User authentication

Endpoints that operate on behalf of a user (viewing orders, managing wallet addresses, placing orders) require user-level authentication in addition to client authentication.

There are two ways to authenticate a user: email/password login or a user identifier header.

Let the user log in via POST /api/v1/user/login:

curl -X POST https://api-sandbox.btcdirect.eu/api/v1/user/login \
-H "Content-Type: application/json" \
-H "Authorization: Bearer PARTNER_TOKEN" \
-d '{"email": "[email protected]", "password": "user_password"}'

Response:

{
"token": "eyJ...",
"refreshToken": "abc123...",
"identifier": "b959356546fca..."
}

Log in a user with email and password. Requires a valid partner JWT token.

Include the user token alongside the partner token in all user-level requests:

Authorization: Bearer {partner_token}
User-Authorization: Bearer {user_token}

The user token is valid for 1 hour and can be refreshed the same way as the partner token, by sending the refresh token to POST /api/v1/refresh.

To log a user out and invalidate their token, call POST /api/v1/user/logout.

You can send a unique identifier header (e.g. a hashed XPUB key) to authenticate a user without email/password:

User-Identifier: {userIdentifier}

You can use this identifier in all requests that require a logged-in user. However, to confirm quotes and perform user-specific operations (such as retrieving user info), the identifier must be linked to a user account.

To link a user identifier to an account, call POST /api/v1/user/register-identifier. This returns either a registration URL (for new users) or a dashboard URL (if the identifier is already linked).
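
The following client-side helper is an added example, not BTC Direct's own code. It builds the header set for either user authentication mode described above and decides when the 1-hour user token is due for a refresh. It assumes the user token is a compact JWT carrying an `exp` claim and that the identifier is the hex SHA-256 of the xpub string; all function names and the sample values are hypothetical.

```python
import base64
import hashlib
import json
import time

def user_identifier_from_xpub(xpub):
    # Assumed scheme: hex SHA-256 of the xpub string (the page only says "hashed XPUB key").
    return hashlib.sha256(xpub.strip().encode("ascii")).hexdigest()

def jwt_expiry(token):
    # Reads "exp" from the JWT payload WITHOUT verifying the signature:
    # good enough to schedule a refresh, never to make a trust decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def needs_refresh(token, now=None, skew=60):
    # True once the token is within `skew` seconds of its expiry.
    now = time.time() if now is None else now
    return now >= jwt_expiry(token) - skew

def user_headers(partner_token, user_token=None, user_identifier=None):
    # Exactly one user credential per request (this example's choice, not an API rule).
    if (user_token is None) == (user_identifier is None):
        raise ValueError("pass exactly one of user_token or user_identifier")
    headers = {"Authorization": f"Bearer {partner_token}"}
    if user_token is not None:
        headers["User-Authorization"] = f"Bearer {user_token}"
    else:
        headers["User-Identifier"] = user_identifier
    return headers

def make_sample_jwt(exp):
    # Constructed token with a dummy signature, used only as sample input.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.sig"

if __name__ == "__main__":
    token = make_sample_jwt(exp=1_700_003_600)  # constructed: expires 1 hour after 1_700_000_000
    print(needs_refresh(token, now=1_700_000_000))
    print(needs_refresh(token, now=1_700_003_590))
    print(user_headers("PARTNER_TOKEN", user_token=token))
    ident = user_identifier_from_xpub("xpub-CONSTRUCTED-SAMPLE")  # constructed, not a real key
    print(user_headers("PARTNER_TOKEN", user_identifier=ident))
```

Keep the user token, the refresh token and the identifier out of logs and URLs, since each one is accepted in place of the user's password.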