Developer Docs

REST API Reference

Full JSON REST API under /api/*. Cookie-based authentication. 15 resource groups.

Base URL: https://ohlcx.com/api
Auth: Cookie Auth
Format: JSON {data: ...}
Errors: 422 validation / 500 proxy
OpenAPI: docs/api/openapi.yaml

Auth
Public
POST /api/login
POST /api/register
POST /api/password/email
POST /api/password/reset
POST /api/two-factor-challenge
GET /api/user

Cookie-based authentication. GET /sanctum/csrf-cookie before first write.

Profile
Auth
PUT /api/user-profile/profile
PUT /api/user-profile/password
GET /api/user-profile/sessions
POST /api/user-profile/logout-other-sessions
DELETE /api/user-profile
DELETE /api/user-profile/profile-photo

Profile management - name, email, photo, password, sessions, and account deletion.

User Data
Auth
GET/POST /api/user/preferences
GET/POST /api/user/settings
GET/POST /api/user/onboarding

Order defaults, risk limits, feature toggles, and onboarding state.

Knowledge Base
Auth
GET /api/knowledge-base
GET /api/knowledge-base/{slug}

16 articles. Filter by area or full-text q param. Returns { data: Article[] }.

Markets
Auth
GET /api/markets
GET /api/markets/{id}
GET /api/tickers
GET /api/tickers/{symbol}
GET /api/market-calendar
POST /api/market-balance
GET /api/news
GET /api/popular-news
GET /api/crypto-news
GET /api/analysis

Proxied to external OHLCX API with ~1 min cache. Returns upstream data key or 500 proxy error.

AI Agents
Public / Auth
POST /api/ai/agents/support
POST /api/ai/agents/trading
POST /api/ai/agents/assistant

All return SSE text stream. Support and assistant are public (throttle 60/min). Trading requires authentication.

Strategies
Auth
GET/POST /api/strategies
GET/PUT/DELETE /api/strategies/{id}
GET /api/strategies/search/{sym}
POST /api/strategy/{id}/deploy
POST /api/strategy/{id}/duplicate
POST /api/strategy/{id}/retain
GET /api/strategy/{id}/conditions
GET /api/strategy/{id}/activities

Full CRUD + lifecycle. All proxy to external OHLCX API with cache invalidation on writes.

Conditions & Signals
Auth
GET/POST /api/conditions
GET/PUT/DELETE /api/conditions/{id}
GET /api/signals

Conditions are attached to strategies. Signals are read-only.

Accounts
Auth
GET /api/accounts
GET /api/accounts/balances
GET /api/accounts/{id}/balance
GET /api/accounts/{id}/growth
GET /api/accounts/{id}/pnl

Schwab account summaries. Live broker data is fetched directly from Schwab by the frontend via useApiService - not this API.

Activities
Auth
GET /api/activities
POST /api/activities
DELETE /api/activities/{id}

User activity log. Create and delete entries.

Billing
Auth
GET /api/credits
GET /api/transaction-history

Credit balance and transaction history. Stripe-backed. Admin billing routes require is_admin.

Support
Public (contact-form) / Auth
POST /api/contact-form
POST /api/support-request
POST /api/report-issue

POST /api/contact-form is CSRF-exempt for public use.

Chat
Auth
POST/GET/PUT/DELETE /api/group/{group}
POST/DELETE /api/message
GET /api/sidebar-conversations
GET/POST /api/invites
POST /api/invites/accept

Trading rooms - group CRUD, messaging, invites, and join requests.

Admin Users
Auth + is_admin
GET /api/users
POST /api/users
GET/PUT/DELETE /api/users/{id}
POST /api/user/block-unblock/{user}
POST /api/user/change-role/{user}

Paginated user management. Cannot delete own account.

Auth Strategy Note

Set the CSRF cookie via GET /sanctum/csrf-cookie before first write. All mutations send credentials via window.axios with cookie auth. Only POST /api/contact-form is CSRF-exempt.
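
The flow in the note above, written out with fetch to show what window.axios does implicitly; this is an added example, not OHLCX's own code. It assumes Laravel Sanctum defaults that the page does not state (the XSRF-TOKEN cookie, the X-XSRF-TOKEN header, a 419 reply on token mismatch), and fetchImpl and getCookies are hypothetical injection points.

```javascript
// Added example (not OHLCX code). Assumes Laravel Sanctum defaults: the
// XSRF-TOKEN cookie, the X-XSRF-TOKEN header and a 419 reply on token mismatch.
const CSRF_EXEMPT = new Set(['POST /api/contact-form']); // per the note above
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Pull the URL-encoded XSRF-TOKEN value out of a document.cookie style string.
function readXsrfToken(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// fetchImpl and getCookies are injected so the flow can be exercised offline.
function createApiClient(fetchImpl, getCookies, origin = 'https://ohlcx.com') {
  const primeCsrf = () =>
    fetchImpl(`${origin}/sanctum/csrf-cookie`, { method: 'GET', credentials: 'include' });

  return async function request(method, path, body, retried = false) {
    method = method.toUpperCase();
    const needsCsrf = !SAFE_METHODS.has(method) && !CSRF_EXEMPT.has(`${method} ${path}`);
    if (needsCsrf && readXsrfToken(getCookies()) === null) await primeCsrf();

    const headers = { Accept: 'application/json' };
    if (body !== undefined) headers['Content-Type'] = 'application/json';
    if (needsCsrf) {
      const token = readXsrfToken(getCookies());
      if (token === null) throw new Error('CSRF cookie missing after /sanctum/csrf-cookie');
      headers['X-XSRF-TOKEN'] = token;
    }
    const res = await fetchImpl(`${origin}${path}`, {
      method, headers, credentials: 'include',
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    // Stale token: refresh the cookie once and replay the write.
    if (res.status === 419 && needsCsrf && !retried) {
      await primeCsrf();
      return request(method, path, body, true);
    }
    return res;
  };
}
```

In a browser, pass `window.fetch.bind(window)` and `() => document.cookie`; the cookie must be readable by script for the header to be set, which is why Sanctum does not mark XSRF-TOKEN as HttpOnly.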
