POST /api/v1/codes

Manage multiple reference codes with per-code afftax.

Reference codes attach a per-code afftax override (and an optional free-form label) to your partner record. Callers select a code at request time via X-API-KEY: <prefix>.<code>. The auth layer looks it up, verifies ownership and enabled state, and feeds the per-code afftax into /api/v1/price and /api/v1/create.

Codes are optional — your default referral link already earns without one. Use codes to bill a different markup per channel, or rotate them per campaign to track conversion without issuing a new credential bundle. Default cap is 50 codes per partner. The operator can raise it on request.

Code format

  • Regex: ^[A-Za-z0-9_-]{4,32}$: URL-safe alphabet, length 4..32.
  • No dots: the auth-side parser splits X-API-KEY on the first . and assumes the suffix is a single segment.
  • Optional label is a free-form string up to 64 characters. Bookkeeping for you, never surfaced to end users.

POST /api/v1/codes — create

POST/api/v1/codesAuth required
Body
codestringrequired
The code value used in X-API-KEY suffix. Validated against the regex above; unique per partner.
labelstring | null
Bookkeeping note up to 64 characters. Empty / whitespace-only becomes null.
afftaxBpsinteger
Optional per-code afftax in basis points (0..2000). Defaults to 0 and falls through to the partner default. Out-of-range values return code 1 INVALID_REQUEST.
200 OK
{
  "code": 0,
  "msg": "",
  "data": {
    "id": "ckxq0...",
    "code": "main-site",
    "label": "Main site",
    "afftaxBps": 500,
    "enabled": true,
    "createdAt": "2026-05-13T08:42:11.000Z"
  }
}
# Create a new reference code with a per-code afftax (500 bps). Authenticate via
# the top-level apiKey + apiSecret bundle. Callers then use
# X-API-KEY: <prefix>.<code>  to attribute traffic to this code.
APIKEY="rWqZ...Rg"
APISECRET="G1JV...n4"
NONCE=$(openssl rand -hex 16)
BODY='{"code":"main-site","label":"Main site","afftaxBps":500}'
SIGN=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$APISECRET" | sed 's/^.* //')

curl -sS -X POST "https://0trace.io/api/v1/codes" \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: $APIKEY" \
  -H "X-API-SIGN: $SIGN" \
  -H "X-API-NONCE: $NONCE" \
  --data "$BODY"

GET /api/v1/codes — list

GET/api/v1/codesAuth required

Returns every code owned by the partner (enabled + disabled), newest first, capped at 100 rows. Sign an empty body "" for the request signature.

200 OK
{
  "code": 0,
  "msg": "",
  "data": [
    {
      "id": "ckxq0...",
      "code": "main-site",
      "label": "Main site",
      "afftaxBps": 500,
      "enabled": true,
      "createdAt": "2026-05-13T08:42:11.000Z"
    },
    {
      "id": "ckxp9...",
      "code": "newsletter",
      "label": null,
      "afftaxBps": 200,
      "enabled": false,
      "createdAt": "2026-05-12T22:18:03.000Z"
    }
  ]
}

DELETE /api/v1/codes — soft-disable

DELETE/api/v1/codesAuth required
Body
codestringrequired
Code to soft-disable. Sets enabled=false but keeps the row so you can re-enable later. A miss returns code 6 NOT_FOUND.

Disabled codes are still listed by GET /api/v1/codes. They are rejected at authentication, so a caller using a disabled code receives code 3 AUTH_INVALID.

POST /api/v1/codes/enable — re-enable

POST/api/v1/codes/enableAuth required
Body
codestringrequired
Previously-disabled code to re-enable. No-op if already enabled.

Errors

codemsgHTTPDescription
1INVALID_REQUEST400Body fails validation: unsupported asset, disabled pair, unparseable amount, invalid address, FLOAT without refundAddress, malformed Idempotency-Key. The same code + HTTP 409 fires on Idempotency-Key reuse with a different payload.
2AUTH_REQUIRED401One of X-API-KEY / X-API-SIGN is missing on an endpoint that requires authentication.
3AUTH_INVALID401Unknown key, malformed signature, signature mismatch, expired or replayed nonce, decrypt failure. Generic body — never an oracle for "which" of those it was.
4AUTH_DISABLED401Partner record enabled = false. Reachable only with a valid signature, so the operator can distinguish a kill-switched partner from a stolen-and-revoked key.
5RATE_LIMIT429Per-partner weight budget exhausted within the 60-second sliding window. Response includes Retry-After: <seconds>.
6NOT_FOUND404Order does not exist OR exists but belongs to a different partner OR exists and the token is wrong. The three cases collapse to one envelope.
13LIMIT_EXCEEDED403Partner reached the per-partner ceiling on POST /api/v1/codes (default 50 reference codes).
99INTERNAL500Unexpected server-side condition. Already logged on our side; safe to retry.

Rate limit

Every verb (POST create, GET list, DELETE disable, POST codes/enable) charges 1 weight unit against the per-partner sliding-window budget.

Partner API.
Same engine as 0trace.

A private partner integration surface. Signed quotes, server-side pricing, webhook delivery, multiple reference codes, and a self-serve cabinet — all backed by the production exchange engine.

Need help?

Questions? Answers.

A partner integration surface on top of the same exchange engine that powers 0trace.io. You connect with a signed REST contract, query quotes, open orders, and receive webhook notifications. Our liquidity, our pricing, our payouts. You focus on your product.
No. The API is private and invite-only, aligned with the privacy posture of 0trace itself. There is no KYC, no identity collection, and no source-of-funds reporting required of partners or their end users.
Submit a request through our partner application form at 0trace.io/api/contact-sales and we’ll reply within three business days.
Traffic is encrypted in transit (TLS). Every request is signed with HMAC-SHA256 over the exact request body bytes and gated by a nonce-based replay window. Pricing, fees, and payout amounts are computed server-side. Payouts run on an isolated service that re-verifies each transfer against the on-chain deposit before broadcasting.
A per-partner sliding-window weight budget, default 2500 wu/min (≈50 creates/minute). Endpoint weights: /api/v1/create is 50, /api/v1/qr is 5, every other endpoint is 1. XML feeds run on a separate public bucket. Exceeding the budget returns 429 with a Retry-After header. To raise your cap, send your projected per-endpoint call rate to your operator contact.
Two ways to earn. Revenue share: send us traffic with your referral link and earn a share of our service fee on every order — the visitor sees our live rate. Markup: integrate through the API and add your own margin on top of our rate, shown in your own interface. Use either, or both.
Yes. 0trace operates its own liquidity pool across every supported asset and network. Quotes are recomputed server-side at order creation against the live feed. Payouts are direct, with no third-party intermediary.
Bitcoin, Ethereum, BSC, Solana, Tron, Monero, and Arbitrum One — covering native coins plus the major stablecoins on each network (USDT, USDC, USDC.e).
Yes. We push signed events for order.status_changed and partner.paid_out; you subscribe to the ones you want in your cabinet.

Follow us on X for the latest updates.

Subscribe