API V1 Users method group

/api/v1/users/local/authenticate
POST

Authenticates a user with local credentials (email + password) and establishes a server session.
Upon successful login, the server returns the text OK and sets cookies (session_id, access_token, refresh_token), which are used for subsequent authorized requests.

URL

https://quickex.io/api/v1/users/local/authenticate

Authorization Required

No (public login with local credentials).

Headers

• Accept: application/json
• Content-Type: application/json

Request Body (JSON)

{
  "browserFingerprint": "1231231231231231212312312",
  "email": "test@test.com",
  "password": "testtest"
}

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/local/authenticate' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "browserFingerprint": "1231231231231231212312312",
    "email": "test@test.com",
    "password": "testtest"
  }'

Responses

A successful response includes Set-Cookie and session-id headers that establish the user session.

Notes

• Store tokens and cookies only in secure places (HttpOnly/Secure cookies, environment variables, secret vaults).
• browserFingerprint must remain consistent for a specific device/browser.
• After login, use the issued cookies to call protected API v1 methods.

Initiates the password reset process. A password recovery code will be sent to the specified email address.
This code must be saved for further use with the /api/v1/users/local/reset-password method.

URL

https://quickex.io/api/v1/users/local/request-password-reset

Authorization Required

No (public password reset request).

Headers

• Accept: application/json
• Content-Type: application/json

Request Body (JSON)

{
  "email": "user@example.com"
}

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/local/request-password-reset' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "user@example.com"
  }'

Responses

{
  "status": "ERR_VALIDATION",
  "message": "Validation Exception",
  "data": {
    "email": {
      "isEmail": "email must be an email"
    }
  }
}

Notes

• After calling this method, the specified email will receive a password recovery code.
• Save this code — it is required for the next step with the /api/v1/users/local/reset-password method.
• If the email does not exist or is invalid, the server will return a validation error (400).

Completes the password reset process. The user must provide the recovery code received by email as a result of the
/api/v1/users/local/request-password-reset call, along with the new password.
If successful, the password will be updated and the user will be able to log in with the new credentials.

URL

https://quickex.io/api/v1/users/local/reset-password

Authorization Required

No (recovery code is used).

Headers

• Accept: application/json
• Content-Type: application/json

Request Body (JSON)

{
  "resetCode": "1231231231231231212312312",
  "password": "testtest",
  "email": "test@example.com"
}

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/local/reset-password' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "resetCode": "1231231231231231212312312",
    "password": "testtest",
    "email": "test@example.com"
  }'

Responses

Notes

• This method is used only after calling /api/v1/users/local/request-password-reset.
• The recovery code has a limited validity period.
• After a successful password reset, use the new credentials to log in via /api/v1/users/local/authenticate.

Refreshes the access_token using a refresh_token.
This method is used when the current access_token has expired.
It returns a new access_token, which must be used for subsequent requests to protected endpoints.

URL

https://quickex.io/api/v1/users/authentication/refresh

Authorization Required

Yes (a valid refresh_token passed in cookies is required).

Headers

• Accept: application/json
• Content-Type: application/json
• Cookie: refresh_token={REFRESH_TOKEN}

Request Body (JSON)

{
  "browserFingerprint": "1231231231231231212312312"
}

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/authentication/refresh' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  --cookie "refresh_token=YOUR_REFRESH_TOKEN" \
  -d '{
    "browserFingerprint": "1231231231231231212312312"
  }'

Responses

Notes

• This method is used only to refresh the access_token. A new refresh_token is not issued.
• browserFingerprint must match the one provided during login via /api/v1/users/local/authenticate.
• Always store and transmit the refresh_token only in secure cookies (HttpOnly, Secure).

Returns account data for an authenticated user: ID, email, and a set of permissions.
Used by the client after login to determine available sections/actions in the interface.

URL

https://quickex.io/api/v1/users/account-data

Authorization Required

Yes — a valid session cookie issued by the /api/v1/users/local/authenticate method.

Headers

• Accept: application/json
• Cookie (e.g., session_id=...)

Parameters

None

Request Example (cURL)

curl -X GET \
  'https://quickex.io/api/v1/users/account-data' \
  -H 'Accept: application/json' \
  --cookie "session_id=YOUR_SESSION_ID"

Response Example (200)

{
  "userId": 42,
  "email": "user@example.com",
  "permissions": "USER",
  "adminPermissionsScope": {
    "ORDERS": { "READ": true, "CONFIGURE": false, "PROCESS": true, "CREATE_LARGE_ADDITIONAL_WITHDRAWALS": false, "ENABLE_MANUAL_PROCESSING": false },
    "INSTRUMENTS": { "READ": true, "UPDATE": false },
    "PAIRS": { "READ": true, "UPDATE": false },
    "BESTCHANGE": { "READ": true, "UPDATE": false },
    "USERS": { "READ": true, "UPDATE": false },
    "API_KEYS": { "READ": true, "UPDATE": false },
    "STATS": { "READ": true },
    "AFFILIATES": { "READ": true, "UPDATE": false },
    "PLATFORM_FEE_COLLECTION": { "READ": true, "UPDATE": false },
    "TRANSLATION": { "READ": true, "UPDATE": false }
  }
}

Responses

Notes

• adminPermissionsScope details subsystem rights (read/update/processing, etc.).
• If the frontend does not require administrative rights, only the fields userId, email, and permissions may be used.
• To refresh the session, use the method /api/v1/users/authentication/refresh (if applicable in your flow).

Terminates the current user session.
Used to log out and invalidate active authorization tokens (or cookies).

URL

https://quickex.io/api/v1/users/authentication/logout

Authorization Required

Yes — the user must be authenticated.

Headers

• Accept: application/json

Request Body

Not required (an empty body is sent).

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/authentication/logout' \
  -H 'Accept: application/json' \
  --cookie "session_id=YOUR_SESSION_ID" \
  -d ''

Response Example (201)

OK

Responses

Notes

• This method only terminates the current session. If the user is logged in on multiple devices, sessions on other devices will remain active.
• After calling this method, the user must re-authenticate to access private methods.
• If the cookie or token expired before calling this method, the server will return a 401 Unauthorized error.

Generates a new API key for the authenticated user.
The key consists of a pair: publicKey and secretKey, which are used when working with API v2 methods.
Additionally, you can specify a list of trusted IP addresses (whitelist) and the key’s active status.

URL

https://quickex.io/api/v1/users/generate-api-key

Authorization Required

Yes — the method is available only to logged-in users.

Headers

• Accept: application/json
• Content-Type: application/json
• Session Cookie (session_id=...)

Request Body (JSON)

{
  "name": "Api name / App name",
  "whiteListIp": [
    "127.0.0.1",
    "127.0.0.2"
  ],
  "isActive": true
}

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/generate-api-key' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  --cookie "session_id=YOUR_SESSION_ID" \
  -d '{
    "name": "Api name / App name",
    "whiteListIp": ["127.0.0.1", "127.0.0.2"],
    "isActive": true
  }'

Response Example (200)

{
  "apiId": 1,
  "name": "Api name / App name",
  "publicKey": "pk_123456789",
  "secretKey": "sk_987654321",
  "whiteListIp": ["127.0.0.1","127.0.0.2"],
  "isActive": true,
  "createdAt": "2025-08-26 12:16:20"
}

Responses

Notes

• Public Key is used to identify the client.
• Secret Key is stored only by the user and is used to sign requests in API v2.
• It is recommended to restrict API key usage by IP (whiteListIp) for increased security.
• If the secretKey is lost, it cannot be recovered — a new key must be generated.

Returns a list of all API keys created by the user.
The method allows viewing active and inactive keys, their parameters (name, IP whitelist, status), as well as the creation date.
Used for managing keys in the user’s personal account.

URL

https://quickex.io/api/v1/users/list-api-key

Authorization Required

Yes — the user must be authenticated (session cookie or access token).

Parameters

None

Request Example (cURL)

curl -X GET \
  'https://quickex.io/api/v1/users/list-api-key' \
  -H 'Accept: application/json' \
  --cookie "session_id=YOUR_SESSION_ID"

Response Example (200)

[
  {
    "apiId": 1,
    "name": "Api name / App name",
    "publicKey": "pk_123456789",
    "whiteListIp": [
      "127.0.0.1",
      "127.0.0.2"
    ],
    "isActive": true,
    "createdAt": "2025-08-26 12:16:20"
  }
]

Responses

Notes

• publicKey is used in the request headers of API v2.
• secretKey is returned only when the key is created via /generate-api-key and is not shown in the list.
• whiteListIp restricts the usage of the key to the specified IP addresses only.
• To disable or delete a key, separate API key management methods must be used (if available).

Deletes a previously generated API key.
After deletion, the key becomes invalid and can no longer be used for authenticating requests in API v2.

URL

https://quickex.io/api/v1/users/delete-api-key

Authorization Required

Yes — the method is available only to authenticated users.

Headers

• Accept: application/json
• Content-Type: application/json
• Session Cookie (session_id=...)

Request Body (JSON)

{
  "apiId": 1
}

Request Example (cURL)

curl -X POST \
  'https://quickex.io/api/v1/users/delete-api-key' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  --cookie "session_id=YOUR_SESSION_ID" \
  -d '{
    "apiId": 1
  }'

Response Example (200)

true

Responses

Notes

• After deletion, the key cannot be restored. To access API v2, a new key must be generated.
• The method only accepts the key identifier (apiId) obtained from the key list (/api/v1/users/list-api-key).
• Deletion is recommended in case of key compromise or when the integration is no longer needed.

Returns the current KYC (Know Your Customer) status for the authenticated user.
This method is used to check whether the user has passed identity verification, as well as to obtain the rejection reason if verification was not successful.

URL

https://quickex.io/api/v1/users/kyc/status

Authorization Required

Yes — a valid user session is required.

Headers

• Accept: application/json
• Session cookie (access_token=...)

Parameters

None

Request Example (cURL)

curl -X GET \
  'https://quickex.io/api/v1/users/kyc/status' \
  -H 'Accept: application/json' \
  --cookie "access_token=YOUR_TOKEN"

Example Response (200)

{
  "status": "PASS",
  "rejectReason": "ID_INFO_INVALID"
}

Possible status values

• PENDING — document verification in progress.
• PASS — verification successfully completed.
• REJECTED — verification rejected.

Responses

Notes

• This method only returns the status — document upload for KYC is handled by other methods.
• The rejectReason field is present only when the status is REJECTED or the verification has been denied.
• Status values can be used to display progress in the user dashboard.