Quote security

To place an order via the API, you must first request a quote. The quote system is designed to prevent tampering with prices and order details.

  1. Request a quote from one of the quote endpoints (buy or sell).
  2. The API returns the quoted price, fees, expiry time, and an encrypted quote string.
  3. Display the quote to the user for confirmation.
  4. If the user accepts, send the quote string to the corresponding confirm endpoint (buy confirm or sell confirm).

When you submit the quote string to the confirm endpoint, the API validates:

  • The quote has not been tampered with.
  • The quote has not expired.
  • The quote belongs to the wallet address provided.
  • The quote belongs to the authenticated API client and user.

If all checks pass, the order is placed.

The quote string is a JWE (JSON Web Encryption) token, protected with strong encryption to ensure integrity, authenticity, and confidentiality. Even if a token were decrypted, modified, and re-encrypted, the API performs additional server-side checks that would reject it.
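
The four confirm-time checks listed above can be seen in this added example, which is not the API's own code. It uses an HMAC-SHA256 signed token as a stand-in for the JWE, so it shows integrity and binding but not confidentiality. The names `issue_quote` and `confirm_quote`, the claim fields, and the key are all assumptions.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_quote(price, wallet, client_id, user_id, ttl=30, now=None):
    """Seal the quote terms together with everything the quote is bound to."""
    now = time.time() if now is None else now
    claims = {"price": price, "wallet": wallet, "client": client_id,
              "user": user_id, "exp": now + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = b64e(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def confirm_quote(token, wallet, client_id, user_id, now=None):
    """Return (ok, reason); the caller's identity comes from the session, not the token."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = b64e(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "tampered"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):  # malformed token is treated as tampered
        return False, "tampered"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["wallet"] != wallet:
        return False, "wrong wallet"
    if (claims["client"], claims["user"]) != (client_id, user_id):
        return False, "wrong client or user"
    return True, "order placed"
```

Because the price, expiry, wallet, client and user are all sealed into one token, a client can only replay the exact terms it was quoted, from the same wallet and session, before the expiry.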