API and webhooks
REST API and webhook reference — authentication, endpoints, payload schemas, signature verification, and rate limits.
TICPOZ exposes a small REST API for managing strategies and droplets, plus outbound webhooks that fire on trade events. The same authentication model — bearer JWT — is used across the entire surface.
Base URL
https://ticpoz.com/api/
Authentication
Every request needs an Authorization: Bearer <token> header. Tokens are issued at Settings → API keys. Each token carries a scope (read-only or read-write), a per-token rate budget, and an expiry. JWTs are signed server-side; do not try to mint them locally.
curl https://ticpoz.com/api/deployments \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiI..."
Key endpoints
List droplets
GET /api/deployments
Returns every droplet owned by the authenticated user with its state, strategy id, account id, and most recent equity snapshot.
Manual tick
POST /api/deployments/{id}/tickForces an immediate evaluation cycle on the droplet without waiting for the 15-second boundary. Useful for testing webhook delivery or reacting to a corporate event.
Trade history
GET /api/deployments/{id}/trades?since=2026-05-01&limit=200Paginated list of closed trades. Each row includes open time, close time, direction, size, average open price, average close price, realised PnL, and commission.
Force a trade
POST /api/deployments/{id}/force-trade
{
"side": "buy",
"size": 0.10,
"stopLoss": 1.0850,
"takeProfit": 1.0950
}Opens a position manually, bypassing the entry clause tree. Risk caps still apply — a force-trade that breaches perTradePct or dailyDdCap is rejected.
List strategies
GET /api/strategies
Returns every StrategySpec owned by the user, with the latest version id and the timestamp of its most recent edit.
Chat with Quant-AI
POST /api/ai/chat
{
"strategyId": "strat_4f3...",
"message": "Tighten the stop to 1.0 ATR and trail after 1.5 ATR."
}Routes a chat turn through Quant-AI. Returns the next candidate spec plus the model's explanation. See AI builder.
Webhooks
Each droplet can register a webhook URL. We POST a signed JSON payload on every position open and close. The payload shape:
POST <your-url>
Headers:
Content-Type: application/json
X-Ticpoz-Event: position.opened
X-Ticpoz-Signature: t=1715600000,v1=4a7e...
{
"event": "position.opened",
"droplet": "drop_4f3a...",
"strategy": "strat_a91b...",
"account": "acct_77c4...",
"symbol": "EURUSD",
"side": "buy",
"size": 0.10,
"openTime": "2026-05-13T08:14:22Z",
"openPrice": 1.0843,
"stopLoss": 1.0820,
"takeProfit": 1.0890
}Signature verification
The X-Ticpoz-Signature header carries a timestamp and an HMAC-SHA256 of<timestamp>.<raw-body> keyed with the per-droplet webhook secret. Reject any request older than five minutes; reject any request whose recomputed signature does not match. The secret is shown once when you save the webhook — store it server-side.
Delivery
- Retries: up to five attempts with exponential backoff over fifteen minutes.
- Idempotency: every event has an
id. Treat duplicates as a no-op. - A 2xx response acknowledges. Any other status is treated as a failure and retried.
Rate limits
Default budgets, per token:
- Read endpoints — 600 requests per minute.
- Mutating endpoints — 60 requests per minute.
- AI chat — 30 turns per minute, additionally throttled by your plan's monthly token budget.
Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. A 429 response includes a Retry-Afterheader you should respect.
error.message. 401 is a missing or expired token. 403 is a scope mismatch (read-only token attempting a write). 404 is an unknown resource. 429 is rate-limited. 5xx means we are at fault and you should retry.