
Set up a Wrapper Authentication Flow leveraging TTS Authentication Module

Written by TradeTechSolutions
Updated over 3 months ago

Overview

This guide explains how to integrate with our authentication system to programmatically create users and obtain authentication tokens. This is useful if you're building a wrapper application or need to automate user management on your platform.

The authentication flow is straightforward: register a user, log them in, and use the returned token to make authenticated API calls or auto-login users on redirect.


How Authentication Works

Our platform uses Token-based Authentication. Here's the basic flow:

  1. Register a new user — Create a user account with their email, name, and password

  2. Login — Authenticate with email and password to receive an authentication token

  3. Use the token — Include the token in subsequent API requests to act on behalf of the user, or use the token to directly log users in.

The token returned is a persistent key that remains valid until explicitly revoked; it does not expire on its own. You can use this token to make API calls as that user or to establish authenticated sessions in your wrapper application.


Step 1: Register a New User

To create a new user account, send a POST request to the registration endpoint.

Example Request

curl --location 'https://<backend-url>/auth/registration/' \
--header 'Content-Type: application/json' \
--data-raw '{
"full_name": "testU1",
"email": "[email protected]",
"password": "test@1291",
"confirm_password": "test@1291",
"subscribe": true,
"password1": "test@1291",
"password2": "test@1291"
}'

The request carries the password in two field pairs (password/confirm_password and password1/password2). Give all four the same value so the account is created with the password you intend, whichever pair the backend validates.

Successful Response

When registration succeeds, you'll receive a response containing the authentication token:

{
"key": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
}

The key field contains the authentication token for the newly created user. Store this token securely — it provides full access to the user's account.

Error Response

If registration fails (e.g., email already exists), you'll receive an error:

{
"email": ["Email address already in use"]
}


Step 2: Login an Existing User

If the user already has an account, authenticate them using the login endpoint to obtain their token.

Example Request

curl -X POST "https://<backend-url>/auth/login/" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "SecurePassword123!"
}'

Successful Response

{
"key": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
}

Error Responses

Invalid credentials:

{
"non_field_errors": ["Unable to log in with provided credentials."]
}

Blocked account:

{
"non_field_errors": ["Your account has been blocked. Please contact support."]
}


Step 3: Using the Authentication Token

Once you have the token, you can use it in two ways:

Option A: Making Authenticated API Calls

Include the token in the Authorization header for any API request:

curl -X GET "https://<backend-url>/<api-endpoint>/" \
-H "Authorization: Token a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0" \
-H "Content-Type: application/json"

Important: The header format must be exactly Authorization: Token <your-token> (the word "Token", a single space, then the token value; no "Bearer" prefix).

Option B: Auto-Login Redirect ("Session Hijacking") for Wrapper Applications

If you're building a wrapper application and want users to seamlessly access our trader dashboard without logging in twice, you can use the token to construct a direct login URL. Despite the name, this is not an attack on an existing session: it is the platform's own auto-login mechanism, and the "hijack URL" is simply a redirect that carries the user's token.

Once you have the user's authentication token (from registration or login), redirect them to:

Example:

When users visit this URL, they will be automatically authenticated and logged into the trader dashboard — no additional login required on our end.

How to use this in your application:

  1. User logs into your platform (your own authentication)

  2. Behind the scenes, your backend calls our /auth/login/ endpoint (or /auth/registration/ for a first-time user) with the user's credentials

  3. Store the returned token server-side, keyed to your own user record. Because the token is persistent, this call is only needed once per user; do not retain the user's password for repeat logins

  4. When the user clicks "Go to Dashboard" or similar, redirect them to the hijack URL with their token

This creates a seamless single sign-on experience where users only need to authenticate once on your platform, and they're automatically logged into ours.

Security Note: The hijack URL carries the token itself, so treat the URL as a bearer credential. Generate it server-side at the moment of redirect, issue it as an HTTPS redirect response, and never persist it. Do not expose the token in client-side JavaScript, store it in cookies accessible to the browser, or place it in links that might be logged, bookmarked or shared; a URL containing the token will also land in the user's browser history and can be sent as a Referer header to any third-party resource loaded from the landing page.
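The whole flow described on this page (Step 1 registration, Step 2 login as the fallback for an existing email, Step 3 Option A headers, and the wrapper procedure above, including the 401 handling from the best-practices section) as one added example in Python. This is not TradeTechSolutions' code. It assumes only what the page shows: the two endpoints, the JSON bodies, the "Token <key>" header, and that a revoked token answers 401. The HTTP status codes (201/200/400), the 401 body "Invalid token.", the /api/profile/ path, and the class and function names (TTSAuthClient, FakeBackend, urllib_transport) are assumptions for illustration; FakeBackend is a constructed offline stand-in so the flow can be exercised without the real backend. The hijack URL is not built here because the page does not give its format.

```python
"""Wrapper-side client for the register / login / token flow on this page.

Added example, not TradeTechSolutions' code. Assumes only the endpoints, JSON
shapes and "Token <key>" header shown on the page, plus 401 for a revoked token.
The transport is injected so the flow runs offline against FakeBackend (a
constructed stand-in); urllib_transport is the production transport.
"""
import hashlib
import json
import urllib.error
import urllib.request


class TokenRevoked(Exception):
    """The backend returned 401: the stored token is no longer valid."""


class TTSAuthClient:
    def __init__(self, backend_url, transport):
        self.backend_url = backend_url.rstrip("/")
        self._transport = transport   # transport(method, url, headers, body) -> (status, json)
        self._tokens = {}             # local_user_id -> TTS token, kept server-side only

    def _post(self, path, payload, token=None):
        headers = {"Content-Type": "application/json"}
        if token is not None:
            headers["Authorization"] = "Token " + token   # exact format required by the page
        return self._transport("POST", self.backend_url + path, headers, payload)

    def login(self, email, password):
        """Step 2: exchange credentials for the persistent token."""
        _, body = self._post("/auth/login/", {"email": email, "password": password})
        if "key" in body:
            return body["key"]
        # both documented failures (bad credentials, blocked account) arrive as non_field_errors
        raise PermissionError(body.get("non_field_errors", [json.dumps(body)])[0])

    def provision(self, local_user_id, full_name, email, password, subscribe=False):
        """Step 1, falling back to Step 2 for an existing email; only the token is retained."""
        _, body = self._post("/auth/registration/", {
            "full_name": full_name, "email": email, "subscribe": subscribe,
            # the page's request carries the password in two pairs; give all four one value
            "password": password, "confirm_password": password,
            "password1": password, "password2": password,
        })
        if "key" not in body:
            if "email" not in body:            # some other validation error: surface it
                raise ValueError(body)
            body = {"key": self.login(email, password)}   # "Email address already in use"
        self._tokens[local_user_id] = body["key"]
        return body["key"]

    def call(self, local_user_id, path, payload):
        """Step 3 option A: an authenticated API call on the user's behalf."""
        status, body = self._post(path, payload, token=self._tokens[local_user_id])
        if status == 401:
            del self._tokens[local_user_id]    # token revoked: force a fresh login next time
            raise TokenRevoked(path)
        return body


def urllib_transport(method, url, headers, body):
    """Production transport: refuses plain http so the token never leaves TLS."""
    if not url.startswith("https://"):
        raise ValueError("tokens must only be sent over HTTPS")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class FakeBackend:
    """Constructed offline stand-in reproducing the responses shown on this page."""
    def __init__(self):
        self.users = {}        # email -> (password, token)
        self.blocked = set()
        self.revoked = set()

    def __call__(self, method, url, headers, body):
        path = "/" + url.split("/", 3)[3]
        if path == "/auth/registration/":
            if body["email"] in self.users:
                return 400, {"email": ["Email address already in use"]}
            token = hashlib.sha1(body["email"].encode()).hexdigest()   # 40 hex chars, like the sample
            self.users[body["email"]] = (body["password1"], token)
            return 201, {"key": token}
        if path == "/auth/login/":
            rec = self.users.get(body["email"])
            if rec is None or rec[0] != body["password"]:
                return 400, {"non_field_errors": ["Unable to log in with provided credentials."]}
            if body["email"] in self.blocked:
                return 400, {"non_field_errors": ["Your account has been blocked. Please contact support."]}
            return 200, {"key": rec[1]}
        # every other endpoint requires a valid, unrevoked token in the Authorization header
        auth = headers.get("Authorization", "")
        token = auth[len("Token "):] if auth.startswith("Token ") else None
        if token not in {t for _, t in self.users.values()} - self.revoked:
            return 401, {"detail": "Invalid token."}   # assumed body; the page documents only the 401
        return 200, {"echo": body}
```

In production, construct the client with urllib_transport and persist the contents of _tokens in your own user store instead of a dict; the point of provision() is that the user's TTS password is used once and then discarded, because the token itself is the long-lived credential.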


Security Best Practices

Token Storage — Store tokens securely on your server. Never expose tokens in client-side code, URLs, or logs.

HTTPS Only — Always make API calls over HTTPS. Never send tokens over unencrypted connections.

Token Scope — Each token provides full access to that user's account. Treat tokens with the same level of security as passwords.

Error Handling — Tokens do not expire on their own, but they can be revoked. If you receive a 401 Unauthorized response, discard the stored token, obtain a fresh one through /auth/login/, and retry; do not keep retrying with the same token.

