Quickstart

First signed call, first order, first webhook — in under five minutes. Worked examples in bash, Python, and Node.

Sign your first request, open your first order, verify your first webhook. Examples in bash, Python, and Node at every step.

No code needed? Your referral link earns revenue share with zero integration — grab it in your cabinet and start sending traffic. This guide is for the signed API. See Referral links.

Prerequisites

  • Your three credentials: apiKey, apiSecret, webhookSecret.
  • A public HTTPS endpoint for webhooks. For local development, ngrok or cloudflared work fine.
  • A shell with curl and openssl, or Python, or Node.

Step 1 — Sign your first request

POST /api/v1/price is the smallest signed call we have. The snippet quotes 0.01 BTC to USDT (Tron) and returns the rate the server will sign on a matching /api/v1/create.

# Sign your first request — a quote for 0.01 BTC -> USDT (Tron).
APIKEY="rWqZ...your-api-key...Rg"
APISECRET="G1JV...your-api-secret...n4"
BODY='{"type":"float","fromCcy":"btc","toCcy":"usdt_trc20","direction":"from","amount":"0.01"}'
SIGN=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$APISECRET" | sed 's/^.* //')
NONCE=$(openssl rand -hex 16)

curl -sS -X POST https://0trace.io/api/v1/price \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: $APIKEY" \
  -H "X-API-SIGN: $SIGN" \
  -H "X-API-NONCE: $NONCE" \
  --data "$BODY"
# Expect 200 OK with { "code": 0, "data": { "from": ..., "to": ..., "markupBps": 0 } }

Expect HTTP 200 with { "code": 0, "data": { "from": …, "to": …, "markupBps": 0 } }. If you get code: 3 AUTH_INVALID, your signature was computed over different bytes than the body you sent. Re-read Authentication / Common mistakes.

Step 2 — Open an order

POST /api/v1/create reserves a pay-in address. Send an Idempotency-Key so retries are safe.

# Step 2 — open an order. The Idempotency-Key makes retries safe.
APIKEY="rWqZ...Rg"
APISECRET="G1JV...n4"
BODY='{"type":"float","fromCcy":"btc","toCcy":"usdt_trc20","direction":"from","amount":"0.01","toAddress":"TXyz...recipient","refundAddress":"bc1q...refund"}'
SIGN=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$APISECRET" | sed 's/^.* //')
NONCE=$(openssl rand -hex 16)
IDEMP=$(openssl rand -hex 12)

curl -sS -X POST https://0trace.io/api/v1/create \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: $APIKEY" \
  -H "X-API-SIGN: $SIGN" \
  -H "X-API-NONCE: $NONCE" \
  -H "Idempotency-Key: $IDEMP" \
  --data "$BODY"
# Persist data.id and data.token from the response immediately.
# data.token is returned exactly once and is not recoverable.

Persist data.id and data.token from the response immediately. The token is returned once and cannot be recovered.

Step 3 — Poll order state

POST /api/v1/order returns the partner DTO. Poll once every 30–60 seconds, or rely on webhooks (Step 4).

# Step 3 — poll the order state.
APIKEY="rWqZ...Rg"
APISECRET="G1JV...n4"
ORDER_ID="<from /api/v1/create>"
ORDER_TOKEN="<from /api/v1/create>"
BODY="{\"id\":\"$ORDER_ID\",\"token\":\"$ORDER_TOKEN\"}"
SIGN=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$APISECRET" | sed 's/^.* //')
NONCE=$(openssl rand -hex 16)

curl -sS -X POST https://0trace.io/api/v1/order \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: $APIKEY" \
  -H "X-API-SIGN: $SIGN" \
  -H "X-API-NONCE: $NONCE" \
  --data "$BODY"
# Status walks NEW -> PENDING -> EXCHANGE -> DONE.

Status walks NEW → PENDING → EXCHANGE → DONE. See Status mapping for the full vocabulary.

Step 4 — Verify your first webhook

Spin up a tiny receiver, point your partner record’s webhook URL at it (operator-mediated), and verify the inbound HMAC. Production-ready scaffolds in Node, Python, and Go: Webhook receiver scaffold.

Minimum checks every receiver must implement:

  1. Read the exact request body bytes before any middleware re-serialises.
  2. Recompute HMAC-SHA256(webhookSecret, rawBody) in hex.
  3. Compare with X-Partner-Webhook-Sign using a constant-time function.
  4. Reject events where X-Partner-Webhook-Timestamp is more than 5 minutes old or 1 minute in the future.
  5. Reply 2xx within 10 seconds. Anything else triggers the retry ladder.
  • Authentication — full HMAC recipe, replay window, common signing mistakes.
  • Errors and Errors cookbook — every numeric code with real-world remedies.
  • Referral links — the no-code path: your default link earns revenue share on every order.
  • Reference codes — per-channel API codes, each with its own markup.
  • /api/v1/create — full request and response schema for the create call.
  • Cabinet — self-serve dashboard: your keys, your referral link, your codes.

Partner API.
Same engine as 0trace.

A private partner integration surface. Signed quotes, server-side pricing, webhook delivery, multiple reference codes, and a self-serve cabinet — all backed by the production exchange engine.

Need help?

Questions? Answers.

A partner integration surface on top of the same exchange engine that powers 0trace.io. You connect with a signed REST contract, query quotes, open orders, and receive webhook notifications. Our liquidity, our pricing, our payouts. You focus on your product.
No. The API is private and invite-only, aligned with the privacy posture of 0trace itself. There is no KYC, no identity collection, and no source-of-funds reporting required of partners or their end users.
Submit a request through our partner application form at 0trace.io/api/contact-sales and we’ll reply within three business days.
Traffic is encrypted in transit (TLS). Every request is signed with HMAC-SHA256 over the exact request body bytes and gated by a nonce-based replay window. Pricing, fees, and payout amounts are computed server-side. Payouts run on an isolated service that re-verifies each transfer against the on-chain deposit before broadcasting.
A per-partner sliding-window weight budget, default 2500 wu/min (≈50 creates/minute). Endpoint weights: /api/v1/create is 50, /api/v1/qr is 5, every other endpoint is 1. XML feeds run on a separate public bucket. Exceeding the budget returns 429 with a Retry-After header. To raise your cap, send your projected per-endpoint call rate to your operator contact.
Two ways to earn. Revenue share: send us traffic with your referral link and earn a share of our service fee on every order — the visitor sees our live rate. Markup: integrate through the API and add your own margin on top of our rate, shown in your own interface. Use either, or both.
Yes. 0trace operates its own liquidity pool across every supported asset and network. Quotes are recomputed server-side at order creation against the live feed. Payouts are direct, with no third-party intermediary.
Bitcoin, Ethereum, BSC, Solana, Tron, Monero, and Arbitrum One — covering native coins plus the major stablecoins on each network (USDT, USDC, USDC.e).
Yes. We push signed events for order.status_changed and partner.paid_out; you subscribe to the ones you want in your cabinet.

Follow us on X for the latest updates.

Subscribe