Account creation
Open cooud.exchange/sign-up and provide a valid email, a strong password (minimum 12 characters, at least one symbol), and your country of residence. The country selector enforces the same restricted-jurisdiction list described in the Terms of Service; if your country is restricted, account creation is blocked at submit.
On success the API issues a short-lived session cookie and a CSRF token. The session is bound to your browser fingerprint via FingerprintJS Pro — sessions resumed from a materially different device profile are challenged with step-up auth. See the cookie model described in RFC 0004 — Auth, sessions, CSRF.
One natural person — one account. Duplicate accounts detected via shared KYC documents, device fingerprints, or payout addresses will be merged or closed at our discretion.
Verifying your email
Immediately after sign-up we send a verification link to the address on file. The link carries a single-use token that expires after 30 minutes. Until you verify, you can browse market data and the dashboard, but you cannot deposit, trade, or withdraw.
If the verification email does not arrive within a few minutes, check spam, then use the “Resend verification email” control in your account settings. We rate-limit resends to one every 60 seconds and five per hour.
Two-factor authentication
2FA is optional for browsing but mandatory for withdrawals, API key creation, and any sensitive setting change. Cooud supports TOTP via any RFC 6238-compliant authenticator (1Password, Authy, Google Authenticator, Bitwarden) and WebAuthn / passkeys for phishing-resistant step-up.
Enrolling a TOTP authenticator
- Open Settings → Security → Two-factor authentication.
- Scan the QR code with your authenticator app. The shared secret is displayed once; copy it into a password manager before continuing.
- Enter the current 6-digit code to confirm enrolment. We store an HMAC of the secret, never the secret itself.
- Save the 10 recovery codes shown on the confirmation screen. Each is single-use and replaces a TOTP step-up exactly once.
Adding a passkey
Under the same settings panel, click Add passkey and follow your browser's WebAuthn prompt. Passkeys can be synced across your devices (iCloud Keychain, 1Password, Google Password Manager) and act as both an authentication factor and a recovery signer for smart-wallet accounts. See Smart wallet for the recovery model.
Your first deposit
Cooud generates a unique deposit address per (user, asset, chain) tuple. Addresses are derived from a BIP-44 HD wallet for EVM assets and BIP-84 for native BTC; see Custody & withdrawals for the derivation paths.
To deposit USDT on Ethereum, for example:
- Navigate to Wallet → Deposit and select USDT as the asset and Ethereum as the chain.
- Copy the address (or scan the QR). Send any amount from your external wallet. There is no minimum deposit, but the network gas on send is yours.
- Watch the confirmation counter on the deposit row. Funds become spendable after the chain-specific threshold (12 confirmations for Ethereum mainnet).
To inspect your balance over the REST API:
curl -H "Authorization: Bearer $TOKEN" \
  https://api.cooud.exchange/v1/wallet/balances
A response includes both confirmed and pending balances per asset, so you can render an “incoming” chip in your own UI.
Placing your first order
Open Trade → BTC/USDT. The order ticket on the right accepts LIMIT, MARKET, and STOP_LIMIT orders; full type reference lives in Trading & matching.
Submit a small LIMIT buy via the API:
curl -X POST https://api.cooud.exchange/v1/orders \
-H "Authorization: Bearer $TOKEN" \
-H "Idempotency-Key: $(uuidgen)" \
-H "Content-Type: application/json" \
-d '{
"symbol": "BTC/USDT",
"side": "buy",
"type": "limit",
"price": "61500.00",
"size": "0.0005",
"tif": "GTC"
}'
The Idempotency-Key header is required on all mutating calls. Retrying a request with the same key always returns the original response, never a duplicate order. The full idempotency model is documented under API reference.
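The retry behaviour described above, as an added example (not Cooud's own code): the key is generated once per logical order and reused on every attempt, because an inline `$(uuidgen)` evaluated inside a retry loop would produce a fresh key each time and lose the duplicate protection. The function names, retry policy and backoff are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Cooud docs. Assumed here: function names,
# the retry policy (3 attempts; retry on transport error or HTTP 5xx)
# and the backoff. Endpoint and headers are the ones shown above.
API_BASE="https://api.cooud.exchange/v1"

# One key per logical order, generated BEFORE the first attempt.
new_idempotency_key() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen
  else
    cat /proc/sys/kernel/random/uuid   # Linux fallback
  fi
}

# send_order KEY BODY: prints the HTTP status code (000 on transport error).
send_order() {
  curl -sS -o /dev/null -w '%{http_code}' -X POST "$API_BASE/orders" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Idempotency-Key: $1" \
    -H "Content-Type: application/json" \
    -d "$2"
}

# submit_order BODY [SENDER]: retries with the SAME key and prints the
# final status. SENDER defaults to send_order; a stub can be passed for tests.
submit_order() {
  body=$1
  sender=${2:-send_order}
  key=$(new_idempotency_key)
  attempt=1
  while [ "$attempt" -le "${MAX_ATTEMPTS:-3}" ]; do
    status=$("$sender" "$key" "$body") || status=000
    case $status in
      000|5??)   # outcome unknown: the order may or may not have been accepted
        sleep "${BACKOFF:-1}"
        attempt=$((attempt + 1)) ;;
      *)         # 2xx or 4xx is a definitive answer; stop retrying
        echo "$status"
        return 0 ;;
    esac
  done
  echo "$status"
  return 1
}
```

With `TOKEN` exported, call it as `submit_order "$ORDER_JSON"`; a non-zero exit means every attempt ended in a transport error or 5xx.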
Orders match internally first against other Cooud users. If no counterparty exists in the book, the order rests until cancelled, filled, or its time-in-force expires.
Withdrawing
Withdrawals walk through a fixed gate chain before they are signed and broadcast. The chain is enforced atomically — a failure at any gate aborts the request and refunds the held balance.
- KYC tier check. Your current tier must allow the requested amount. Tier 1 is sufficient for small daily withdrawals; tier 2 is required above the daily cap.
- 2FA challenge. Every withdrawal triggers a TOTP or passkey prompt. The challenge is bound to the withdrawal payload — you cannot reuse a code across requests.
- Address screening. The destination is screened against TRM Labs and Chainalysis sanction and risk lists. High-risk hits block the withdrawal; the full list lives under Withdrawal gates.
- Velocity check. Per-asset 24-hour rolling caps. Sudden spikes above your historical baseline trigger a soft hold for manual review.
- Broadcast. Approved withdrawals are signed by the hot-wallet signer and broadcast. The transaction hash appears on the withdrawal row within seconds of broadcast.
That's the full happy path. Continue to API reference for the complete REST and WebSocket surface, or jump to Smart wallet if you want to skip custody entirely and run a self-custodial ERC-4337 account.

