Overview

Private, invite-only. Small surface: every endpoint is one signed POST, every webhook is one signed event. A self-serve cabinet lives at /partner/login. /v1/create accepts an Idempotency-Key so retries are safe. See Authentication for the signing rules.

New here? Start at the Quickstart: first signed call, first order, first webhook in five minutes.

Two integration models

• Server-to-server API. Sign every request, control price quoting and idempotency, receive signed webhooks. Start at the Quickstart.
• Referral links. Send traffic at /r/{code} with the swap direction in the URL. No backend integration; earnings accrue automatically. See Referral links.

How it fits together

• Discovery. /v1/currencies and /v1/pairs. Unauthenticated; served from a 30-second cache.
• Quoting. /v1/price. Unauthenticated; recomputed per request against live rates.
• Order lifecycle. /v1/create to open, /v1/order to poll, /v1/emergency to resolve status = "EMERGENCY", /v1/qr for a pay-in QR.
• Credentials and reference codes. /v1/keys/rotate for self-service apiSecret / webhookSecret rotation. /v1/codes (POST / GET / DELETE) and /v1/codes/enable for multiple reference codes with per-code markup.
• Push contracts. Webhooks (three events, signed, per-partner subscription) and XML rate feeds (public, unauthenticated).
• Self-service portal. Partner cabinet at /partner/login: dashboard, orders, payout history, reference codes, key rotation.

Versioning

The wire contract is stable. Breaking changes are announced 30 days in advance to the contact email on your partner record. Backwards-compatible additions (new endpoints, new optional fields, new opt-in webhook events) land at any time and never break an existing integration.

Payout isolation

Partner credentials authorise discovery, quoting, and order creation. They cannot move funds. Payouts run on a separate service that re-verifies the on-chain deposit before broadcasting.