Authentication
The Enterprise API uses Bearer-token authentication. Tokens are issued from t1.ordertune.com — we never email them, never expose them in URLs, and never let you view a plaintext token twice.
Token format
Every token follows the pattern:

```
ot_live_<43-char-base64url>
```

- ot_live_ is a fixed prefix that identifies the token type at a glance in logs and code reviews.
- The 43-char body is 32 random bytes encoded as URL-safe base64 without padding, which is 256 bits of entropy.
Example (do not use):

```
ot_live_EVAzyg7GVsUALzOODDnc4U8YDbhgjGVf22ebiedwdcM
```

Treat tokens like passwords. Anyone with the plaintext can act as your account. Rotate immediately if a token leaks.
How the server stores it
The plaintext token never touches our database. We store:

- A SHA-256 hash of the plaintext, used to look up the key on each request
- A short display prefix (the fixed ot_live_ prefix plus the first 8 characters of the body, e.g. ot_live_EVAzyg7G…) shown in your Settings UI so you can identify keys
- Status, label, creation timestamp, last-used timestamp, and last-used IP

A plain, unsalted SHA-256 is sufficient here, unlike for passwords: the body is 256 random bits, so a leaked table of hashes cannot be brute-forced back to tokens.
If you lose a token, generate a new one — we cannot recover or re-display it.
Generating a key
- Sign in to t1.ordertune.com.
- Go to Settings → API Keys (this tab is visible only on the Enterprise tier).
- On first use, accept the API Terms of Use.
- Click Generate key and give it a label (e.g. prod, staging, or the host that will use it).
- A modal shows the plaintext token once. Copy it into your secrets store immediately and close the modal.
You can have multiple active keys per account. Common patterns:
- One per environment (prod, staging)
- One per host or service
- One per fund or strategy bucket inside your firm
Sending the token
Use the Authorization header:

```
curl -H "Authorization: Bearer ot_live_..." \
  https://t1.ordertune.com/api/enterprise/v1/strategies
```

No other auth method is supported: no query-string tokens, no Basic auth, no cookies.

In scripts, read the token from your secrets store or an environment variable rather than typing it literally on the command line, where it ends up in shell history and is visible to other local users in the process list.
Revoking a key
In Settings → API Keys, click Revoke next to the key. You can choose:

- Revoke immediately: the next request with this token returns 401.
- Revoke with 24h grace: the token keeps working for 24 hours, then becomes invalid. Use this if you suspect a leak but cannot rotate your integration that instant.

Note that a grace period keeps the token valid for whoever holds the leaked copy as well. Where you can, generate the replacement key first, cut your integration over to it, and then revoke the old key immediately.
Revoked tokens cannot be reinstated. Generate a new one if you change your mind.
Automatic revocation on tier change
If your account is downgraded from the Enterprise tier (for example because the contract ends), all active and grace-period tokens are revoked immediately. You will see this in your audit log as tier_downgrade_revoked events.
Last-used tracking
Every successful authentication updates last_used_at and last_used_ip on the key. Use this to:
- Identify unused keys safe to rotate
- Notice if a key is in use from an unexpected IP
- Confirm your integration is actually pinging us before debugging on our side
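The whole lifecycle described on this page (token format, what the server stores, Bearer-only authentication, immediate and grace revocation, revocation on tier downgrade, and last-used tracking) modelled server-side in Python. This is an added example, not OrderTune's code: KeyStore, KeyRecord, the status strings and the in-memory dict and audit list are hypothetical stand-ins for the real database and audit log, and the timestamps and IPs in the demo are constructed.

```python
"""Server-side model of the API-key lifecycle on this page (added example, hypothetical names)."""
import base64
import hashlib
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

PREFIX = "ot_live_"
BODY_BYTES = 32  # 256 bits of entropy -> 43 base64url chars without padding
TOKEN_RE = re.compile(r"^ot_live_[A-Za-z0-9_-]{43}$")
HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo


def mint_token() -> str:
    """Fixed prefix + 32 random bytes as URL-safe base64 with the '=' padding stripped."""
    body = base64.urlsafe_b64encode(secrets.token_bytes(BODY_BYTES)).rstrip(b"=")
    return PREFIX + body.decode("ascii")


def token_digest(token: str) -> str:
    """The only form of the token the database keeps. Plain SHA-256 is enough
    because a 256-bit random token cannot be guessed offline, unlike a password."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def display_prefix(token: str) -> str:
    """Fixed prefix plus the first 8 body characters, as shown in the Settings UI."""
    return token[: len(PREFIX) + 8] + "…"


@dataclass
class KeyRecord:
    digest: str                  # SHA-256 of the plaintext; the lookup key
    prefix: str                  # e.g. ot_live_EVAzyg7G…
    label: str
    created_at: datetime
    status: str = "active"       # active | grace | revoked; never back to active
    revoke_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None
    last_used_ip: Optional[str] = None


class KeyStore:
    """In-memory stand-in for the key table and audit log (hypothetical)."""

    def __init__(self) -> None:
        self.by_digest: Dict[str, KeyRecord] = {}
        self.audit: List[Tuple[str, str]] = []   # (event, display prefix)

    def create(self, label: str, now: datetime) -> Tuple[str, KeyRecord]:
        token = mint_token()
        rec = KeyRecord(token_digest(token), display_prefix(token), label, now)
        self.by_digest[rec.digest] = rec
        self.audit.append(("created", rec.prefix))
        return token, rec            # plaintext is handed out once and not kept

    def authenticate(self, headers: Dict[str, str], client_ip: str,
                     now: datetime) -> Optional[KeyRecord]:
        """Accept only 'Authorization: Bearer <token>'; None means 401."""
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not TOKEN_RE.fullmatch(credential):
            return None              # Basic auth, cookies, malformed tokens: reject
        rec = self.by_digest.get(token_digest(credential))
        if rec is None or rec.status == "revoked":
            return None
        if rec.status == "grace" and now >= rec.revoke_at:
            rec.status = "revoked"   # grace window has run out
            return None
        rec.last_used_at, rec.last_used_ip = now, client_ip   # last-used tracking
        return rec

    def revoke(self, rec: KeyRecord, now: datetime, grace_hours: int = 0) -> None:
        """Immediate revoke, or keep working for grace_hours and then die. No undo."""
        if rec.status == "revoked":
            return
        if grace_hours > 0:
            rec.status, rec.revoke_at = "grace", now + grace_hours * HOUR
        else:
            rec.status, rec.revoke_at = "revoked", now
        self.audit.append(("revoked", rec.prefix))

    def tier_downgrade(self, now: datetime) -> None:
        """Enterprise tier lost: every active and grace-period key is revoked at once."""
        for rec in self.by_digest.values():
            if rec.status in ("active", "grace"):
                rec.status, rec.revoke_at = "revoked", now
                self.audit.append(("tier_downgrade_revoked", rec.prefix))


if __name__ == "__main__":
    store = KeyStore()
    token, rec = store.create("prod", T0)
    print("shown once:", token)
    print("stored:", rec.prefix, rec.digest[:16] + "...")
    hdr = {"Authorization": f"Bearer {token}"}
    print("auth ok:", store.authenticate(hdr, "203.0.113.7", T0) is rec)
    store.revoke(rec, T0, grace_hours=24)
    print("23h later still valid:", store.authenticate(hdr, "203.0.113.7", T0 + 23 * HOUR) is rec)
    print("24h later rejected:", store.authenticate(hdr, "203.0.113.7", T0 + 24 * HOUR) is None)
```

The record is keyed by the digest, so the server never performs an equality comparison against a stored plaintext; a database dump yields only hashes and display prefixes. The grace state is checked lazily at authentication time, which is enough for correctness but a real deployment would also sweep expired grace keys so the Settings UI shows them as revoked.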