Perdagangan
Autentikasi
Endpoint publik terbuka. Endpoint perdagangan dan akun memerlukan bearer token. Halaman ini menjelaskan dari mana token berasal dan cakupan apa yang dibawanya.
Bearer token, bukan tanda tangan dompet
How to obtain a token (Day-1 integration)
The shortest path to authenticate a bot: register a SatoriEx account from the web UI, complete Tier-1 KYC (email + phone), and exchange your password for an access token via the /auth/login endpoint. The example below uses curl so it's language-agnostic.
1. Create a SatoriEx account + complete Tier-1 KYC
Open https://staging.satoriex.io, sign up with email + password, verify your email, and complete the phone verification. Tier-1 KYC is required before any trading endpoint will accept your token. Tier-2 (government ID) is required for withdrawals.
2. Exchange credentials for an access token
POST your email and password to /api/v1/auth/login. The response carries an access_token (the JWT bearer you'll use on every authenticated call) and a refresh_token (use to mint a new access_token without re-entering the password).
curl -sX POST https://staging.satoriex.io/api/v1/auth/login \ -H "Content-Type: application/json" \ -d '{"email":"[email protected]","password":"โฆ"}' # Response: # { # "code": 0, # "data": { # "access_token": "eyJhbGciOiJSUzI1NiIโฆ", # the bearer JWT # "refresh_token": "โฆ", # use to refresh access_token # "user": { โฆ } # } # }3. Use the access token on every authenticated call
Send the token in the Authorization header. The same header works on /me/balance, /orders, /me/positions, and every other authenticated endpoint. The /ws WebSocket accepts the token in the URL ?token=โฆ parameter โ see the WebSocket events page.
# Use the access_token as a bearer curl -s https://staging.satoriex.io/api/v1/me/balance \ -H "Authorization: Bearer $ACCESS_TOKEN"4. Refresh the token before it expires
Access tokens are short-lived. When you get a 401 with code 2002 (token expired), POST the refresh_token to /api/v1/auth/refresh to mint a new access_token. The refresh_token itself rotates โ store the new one each time.
curl -sX POST https://staging.satoriex.io/api/v1/auth/refresh \ -H "Content-Type: application/json" \ -d '{"refresh_token":"โฆ"}'
OAuth-style third-party flows (for clients acting on behalf of another SatoriEx user) use the /oauth/authorize authorization-code flow instead โ see the OAuth-access row in the table below.
POST /orders response โ 202 Accepted
When you place an order, the server responds with 202 Accepted (not 200 OK). The response includes your order object with trades set to an empty array โ the order is queued for matching, not instantly filled. Fill notifications arrive asynchronously via WebSocket (order.updated events).
Dua cara mendapatkan token
Kedua jenis token adalah bearer token. Perbedaannya pada cara penerbitannya dan cakupan yang dapat dibawanya.
| Jenis token | Cara mendapatkan | Kapan digunakan |
|---|---|---|
| Sesi | Email/password or social SSO. Providers: Google (global), Apple (global), LINE (Japan + Southeast Asia), KakaoTalk (Korea). Returned by /api/v1/auth/login. Availability of specific providers varies by jurisdiction. | Klien web dan mobile pihak pertama milik Anda. |
| Akses OAuth | Alur kode otorisasi OAuth 2.0 terhadap /oauth/authorize. | Klien pihak ketiga yang bertindak atas nama pengguna SatoriEx. |
| PAT | Created at /me/personal-access-tokens via the dashboard or API. Scoped to a named set of permissions. | Automated bots, CI pipelines, or any script that needs a credential that survives session rotation. |
PAT holders earn 10 BPS maker rebate on limit fills (vs 5 BPS standard).
Personal Access Tokens (PAT)
PATs are long-lived credentials you create from your account settings at /me/personal-access-tokens. They are passed in the same Authorization: Bearer header as session tokens. PAT holders earn an enhanced maker rebate of 10 BPS (0.10%) on limit-order fills โ double the 5 BPS standard rate.
# Create a PAT
curl -sX POST https://staging.satoriex.io/api/v1/me/personal-access-tokens \
-H "Authorization: Bearer $SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"my-bot","scopes":["orders:write","portfolio:read"]}'
# List PATs
curl -s https://staging.satoriex.io/api/v1/me/personal-access-tokens \
-H "Authorization: Bearer $SESSION_TOKEN"Revoking tokens
Three paths to revoke access, depending on what you want to invalidate:
- 1.Session JWT โ POST /api/v1/auth/logout. Invalidates the current session immediately.
- 2.Single PAT โ DELETE /api/v1/me/personal-access-tokens/:id. Revokes one token by its ID.
- 3.OAuth grant โ DELETE /api/v1/me/oauth-grants/:id. Revokes all access for a third-party client that was granted OAuth access.
Header yang diperlukan setiap panggilan perdagangan
Semua panggilan terautentikasi mengirim bearer token. Tambahkan header kode builder saat Anda ingin panggilan dikreditkan ke integrasi Anda.
Authorization: Bearer eyJhbGciOiJSUzI1NiI... # RS256-signed JWT โ session or OAuth access token Content-Type: application/json # Session tokens are RS256-signed JWTs. Public key available at /.well-known/jwks.json
Cakupan
Token membawa satu atau lebih cakupan. Server memeriksa cakupan per endpoint dan menolak panggilan yang melebihi izin token.
markets:readโ view market data, prices, and order books.markets:proposeโ submit new market proposals.orders:writeโ place, cancel, and manage orders.portfolio:readโ view your positions, balances, and trade history.
KYC dan perdagangan
Pemegang token berdagang hingga batas tingkat KYC mereka saat ini. Tingkat 0 tidak dapat memasang order. Tingkat 1 memungkinkan aktivitas harian hingga 100 USDC; Tingkat 2 meningkatkannya menjadi 10.000 USDC.
Jangan pernah hardcode token