SSL Certificate Whitelisting

When integrating with StoneX APIs, your developers may need to whitelist SSL certificates used by our endpoints to ensure secure connectivity. This guide outlines how to retrieve and validate the certificates used by StoneX APIs and provides best practices for monitoring and trust store configuration.

API Endpoints and Certificate Retrieval

StoneX APIs are hosted behind Cloudflare, which manages SSL/TLS termination. The certificates presented may vary slightly depending on the endpoint and client environment.


Production & Sandbox URLs

Sandbox: https://api.sandbox.payments.stonex.com/livez
Prod: https://fx-api.payments.stonex.com/livez

Developers can inspect the SSL certificates by visiting these URLs in a browser and downloading the certificate chain directly.

Certificate Authority (CA) Information


StoneX uses certificates issued by Google Trust Services (GTS). The full list of root and intermediate certificates can be found at: https://pki.goog/repository/

This includes:

GTS Root R1, R2, R3, R4
Subordinate CAs such as WR1, WE1

Ensure all relevant certificates are added to your trust store to avoid connectivity issues.


Mismatch in Certificate Names: Some developers have reported seeing different certificate names (e.g. GTS Root R4 vs WR1) depending on whether they access the API via browser or server. This is expected due to Cloudflare’s dynamic certificate handling and does not impact functionality.
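
A monitoring check for the trust store and issuer-name points above, as an added example that is not StoneX's own code: it completes a fully verified handshake, then flags a leaf whose issuer is outside Google Trust Services or which is close to expiry. The names in `EXPECTED_ISSUER_CNS` are the examples given on this page; the 14-day threshold, the function names and `SAMPLE_CERT` are assumptions made for illustration.

```python
import socket
import ssl
import time

# Assumption: the intermediates this page names. The page says "such as", so an
# unlisted name is a prompt to review the chain, not proof of a problem.
EXPECTED_ISSUER_CNS = {"WR1", "WE1"}
EXPECTED_ISSUER_ORG = "Google Trust Services"
RENEWAL_WARNING_DAYS = 14  # hypothetical alert threshold


def fetch_leaf_cert(host, port=443, cafile=None):
    """Verify chain and hostname, then return the leaf as a getpeercert() dict."""
    # cafile=None uses the system trust store; pass a PEM bundle of the GTS
    # roots to confirm that a restricted trust store still validates the chain.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_fields(cert):
    # The issuer arrives as a tuple of RDNs, each a tuple of (name, value) pairs.
    return {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}


def review_cert(cert, now=None):
    """Return a list of findings for one leaf certificate (empty means OK)."""
    now = time.time() if now is None else now
    issuer = issuer_fields(cert)
    findings = []
    if not issuer.get("organizationName", "").startswith(EXPECTED_ISSUER_ORG):
        findings.append("issuer organization is not Google Trust Services")
    elif issuer.get("commonName") not in EXPECTED_ISSUER_CNS:
        findings.append(f"unlisted GTS issuer: {issuer.get('commonName')}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"leaf expires in {days_left:.0f} days")
    return findings


# Constructed sample in getpeercert() format so the check can run offline.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Google Trust Services"),),
               (("commonName", "WE1"),)),
    "notAfter": "Sep 30 00:00:00 2025 GMT",
}

if __name__ == "__main__":  # live check against the sandbox host from this page
    print(review_cert(fetch_leaf_cert("api.sandbox.payments.stonex.com")))
```

Because the handshake itself validates against the trust store, a failure in `fetch_leaf_cert` with a restricted `cafile` points at a missing root, while findings from `review_cert` point at a change in what is being served.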


IP Whitelisting

Our API traffic is routed through Cloudflare and is not hosted on a fixed IP address.

If you need to whitelist our IP addresses on your network, whitelist the IP ranges that Cloudflare publishes here:

https://www.cloudflare.com/en-gb/ips/