A.4 Screen URL Conventions & Query Parameters

Standardized URL patterns and query parameters ensure consistent behavior across all SSO (OAuth) screens and InApp actions. This section defines the conventions for URL structure, parameter handling, and screen integration.

URL Structure Standards

Base URL Requirements

All SSO (OAuth) screens must be hosted at consistent endpoints relative to the broker's CRM URL:

Base Pattern: https://brokerCrmUrl.com/
Consistency: Avoid mixing domains (e.g., broker.com and my.broker.com)
SSL Required: All URLs must use HTTPS protocol

Screen URL Patterns

Login/Signup Screen

https://brokerCrmUrl.com/auth/login

Trading Account Creation

https://brokerCrmUrl.com/account/create

InApp Action Screens

https://brokerCrmUrl.com/inapp/{action}

Success/Callback URLs

https://brokerCrmUrl.com/callback/success

Mandatory Query Parameters

Core Parameters

Parameter	Screen(s)	Required?	Data Type	Description
`token`	InApp actions	Yes	`string`	The OT token required for authorisation.
`account`	InApp actions	Yes (deposits/withdrawals); No (others)	`integer`	The number of a specific trading account linked to the user.

Optional Query Parameters

Display and Behavior Parameters

Parameter	Screen(s)	Required?	Data Type	Description
`lang`	All screens	No	`string`	The language of the device OS. Takes Alpha-2 (ISO 369-2) codes.
`source`	All screens	No	`string`	Application type: `"Web"`, `"Android"`, `"iOS"`, `"MacOS"`, `"Desktop"`.
`theme`	All screens	No	`string`	Preferred colour scheme: `"light"` or `"dark"`.
`firstLogin`	Login/signup	No	`boolean`	Flag for first login attempt on current device.
`partnerId`	Login/signup	No	`string`	Email assigned as partner identifier to user/account.

UTM Tracking Parameters

Parameter	Screen(s)	Required?	Data Type	Description
`utm_source`	All screens	No	`string`	Source channel for user transfer to OAuth screen.
`utm_medium`	All screens	No	`string`	Content type that encouraged user to click link.
`utm_campaign`	All screens	No	`string`	Marketing campaign name for user transfer.
`utm_term`	All screens	No	`string`	Keyword that user engaged with for transfer.
`utm_gclid`	All screens	No	`string`	Google Click identifier for transferred user.

Parameter Implementation Guidelines

Language Parameter (`lang`)

Format: Alpha-2 (ISO 369-2) codes (e.g., en, es, fr)
Usage: Display forms and screens in appropriate language
Fallback: Use default broker language if parameter invalid
Storage: Store user language preference in CRM for future sessions

Source Parameter (`source`)

Values: "Web", "Android", "iOS", "MacOS", "Desktop"
Usage: Adjust screen design for different device types
Responsive Design: Implement mobile-first responsive layouts
Feature Detection: Adapt UI capabilities based on source platform

Theme Parameter (`theme`)

Values: "light", "dark"
Usage: Maintain consistent design with trading application
CSS Variables: Implement theme switching via CSS custom properties
Persistence: Store theme preference in user profile

First Login Parameter (`firstLogin`)

Values: true, false
Usage: Differentiate between user creation and login flows
Routing: Route to appropriate page (signup vs login form)
Analytics: Track new user acquisition vs returning users

Partner ID Parameter (`partnerId`)

Format: Email address or partner identifier string
Usage: Attribute users to specific partners/IBs
Validation: Validate partner ID against broker's partner database
Attribution: Store partner attribution for commission tracking

URL Examples

https://brokerCrmUrl.com/auth/login?lang=en&source=Web&theme=light&firstLogin=true&partnerId=partner@example.com

https://brokerCrmUrl.com/auth/login?lang=es&source=iOS&theme=dark&firstLogin=false

InApp Deposit Screen

https://brokerCrmUrl.com/inapp/deposit?token=abc123&account=123456&lang=en&source=Android

KYC Screen with UTM Tracking

https://brokerCrmUrl.com/inapp/kyc?token=xyz789&lang=fr&utm_source=email&utm_campaign=kyc_reminder

Screen Requirements

Frontend Implementation

Browser Controls: Screens must not include browser navigation controls
Responsive Design: Must work on mobile and desktop layouts
Loading Performance: Screen loading times ≤ 3 seconds on common connections
Error Handling: Graceful handling of missing or invalid parameters

Content Requirements

Platform References: No mentions of other trading platforms except cTrader
Legal Entities: Display correct legal entities and jurisdictions
No Pop-ups: Avoid pop-up messages on any screen
Clean UI: Organized layout without unnecessary UI elements

Integration Requirements

Parameter Acceptance: All screens must accept required and optional parameters
Content Adaptation: Modify page content based on parameter values
Callback Handling: Implement proper success/failure callback mechanisms
Token Validation: Validate OT tokens for InApp actions

Security Considerations

Parameter Validation

Input Sanitization: Sanitize all query parameters
Length Limits: Implement reasonable parameter length restrictions
Format Validation: Validate parameter formats before processing
SQL Injection: Use parameterized queries for database operations

Token Security

Token Validation: Always validate OT tokens before processing
Token Expiration: Check token expiration and one-time usage
Secure Storage: Never log or store tokens in client-side code
HTTPS Only: Always use HTTPS for token transmission

Error Handling

Missing Parameters

Response: HTTP 400 Bad Request
User Action: Display appropriate error message with guidance
Fallback: Use default values for non-critical parameters

Invalid Parameters

Response: HTTP 400 Bad Request
User Action: Show validation error with correction guidance
Logging: Log invalid parameter attempts for security monitoring

Token Issues

Invalid Token: HTTP 401 Unauthorized
Expired Token: HTTP 401 Unauthorized with specific message
Used Token: HTTP 401 Unauthorized indicating one-time usage

Testing Requirements

Parameter Testing

Test with all valid parameter combinations
Test missing required parameters
Test invalid parameter values
Test parameter encoding and special characters

Cross-Platform Testing

Test on all supported source platforms
Verify responsive design on different screen sizes
Test theme switching functionality
Validate language display and content

These URL conventions ensure consistent, secure, and user-friendly integration across all SSO (OAuth) screens and InApp actions.

URL Structure Standards​

Base URL Requirements​

Screen URL Patterns​

Login/Signup Screen​

Trading Account Creation​

InApp Action Screens​

Success/Callback URLs​

Mandatory Query Parameters​

Core Parameters​

Optional Query Parameters​

Display and Behavior Parameters​

UTM Tracking Parameters​

Parameter Implementation Guidelines​

Language Parameter (lang)​

Source Parameter (source)​

Theme Parameter (theme)​

First Login Parameter (firstLogin)​

Partner ID Parameter (partnerId)​

URL Examples​

Login Screen with Parameters​

Mobile Login Screen​

InApp Deposit Screen​

KYC Screen with UTM Tracking​

Screen Requirements​

Frontend Implementation​

Content Requirements​

Integration Requirements​

Security Considerations​

Parameter Validation​

Token Security​

Error Handling​

Missing Parameters​

Invalid Parameters​

Token Issues​

Testing Requirements​

Parameter Testing​

Cross-Platform Testing​