REST endpoints
Market data, trading, account, and wallet operations over plain HTTPS JSON.
Streaming
Server-Sent Events for live order books, marks, fills, and positions.
Errors & limits
Status codes, error shapes, and rate-limit headers.
Base URL
Every endpoint documented here is served through the public gateway. Send all requests to your OCX API host:"68210.5", not 68210.5) to preserve
precision — parse them with a decimal-safe type, never a native float.
Authentication
OCX has three access tiers. Each endpoint in this reference is tagged with the tier it requires.Public
No credentials. All market-data reads — markets, order books, stats,
candles, the options board, and public streams.
Session
A signed-in session from Sign-In With Ethereum (SIWE). Required for placing
single orders and for your own account, wallet, and key management.
API key
An
x-api-key header for programmatic access. Accepted on high-throughput
trading endpoints (previews, bulk quoting, cancel-all, algo streams).Session (SIWE)
Sign in with your wallet to open a session. The full flow is covered in Authentication; in short, request a nonce, sign an EIP-4361 message, and exchange it for a session. The session is a signed JWT valid for 7 days, delivered as anhttpOnly cookie and accepted either way:
API key
Provision an API key from a signed-in session (see API key management), then send it on every automated request:read (market data and account reads) or trade
(adds order actions). A key can never create or revoke another key — key
management is session-only.
Grant least privilege: give a monitoring bot a
read key and an executing bot
a trade key. You can pin a key to source IPs and set an expiry when you
create it.Response shape
Successful responses return the resource directly as a JSON object or array. There is no envelope wrapper on REST responses — the body is the data.text/event-stream and wrap each message in
a small envelope — see Streaming.
Error shape
Errors use standard HTTP status codes with a JSON body describing what went wrong. Handle the status code first, then read the message for detail.400 (bad request or insufficient bucket balance), 401 (not
authenticated), 403 (wrong scope or forbidden), 404 (unknown resource),
422 (business rejection such as insufficient margin), and 429 (rate
limited). The full catalog is in Errors & rate limits.
Rate limits
Requests are rate-limited per client. Authenticated and API-key traffic receives a higher budget than anonymous traffic. Every response carries standard headers so you can pace yourself:| Header | Meaning |
|---|---|
X-RateLimit-Limit | Requests allowed in the current window |
X-RateLimit-Remaining | Requests left in the window |
X-RateLimit-Reset | When the window resets |
Idempotency
Order and quote endpoints accept aclientOrderId for idempotent client-side
tracking, and quoting endpoints accept a quoteId to group or replace a
market-maker’s quote set in one call. Use them so retries never double-submit.