Authentication
All requests to the XBTFX Trading API must be authenticated using an API key passed as a Bearer token in the Authorization header.
API Keys
Section titled “API Keys”Each API key is bound to a single trading account. Create and manage API keys at the XBTFX API Console:
https://console.xbtfx.comThe API Console uses the same login as your client portal at my.xbtfx.com. If you don’t have a trading account yet, register at my.xbtfx.com first, then generate your key at console.xbtfx.com.
When you create a key, it is associated with one trading account. All actions performed with that key operate on that specific account.
Authentication Header
Section titled “Authentication Header”Include your API key in every request using the Authorization header:
Authorization: Bearer <your-api-key>Example Request
Section titled “Example Request”curl -X GET https://interface.xbtfx.com/v1/auth/status \ -H "Authorization: Bearer your_api_key_here"Auth Status Endpoint
Section titled “Auth Status Endpoint”Use this endpoint to verify your API key is valid and inspect its permissions.
GET /v1/auth/status
Response
Section titled “Response”{ "login": 12345678, "tier": "standard", "status": "active", "permissions": ["trade", "read"], "margin_mode": "hedging"}Response Fields
Section titled “Response Fields”| Field | Type | Description |
|---|---|---|
login | integer | The MT5 account login number bound to this key |
tier | string | Account tier level |
status | string | Key status (e.g., active) |
permissions | array | List of permissions granted to this key |
margin_mode | string | Account margin mode: hedging or netting |
Best Practices
Section titled “Best Practices”- Store API keys securely. Never commit them to version control or expose them in client-side code.
- Use environment variables or a secrets manager to inject keys at runtime.
- Create separate keys for different applications or environments.
- Rotate keys periodically and revoke any that are no longer in use.