Single Sign-On (SSO) Integration Guide for External Applications

Single Sign-On (SSO) process between external applications and the MTT Platform.

The SSO mechanism is designed for external application → MTT platform login flow, not the other way around.

One-Time Token Endpoint

We have added this endpoint to the Broker-API to support external integrations that do not store or manage user passwords. This endpoint allows generating a One-Time Token (OTT), which lets a user log in to the platform without needing their password. For security reasons, this endpoint is not included in the public API (Broker-API) documentation.


Security Requirements

Access to this endpoint is protected on two levels:

  1. Your API Key must have the rights enabled to call this endpoint (API ACCESS → Create One Time Token for Login).
  2. The IP address used for the request must be whitelisted by our Support Team.

Endpoint Details

Method: POST
Path: /v1/one-time-token

Parameters:

  1. email - the user’s email address (the account you want to generate the token for)
  2. validityTime - token expiration time in seconds

Example cURL

curl --location '{baseURL}/v1/one-time-token' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: {APIKey}' \
  --data-raw '{ "email": "test@match-trade.com", "validityTime": 30 }'

Demo environment details:

  • baseURL: https://broker-api-demo.match-trader.com/
  • APIKey: XXX

Demo platform test credentials


How to Test the One-Time Token

After generating a token, open this link in your browser:

{platformURL}/?auth={oneTimeToken}

For example: https://mtr-demo-prod.match-trader.com/?auth={oneTimeToken}

This will automatically log in the user associated with the given email.


Example Scenarios

  1. Valid login: You generate a token valid for 30 seconds and log in within that time → login works.
  2. Expired token: You generate a token valid for 30 seconds but try after it expires → token is invalid. Generate a new token and repeat.
  3. Regenerated token: You generate a token valid for 1 hour, but then issue a new token valid for 15 minutes → the first token becomes invalid, and only the latest one works.
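
The request and login link described above, as an added Python example for a server-side integration (not code from the MTT documentation). It assumes a local policy cap on validityTime and a response field named oneTimeToken; the response body is not shown on this page, so that field name is hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Assumption: a local policy cap chosen by the integrator, not a platform limit.
MAX_VALIDITY_SECONDS = 60


def build_ott_request(base_url, api_key, email, validity_time=30):
    """Build the POST /v1/one-time-token request with the two documented parameters."""
    if not 0 < validity_time <= MAX_VALIDITY_SECONDS:
        raise ValueError("validityTime outside local policy")
    body = json.dumps({"email": email, "validityTime": validity_time}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/v1/one-time-token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": api_key},
    )


def build_login_url(platform_url, one_time_token):
    """Build {platformURL}/?auth={oneTimeToken} with the token URL-encoded."""
    token = urllib.parse.quote(one_time_token, safe="")
    return platform_url.rstrip("/") + "/?auth=" + token


def sso_redirect_url(base_url, platform_url, api_key, email,
                     token_field="oneTimeToken"):
    """Fetch a token immediately before redirecting the user's browser.

    Runs on the whitelisted server only, so the API key never reaches the
    browser. The returned URL carries a login credential in its query string:
    send it as a redirect and keep it out of application logs.
    """
    req = build_ott_request(base_url, api_key, email)
    with urllib.request.urlopen(req, timeout=10) as resp:
        payload = json.load(resp)
    # token_field is hypothetical; adjust to the actual response body.
    return build_login_url(platform_url, payload[token_field])
```

Because issuing a new token invalidates the previous one (scenario 3), call sso_redirect_url once per login attempt rather than pre-generating tokens for a user.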