Skip to main content

Architecture

REST/gRPC is Internet-Native

  • Public API accessible over HTTPS
  • Authentication is Private Key JWT (RSA key signatures → access token)
  • Secured cryptographically (private key signatures), not by network location
  • No VPC, PrivateLink, or IP allowlisting required
  • Designed for stateless, elastic, internet-style clients

FIX is Exchange-Native

  • Traffic terminates on dedicated FIX gateways via AWS PrivateLink
  • Access is gated by AWS account allowlisting
  • Authentication is FIX session identity (SenderCompID / TargetCompID / SenderSubID)
  • Designed for long-lived, stateful connections with known counterparties
REST/gRPC relies on cryptographic identity (RSA signatures and JWTs). FIX relies on network-level trust (AWS account allowlisting via PrivateLink) + session semantics. They run on different infrastructure layers and intentionally use different trust models.

Concept Mapping

This table shows how the same concepts are represented in REST/gRPC vs FIX:
ConceptREST/gRPCFIX
Firm / participantImplicit via loginSenderCompID (49)
ExchangeREST base URLTargetCompID (56)
User / traderLogged-in userSenderSubID (50)
Trading accountImplicitAccount (1)
InstrumentSymbolSymbol (55)
Client order IDClient-generated IDClOrdID (11)
Exchange order IDReturned in responseOrderID (37)
Sidebuy / sellSide (54)
Order typeJSON fieldOrdType (40)
QuantityJSON fieldOrderQty (38)
PriceJSON fieldPrice (44)
Time in forceJSON fieldTimeInForce (59)

Authentication

REST/gRPC

Authentication is cryptographic and passwordless. User and account context is implicit once authenticated. Users authenticate by:
  1. Generating an RSA key pair during onboarding
  2. Signing a JWT with their private key
  3. Exchanging the signed JWT for an access token from Auth0
  4. Using the access token in API requests

FIX

User and account context is explicit per order. FIX does not use JWTs or passwords. Authentication is based on:
  1. AWS account allowlisting via PrivateLink
  2. FIX session identity (SenderCompID, TargetCompID)

Identity Model

REST/gRPC infers user + account from login. FIX requires them to be sent on every order.
ConceptREST/gRPCFIX
Firm identityImplicit via loginSenderCompID (49)
User / traderLogin userSenderSubID (50)
Trading accountImplicitAccount (1)
Auth scopeSession tokenFIX session
In FIX, the session itself (SenderCompID / TargetCompID) uniquely identifies the participant firm/clearing member, so symbols, accounts, and trader IDs do not need globally unique, fully qualified names the way REST resources do. REST/gRPC: Uses globally unique, fully qualified resource names (e.g., firms/{id}/accounts/{id}) FIX: Fully qualified names are not required; participant identity is scoped by the FIX session (CompIDs), and identifiers only need to be unique within that session context

Connectivity

REST/gRPC

HTTPS (REST) / HTTP streaming (gRPC). No static IP requirement. No VPC or network allowlisting. Public internet access. Single endpoint per environment.

FIX

TCP FIXT.1.1. Static IP allowlisting required. Separate sessions for:
  • Order Management
  • Drop Copy
  • Market Data

State & Reliability

AreaREST/gRPCFIX
TransportRequest/responsePersistent session
SequencingNot requiredMandatory (MsgSeqNum)
RecoveryClient retriesResendRequest / GapFill
HeartbeatsNot applicableRequired

Permissions & Validation

REST/gRPC

Permissions enforced at login. Invalid actions rejected at API layer.

FIX

Permissions enforced at:
  1. Session level
  2. User level (SenderSubID)
  3. Account level (Account)
Invalid values cause order-level rejects.

Onboarding

REST/gRPC

Self-service after initial onboarding, no network infrastructure required, cryptographically secured (RSA signatures), public internet access.
  1. Generate RSA key pairs for each environment
  2. Submit onboarding request via Google Drive to onboarding@qcex.com with public keys and signed Individual or Entity Participant Agreement
  3. Receive Client ID credentials from Polymarket
  4. Sign JWTs with private key to obtain access tokens
  5. Fund account via wire transfer (production only)

FIX

Requires AWS account and VPC setup, coordinated provisioning with exchange, uses AWS PrivateLink for private network connectivity, suited for automated trading systems and high-throughput integrations.
  1. Download and complete Individual or Entity Participant Agreement
  2. Email fix@qcex.com with firm name, AWS Account ID, and Google Drive link to documents
  3. Receive connection details from Polymarket (VPC Service Names, FIX session identifiers, user/account IDs, connection ports and DNS endpoints)
  4. Create AWS VPC Endpoint and wait for Polymarket to accept connection request
  5. Configure Private DNS and test FIX sessions (Logon, Orders, Market Data, Drop Copy)

Operational Differences

AreaREST/gRPCFIX
Who can onboardAny userExchange + client
Network setupNoneRequired
Identity setupAutomaticManual
Failure modesHTTP errorsSession / sequence errors