API Layer & Hosting Strategy

Our API infrastructure is built to support secure, scalable external integrations while promoting efficiency, collaboration, and future-proof growth.

API Architecture and Protocols

We utilize RESTful APIs exclusively, designed around standard HTTP methods with JSON as the primary data exchange format. This ensures wide compatibility, simplicity, and ease of integration for external partners and internal consumers.

Authentication and Authorization

We implement strict access control mechanisms to secure all endpoints:

• OAuth 2.0 - Employed for external partner authentication (Google), supporting delegated authorization.

• JWT (JSON Web Tokens) - Used for stateless authentication across client applications, securely carrying identity and access claims.

• 2FA Integration - Two-Factor Authentication is required for all sensitive actions, enhancing security beyond password-based logins.

• API Keys (Internal Use Only) - Admin-level internal API calls are secured with scoped API keys, never exposed to external systems.

API Security and Management

To maintain reliability and prevent misuse, we enforce key security and usage practices:

• HTTPS Only - All endpoints are TLS-secured to protect data in transit.

• Rate Limiting & Throttling - Request quotas are enforced to mitigate abuse and ensure system stability.

• Input Validation & Sanitization - Every input payload is rigorously checked to prevent injection and malformed data attacks.

Documentation & Developer Experience

We prioritize clarity and a smooth onboarding process for integrators:

• OpenAPI / Swagger Specifications - All APIs are fully documented using the OpenAPI standard, providing up-to-date reference material, code samples, and compatibility with tools like Swagger UI and Postman.

• Postman Collections - Ready-to-use request sets for testing and onboarding new/external developers.

Multi-Region Hosting Strategy

• Primary Region – UAE North (Dubai). Microsoft Azure region with three availability zones, offering in-country data residency for VARA/DFSA-regulated activities and Near-Zero-Latency service to Gulf investors.

• Secondary Region – West Europe (Netherlands). Azure’s Amsterdam-Schiphol campus delivers GDPR-aligned processing for EEA clients and acts as the paired site for cross-region resilience.

• Topology. Active-active for low-latency trading functions; active-passive for analytics workloads. Azure Front Door directs users to the nearest healthy region, with automatic failover in < 60 s.