Single Sign-On (SSO) Integration Guide for External Applications
Single Sign-On (SSO) process between external applications and the MTT platform.
The SSO mechanism is designed for the external application → MTT platform login flow, not the other way around.
We have added this endpoint to the Broker-API to support external integrations that do not store or manage user passwords.
This endpoint allows generating a One-Time Token (OTT), which lets a user log in to the platform without needing their password.
This solution enables seamless redirection of an authenticated user from an external application (e.g. Client Office) to the platform without re-entering their trading credentials.
Security Requirements
Access to this endpoint is protected on two levels:
- Your API Key must have the rights enabled to call this endpoint (API ACCESS → Create One Time Token for Login).
- The IP address used for the request must be whitelisted by our Support Team.
Endpoint Details
Method: POST
Path: /v1/one-time-token
Parameters:
- email - the user’s email address (the account you want to generate the token for)
- validityTime - token expiration time in seconds
Example cURL
curl --location '{baseURL}/v1/one-time-token' \
--header 'Content-Type: application/json' \
--header 'Authorization: {APIKey}' \
--data-raw '{
"email": "test@match-trade.com",
"validityTime": 30
}'
Demo environment details:
- baseURL: https://broker-api-demo.match-trader.com/
- APIKey: XXX
Demo platform test credentials
- Login: test@match-trade.com
- Password: abcd1234
How to Test the One-Time Token
After generating a token, open this link in your browser:
{platformURL}/?auth={oneTimeToken}
On the demo platform:
https://mtr-demo-prod.match-trader.com/?auth={oneTimeToken}
This will automatically log in the user associated with the given email.
Example Scenarios
- Valid login: You generate a token valid for 30 seconds and log in within that time → login works.
- Expired token: You generate a token valid for 30 seconds but try after it expires → token is invalid. Generate a new token and repeat.
- Regenerated token: You generate a token valid for 1 hour, but then issue a new token valid for 15 minutes → the first token becomes invalid, and only the latest one works.
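Server-side sketch of the flow above, added here as an example and not taken from the Broker-API or its SDKs. The function names, the 60-second cap and the choice of Python are assumptions. The response layout is not shown in this guide, so the code returns the parsed response and leaves token extraction to the caller.

```python
import json
import urllib.parse
import urllib.request

MAX_VALIDITY_SECONDS = 60  # assumption: this application's own cap, not a platform limit


def build_ott_request(base_url, api_key, session_email, validity_seconds=30):
    """Build (without sending) the POST /v1/one-time-token request.

    session_email must be the address of the user already authenticated in
    the external application, never a value taken from the incoming request.
    """
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    if type(validity_seconds) is not int or not 0 < validity_seconds <= MAX_VALIDITY_SECONDS:
        raise ValueError("validityTime outside this application's policy")
    body = json.dumps({"email": session_email, "validityTime": validity_seconds})
    return urllib.request.Request(
        base_url.rstrip("/") + "/v1/one-time-token",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": api_key},
    )


def send_ott_request(request, timeout=10):
    """Send the request from the whitelisted server and return the parsed JSON.

    The response layout is not shown in this guide, so the caller extracts
    the token from the returned object.
    """
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def login_redirect_headers(platform_url, one_time_token):
    """Headers for the 302 that sends the browser to {platformURL}/?auth=..."""
    if not one_time_token:
        raise ValueError("no token to redirect with")
    location = platform_url.rstrip("/") + "/?auth=" + urllib.parse.quote(one_time_token, safe="")
    # no-store keeps the redirect, and the token in its Location, out of caches
    return {"Location": location, "Cache-Control": "no-store"}
```

Run this only on the back end whose IP address is whitelisted, so that the API key never reaches the browser.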