Quote.Trade authenticated trading reference for agents

This page documents Quote.Trade authenticated trading and account data workflows for humans and agent builders. It is documentation only. It is not financial advice, not a trading recommendation, and not permission for autonomous live trading.

Canonical source of truth: https://doc.quote.trade

Security requirements

Before any authenticated integration:

Use the official Quote.Trade API docs as the source of truth.
Use scoped API credentials and avoid withdrawal permissions for agent workflows.
Never put API keys, secret keys, wallet private keys, seed phrases, session cookies, or bearer tokens into prompts, screenshots, logs, or frontend code.
Require explicit human approval before any live order.
Add allowed-symbol limits, max-notional limits, and rate-limit handling.
Keep order preview/dry-run logic in the calling application where possible.
Do not expose withdrawal, transfer, wallet signing, staking, or unstaking actions to autonomous agents without separate review.

Auth and signing summary

Quote.Trade passes API keys in the X-MBX-APIKEY HTTP header. Signed private endpoints require a signature HTTP header. The documented signing method is HMAC SHA256, using the API secret key as the HMAC key and the minified JSON request body as the HMAC value.

For POST and PUT endpoints, send a minified JSON request body with Content-Type: application/json. For GET endpoints, send parameters in the query string.

Send a BUY/SELL order

Endpoint:

POST https://app.quote.trade/api/order

Purpose:

Place a BUY or SELL order.

Documented request fields:

Field	Type	Required	Notes
`account`	integer	yes	User/account ID.
`liquidityOrder`	integer	yes	Docs say set default value to `1`.
`paymentCurrency`	string	yes	Payment currency, for example `USDT`.
`price`	number/string	yes	Order price.
`quantity`	number/string	yes	Order quantity.
`side`	string	yes	`BUY` or `SELL`.
`symbol`	string	yes	Example: `BTC`.
`timestamp`	integer	yes	Client timestamp in milliseconds.
`type`	string	yes	Example: `LIMIT`.
`disableLeverage`	integer	no	Docs state `0` enables leverage/shorting and `1` disables it; default is `0`. For agent workflows, prefer disabling leverage unless the human explicitly approves leverage.

Request-shape example only:

{
  "liquidityOrder": 1,
  "account": 12345,
  "symbol": "BTC",
  "side": "BUY",
  "type": "LIMIT",
  "price": 89091.5,
  "quantity": 0.001,
  "disableLeverage": 1,
  "paymentCurrency": "USDT",
  "timestamp": 1741765600791
}

Shell signing pattern using placeholders only:

api_key="<QUOTE_TRADE_API_KEY>"
secret_key="<QUOTE_TRADE_API_SECRET>"
api_url="https://app.quote.trade/api/order"
request_body='{"liquidityOrder":1,"account":12345,"symbol":"BTC","side":"BUY","type":"LIMIT","price":89091.5,"quantity":0.001,"disableLeverage":1,"paymentCurrency":"USDT","timestamp":1741765600791}'

signature=$(printf '%s' "$request_body" | openssl dgst -sha256 -hmac "$secret_key" | awk '{print $2}')

# Do not run this from an autonomous agent. Require explicit human approval first.
curl -X POST "$api_url" \
  -H "X-MBX-APIKEY: $api_key" \
  -H "signature: $signature" \
  -H "Content-Type: application/json" \
  -d "$request_body"

Expected response shape includes fields such as accountId, symbol, clientOrderId, cumQuote, executedQty, orderId, origQty, price, reduceOnly, side, status, timeInForce, type, and updateTime.

Agent policy:

Agents may draft the order body and explain risk.
Agents must not submit the order without explicit human approval.
Agents must not enable leverage/shorting unless the human explicitly requests and approves it.
Agents must not place orders outside configured symbol and notional limits.

Get balances, margin, and account summary

Endpoint:

GET https://app.quote.trade/api/account

Purpose:

Fetch authenticated account information, including balances and margin summary fields.

Documented request pattern:

api_key="<QUOTE_TRADE_API_KEY>"
api_url="https://app.quote.trade/api/account"

curl -X GET "$api_url" \
  -H "X-MBX-APIKEY: $api_key" \
  -H "Content-Type: application/json"

Documented response fields include:

Field	Meaning
`assets`	Asset/balance array.
`canDeposit`	Whether the account can deposit.
`canTrade`	Whether the account can trade.
`canWithdraw`	Whether the account can withdraw. Do not expose withdrawal access to agents.
`feeTier`	Account fee tier.
`maxWithdrawAmount`	Maximum withdrawal amount. Do not use for agent withdrawals.
`totalInitialMargin`	Total initial margin.
`totalMaintMargin`	Total maintenance margin.
`totalMarginBalance`	Total margin balance.
`totalOpenOrderInitialMargin`	Margin tied to open orders.
`totalPositionInitialMargin`	Margin tied to positions.
`totalUnrealizedProfit`	Total unrealized P/L.
`totalWalletBalance`	Total wallet balance.
`updateTime`	Last update time.

Agent policy:

Reading account/balance data is lower risk than order placement but still private.
Use read-only credentials where possible.
Never display full account identifiers or sensitive values outside the user's authorized session.

Get position and balance updates with private WebSocket streams

Quote.Trade documents private WebSocket streams at:

wss://app.quote.trade/ws/listenKey

The documented user positions stream subscribes with an account value, an unsubscribe flag, and a requestToken value.

Subscribe request shape:

{
  "account": "<ACCOUNT_ID>",
  "unsubscribe": 0,
  "requestToken": "<QUOTE_TRADE_API_KEY>"
}

Unsubscribe request shape:

{
  "account": "<ACCOUNT_ID>",
  "unsubscribe": 1,
  "requestToken": "<QUOTE_TRADE_API_KEY>"
}

Documented ACCOUNT_UPDATE events include a balances array under a.B. Balance fields include:

Field	Meaning
`a`	Asset.
`wb`	Wallet balance or quantity.
`aq`	Available quantity.
`u`	User ID.
`i`	Instrument ID.
`at`	Asset type.
`ucb`	USD cost basis.
`uacb`	USD average cost basis.
`uv`	USD value.
`up`	USD unrealized value/P/L.
`ur`	USD realized value/P/L.
`m`	Base USD mark.
`sm`	Settle coin USD mark.
`su`	Settle coin unrealized.
`sr`	Settle coin realized.

The public docs label this section “User Positions Stream,” but the visible example is an account/balance update. Treat it as the documented private stream for position/balance-related updates and rely on the official docs for the latest event schema.

Get user order updates with private WebSocket streams

Quote.Trade documents user order updates on the same private WebSocket path:

wss://app.quote.trade/ws/listenKey

Subscribe request shape:

{
  "account": "<ACCOUNT_ID>",
  "unsubscribe": 0,
  "requestToken": "<QUOTE_TRADE_API_KEY>"
}

Documented ORDER_TRADE_UPDATE events include order fields such as symbol, client order ID, side, order type, time in force, quantity, price, execution type, order status, order ID, last quantity, cumulative quantity, last price, fee fields, execution ID, instrument ID, user ID, order update sequence, hidden flag, liquidation flag, leaves quantity, and quote type.

Get risk and position-value updates

Quote.Trade documents a RISK_UPDATE private WebSocket event on:

wss://app.quote.trade/ws/listenKey

Documented risk fields include:

Field	Meaning
`bpe`	USD buying power estimate.
`lr`	Leverage ratio.
`mmv`	USD margin value.
`mrv`	USD margin required value.
`mv`	USD margin value.
`oo`	USD open-orders value.
`oor`	USD open-orders required value.
`pv`	USD position value.
`rd`	Risk update date.
`u`	User ID.
`um`	USD marginable value.
`up`	USD unrealized P/L.
`uv`	USD value.

Agent policy:

Private streams are for authenticated sessions only.
Do not put request tokens into prompts or client-side code.
Reconnect carefully and respect WebSocket message limits.
Do not use risk events as the sole approval signal for live trading.

What is intentionally not documented here as an agent action

Withdrawals.
Transfers.
Wallet private-key flows.
Seed phrases.
Staking/unstaking execution.
Unrestricted live order loops.
Any endpoint not currently documented by Quote.Trade.

Use the official docs for full API detail and contact Quote.Trade support for production integration questions.