# Customer Authentication

Customer auth is separate from trading account auth.

- Customer login uses `email` + `password`.
- Successful login creates a `SESSION_CUSTOMER` token.
- If OTP is enabled for the customer, `otp_code` is required during login.
- Trading actions still require choosing an account context from linked accounts.
## POST /customer/auth/login

Authenticates a customer and returns the customer profile, linked accounts, and `__token`.

### Request

```json
{
  "email": "client@example.com",
  "password": "strong-password",
  "otp_code": "123456"
}
```

`otp_code` is required only when `otp_enabled = 1`.
### Success Response

```json
{
  "customer_id": 1,
  "email": "client@example.com",
  "full_name": "John Smith",
  "first_name": "John",
  "last_name": "Smith",
  "status": 0,
  "phone": "+35700000000",
  "preferred_language": "en",
  "brand": "default",
  "desk_id": 1,
  "manager_id": 10,
  "last_login_time": 1777600000,
  "otp_enabled": 1,
  "accounts": [
    {
      "login": 100001,
      "customer_id": 1,
      "enable": 1,
      "leverage": 100,
      "group": "standard",
      "name": "John Smith",
      "email": "client@example.com"
    }
  ],
  "__token": "..."
}
```
### Errors

| HTTP | Error | Description |
|---|---|---|
| 400 | INVALID_DATA | Invalid request body |
| 403 | CUSTOMER_NOT_FOUND_OR_INCORRECT | Email or password is incorrect |
| 403 | CUSTOMER_DISABLED | Customer is disabled |
| 403 | OTP_REQUIRED | OTP is enabled and `otp_code` was not provided |
| 403 | INVALID_OTP_CODE | OTP code is invalid |
| 403 | OTP_NOT_CONFIGURED | OTP is enabled but the secret is missing |
## GET /customer/session/accounts

Returns trading accounts linked to the authenticated customer.

### Authorization

Requires a `SESSION_CUSTOMER` token.

### Response

```json
{
  "accounts": [
    {
      "login": 100001,
      "customer_id": 1,
      "enable": 1,
      "leverage": 100,
      "group": "standard",
      "name": "John Smith",
      "email": "client@example.com"
    }
  ]
}
```
## GET /customer/auth/otp

Generates a new TOTP setup secret and provisioning URI.

This method does not enable OTP. OTP is enabled only after `PUT /customer/auth/otp` succeeds.

### Authorization

Requires a `SESSION_CUSTOMER` token.

### Response

```json
{
  "otp_url": "otpauth://totp/ION%20Trader:client%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=ION%20Trader&algorithm=SHA1&digits=6&period=30",
  "secret": "JBSWY3DPEHPK3PXP",
  "algorithm": "SHA1",
  "digits": 6,
  "period": 30
}
```
## PUT /customer/auth/otp

Enables or replaces customer OTP after verifying the setup code.

### Authorization

Requires a `SESSION_CUSTOMER` token.

### Request

```json
{
  "secret": "JBSWY3DPEHPK3PXP",
  "code": "123456",
  "current_code": "654321"
}
```

`current_code` is required only when OTP is already enabled.

### Response

```json
{
  "otp_enabled": 1
}
```
## POST /customer/auth/otp/check

Checks the current customer OTP code.

### Authorization

Requires a `SESSION_CUSTOMER` token.

### Request

```json
{
  "code": "123456"
}
```

### Response

```json
{
  "data": "OK"
}
```
## DELETE /customer/auth/otp

Disables customer OTP after verifying the current code.

### Authorization

Requires a `SESSION_CUSTOMER` token.

### Request

```json
{
  "code": "123456"
}
```

### Response

```json
{
  "otp_enabled": 0
}
```
## TOTP Parameters

| Parameter | Value |
|---|---|
| Algorithm | SHA1 |
| Digits | 6 |
| Period | 30 seconds |
| Valid window | 1 |