Overview & authentication
Base URL, auth, access levels, and conventions.
Everything you can do in the app, you can do over the HTTP + WebSocket API — create simulations, place orders, read positions, build and save strategies with shared backtest results, and stream live data. This section is a practical reference; the full machine-readable specification lives at /openapi.yaml.
Base URL
https://api.0dtespx.com
A liveness probe is available at GET /health (no auth, returns 200).
Discovering the API
Three documents are served unauthenticated and are the canonical, always-current reference:
| Document | Contents |
|---|---|
/openapi.yaml |
Full HTTP + WebSocket spec (OpenAPI 3.0.3) |
| API walkthrough | End-to-end walkthrough with copy-pasteable curl |
/llms.txt |
An llmstxt.org index for AI agents |
Authentication
Authenticate with a bearer session token, obtained by logging in:
curl -s https://api.0dtespx.com/auth/sessions \
-H 'Content-Type: application/json' \
-d '{"email":"[email protected]","password":"…"}'
# → {"token":"8a4f3e21d6c94b0e9f2a1c5b7d8e4f60"}
Send the token as the bare value of the Authorization header — no Bearer prefix:
Authorization: 8a4f3e21d6c94b0e9f2a1c5b7d8e4f60
Registration uses a 6-digit email verification code (POST /auth/verify-email then POST /auth/register). Codes are single-use — registration consumes the code and returns the session token for your first session directly, so no separate login is needed (or possible with the same code). Log out with DELETE /auth/sessions. Your profile is at GET /user, including your effective fee schedule.
Conventions
- Content type — authenticated requests send
Content-Type: application/json; responses are JSON unless noted. - Decimals — monetary values are JSON strings (
"500000","1.45") to preserve precision. Parse them with a decimal library, not a float. - Times — request timestamps are RFC 3339 with a timezone (
2025-01-15T14:30:00Z); always include theZor an offset. Snapshot timestamps in URL paths useYYYY-MM-DDTHH:MM:SSin UTC. - Errors — non-2xx responses have a short plain-text body; the HTTP status carries the meaning.
Access levels
There are exactly two levels of access — registration is free and nothing is paid:
| Access | Market data | History | Notes |
|---|---|---|---|
| Visitor | 30-second | Most recent completed session only | Unauthenticated |
| Registered | 1-second | All dates | Free account; unlimited; custom fees |
Today's in-progress session returns 1-second data to everyone until it closes. See Access & accounts for details.
Status codes
| Status | When |
|---|---|
| 200 | OK with body |
| 201 | Resource created |
| 204 | OK, no body |
| 400 | Validation error (reason in the body) |
| 401 | Missing or invalid auth |
| 403 | Forbidden for this account |
| 404 | Not found (or not yours) |
| 429 | Rate limit hit |
| 500 | Server error |
Rate limiting
Market-data endpoints are rate-limited for all authenticated accounts via a credit budget; exceeding it returns 429. Visitor traffic isn't metered because it can only reach the most recent session at coarse resolution. See rate limits for the leaky-bucket mechanism and per-endpoint costs.
Where to go next
- Rate limits — the credit budget and per-endpoint costs.
- Simulations API — create and drive a historical simulation.
- Orders API — place, preview, and cancel orders.
- Positions & transactions — read computed state.
- Market data API — sessions, strikes, snapshots.
- Live trading API — trade today's session.
- WebSocket streams — real-time data and events.