user would like to subscribe to.

welcome

receive

Message received when connecting to the server and establishing a websocket connection.

confirmation

receive

Message sent from server containing channels and items the user is currently subscribed to.

instrument

receive

Message sent from server with instrument data.

trade

receive

Message sent from server containing the latest trade information for a subscribed instrument.

ebbo

receive

Message sent from server containing the latest exchange best bid and offer information for a subscribed instrument.

depth

receive

Message sent from server containing the latest market data change for a subscribed instrument.

dropcopy

receive

Message sent from server containing order drop copy data for subscribed client IDs. Provides real-time order state updates including new orders, fills, cancellations, and modifications. Requires authentication - unauthenticated connections will be rejected.

Servers

ServerHostDescription
uatwss://api.uat.truex.coUAT websocket sandbox server.
productionwss://api.truex.coProduction websocket server.

Security

NONE

httpApiKey · x-no-auth

This security scheme documents message-level behavior. Authentication fields are carried in the subscription message payload, not as HTTP query parameters.

Clients may subscribe to endpoints without an API key or computing an HMAC signature. These endpoints are rate limited by the server, coalescing and only sending data at a predetermined rate. Non-authenticated connections can be upgraded by supplying an API key and computed HMAC signature on the next request sent to the server.

Unauthenticated requests must have type SUBSCRIBE_NO_AUTH or UNSUBSCRIBE_NO_AUTH and must not include the following fields in the request: organization_id, key, signature.

*_NO_AUTH requests are only valid on unauthenticated sessions. If a connection is already authenticated, no-auth requests are rejected and do not modify authenticated subscriptions.

Required members

  • timestamp: A UTC Unix epoch in seconds.

HMAC

httpApiKey · x-api-key

This security scheme documents message-level behavior. Authentication fields are carried in the subscription message payload, not as HTTP query parameters.

Clients must compute and send an HMAC signature in the signature member of the request structure.

Compute the payload exactly as:

timestamp + TRUEXWS + key + path

Then compute the signature as:

Base64( HMAC_SHA256(secret, payload) )

Rules:

  • timestamp is a Unix epoch in seconds.
  • TRUEXWS is the literal string TRUEXWS.
  • key is the API key UUID string.
  • path is everything after the domain, including leading / (e.g. /api/v1).
  • Timestamp must not be in the future and must be no older than 15 seconds relative to server time.

Example payload:

  • 1700000000TRUEXWS11112222-3333-4444-8555-666677778888/api/v1

Example signature (shell):

  • printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" -binary | base64

Required members

  • signature: The signature generated from processing the payload with the HMAC key.
  • key: The ID of the HMAC key being used.
  • timestamp: A UTC Unix epoch in seconds.