User Authentication

This guide explains how external apps integrate with League of Traders (LOT) to obtain a user access token and verify it.

Prerequisites

  • app_id (client_id) — request this from us. Contact us directly to register your app and share your logo and redirect (return) URLs.
  • return_url — for local testing you can use any localhost. For production, you must register allowed return URLs with us (contact us).

1) Launch LOT Auth from your app

Add a button/link on your site/app that opens:

https://leagueoftraders.io/auth?app_id=<app_id>&return_url=<return_url>

Example HTML:

<a href="https://leagueoftraders.io/auth?app_id=YOUR_APP_ID&return_url=https%3A%2F%2Fyour.app%2Foauth%2Flot%2Fcallback">
  Connect League of Traders
</a>

2) Handle the return_url (receive access token)

After the user completes auth, LOT redirects the browser to your return_url with an access token for that user.

  • The token is a JWT and includes:
    • sub — the LOT user id (subject).
    • username — the LOT username.
    • aud — your app id (the audience will be your app_id).
    • Other standard claims as applicable.

3) Verify the token

You can verify the token in two ways:

A. Verify locally with LOT's Ed25519 public key

  1. Fetch our public key:
    GET https://api.leagueoftraders.io/v3/app/auth/key
  2. Verify the JWT signature using Ed25519 with that public key and then validate claims (aud contains your app_id, exp/nbf/iat, etc.).

B. Ask LOT to verify (introspection)

Send the token to LOT and receive validity + claims:

GET https://api.leagueoftraders.io/v3/app/auth/token?token=<access-token>

Successful response shape:

{
  "data": {
    "is_valid": true,
    "claims": {
      "sub": "<string>",
      "username": "<string>",
      "aud": ["<YOUR_APP_ID>"]
      // ...other claims
    }
  }
}

cURL:

curl "https://api.leagueoftraders.io/v3/app/auth/token?token=${TOKEN}"

4) Production notes

  • Always check the token’s signature, expiry (exp), not-before (nbf), and that aud includes your app_id.
  • Rotate and cache the public key with sensible TTL; refetch on signature failure.
  • Treat the token as a bearer credential—store and transmit only over HTTPS.
  • Register all production return URLs with us before going live (contact us).

Where to go next

  • If you need an app_id or to register return URLs/assets, contact us.