CoinTrade Review: Crypto Exchange Platform with Binance API

CoinTrade is a self-hosted crypto exchange platform with built-in Binance API integration. You deploy it on your own infrastructure, your users trade real crypto through your branded interface, and you keep the revenue. There's no recurring license, no per-trade royalty, and no obfuscated code. You get the full source code, ready to customize and deploy.

If you've ever priced out building a cryptocurrency exchange from scratch, you already know the numbers are brutal. Six-figure dev costs, months of architecture decisions, and a security surface area that keeps growing. So when CoinTrade — a crypto exchange platform with Binance API integration that ships as full source code — landed on my desk claiming to be production-ready, I did what any skeptical developer would do. I read every file.

Here's what I found.

What Is CoinTrade?

The model is straightforward: your platform acts as a broker layer on top of Binance's infrastructure. Users connect their own Binance API keys, execute trades through your exchange frontend, and you take a configurable cut on every fill. You never custody funds — everything stays in the user's Binance account. That alone sidesteps an enormous amount of regulatory complexity.

It ships with 17 pre-configured trading pairs (BTC, ETH, SOL, BNB, XRP, DOGE, ADA, AVAX, DOT, LINK, LTC, UNI, TRX, PEPE, SHIB against USDC, plus ETH/BTC and SOL/BTC). Adding more is a one-file edit in lib/constants.ts — each pair is a config object with symbol, precision, and minimum notional value. No database changes, no redeployment of services.

The Stack

The frontend runs on Next.js 16 with React 19, TailwindCSS 4, and Zustand 5 for state management. Charts are powered by TradingView's Lightweight Charts library — the same rendering engine behind TradingView's public charts. The backend is Fastify 5 with TypeScript, Prisma 6 for the ORM, PostgreSQL for persistent storage, and Redis for caching and session management.

That's a modern, well-understood stack. No exotic dependencies. No framework lock-in. Any mid-level TypeScript developer could navigate this codebase within a day.

The Trading Interface

This is where CoinTrade earns its keep. The main trading view is a single-page layout with five panels: candlestick chart, order book, recent trades, order form, and a blotter (open orders, order history, trade history, balances).

The chart supports 7 timeframes (1m, 5m, 15m, 30m, 1h, 4h, 1d) and there's a separate depth chart that renders bid/ask cumulative volume on canvas. The order book displays with real-time updates via WebSocket and supports configurable price aggregation levels per pair — BTC/USDC aggregates at $0.01, $0.10, $1, $10, and $100 steps, while a micro-cap like PEPE/USDC aggregates at the eighth decimal place.

Seven order types are supported: Limit, Market, Stop-Limit, Stop-Loss, Take-Profit, Take-Profit Limit, and OCO (One-Cancels-the-Other). OCO orders are handled through Binance's dedicated OCO endpoint and create two linked orders in the database. The order form dynamically adjusts its fields based on the selected type — stop price inputs appear only when relevant, time-in-force defaults to GTC for limit types.

There's also a paper trading mode. Toggle a switch in the header and you get a $100,000 virtual USDC balance with simulated order execution stored in the browser's localStorage. It's a nice onboarding tool — users can explore the interface and test strategies before connecting real money.

How the Binance API Integration Works

All market data flows through the backend. The frontend never calls Binance directly. Here's the pipeline:

Cron job (every 30 seconds) warms the Redis cache with ticker data for all active pairs
REST endpoints serve cached data: tickers (5s TTL), order book (2s), recent trades (2s), klines (10s), pair configs (5min)
WebSocket fan-out maintains one upstream Binance WebSocket connection per active stream and broadcasts to all subscribed clients

The fan-out architecture is the right call here. Instead of each client opening its own connection to Binance (which would hit rate limits fast), the server subscribes once and multicasts. The ConnectionManager class tracks subscriptions per client and caps each user at 3 simultaneous WebSocket connections.

For authenticated operations — placing orders, checking balances — the backend decrypts the user's stored Binance API credentials on the fly and makes signed requests. Balances are cached for 10 seconds in Redis to avoid hammering Binance's account endpoint.

Security — Where It Matters Most

This is usually where crypto exchange scripts fall apart. CoinTrade handles it better than I expected.

Password hashing uses Argon2id — the current winner of the Password Hashing Competition and the recommended choice over bcrypt for new projects. No configuration shortcuts here.

API key encryption uses AES-256-GCM with a 32-byte master key from environment variables. Each key-secret pair gets its own random 12-byte IV and authentication tag. The crypto.ts module is 34 lines of straightforward Node.js crypto — no wrapper libraries, no unnecessary abstraction. Keys are decrypted only at the moment of trade execution, never held in memory longer than needed.

JWT implementation uses short-lived access tokens (15 minutes) and longer refresh tokens (7 days) with rotation. Refresh tokens are stored as SHA-256 hashes in Redis, so even a database breach doesn't expose valid sessions. Token refresh issues a new pair and invalidates the old one.

Account lockout kicks in after 5 failed login attempts with a 15-minute cooldown, tracked in Redis. This is basic but effective brute-force protection.

2FA is TOTP-based (the same protocol used by Google Authenticator and Authy). When a user enables it, login becomes a two-step process: password verification returns a temporary token, then the TOTP code exchanges that temp token for the real JWT pair. The TOTP secret is encrypted with the same AES-256-GCM system as API keys.

Rate limiting is applied per-route with sensible defaults: 5 registrations per hour per IP, 10 login attempts per 15 minutes, 120 market data requests per minute, 30 trading requests per minute per user. All backed by Redis.

Security headers come via @fastify/helmet — Content Security Policy, HSTS (production only), strict Referrer-Policy — plus a custom hook that adds Permissions-Policy to block camera, microphone, geolocation, and payment API access.

Input validation uses Zod schemas on every endpoint. Symbols are regex-validated and uppercased. Prices are string-validated against decimal patterns to avoid floating-point injection. Password requirements enforce minimum 8 characters with uppercase, lowercase, number, and special character.

One thing worth noting: email verification is enforced before login. You can't authenticate until you've clicked the verification link. This prevents throwaway account spam, which matters when each account can store encrypted API keys.

The Fee System

Revenue generation is built into the order execution flow. When a trade fills, the platform calculates fees based on:

Check for a per-user fee override (UserFeeOverride table)
Fall back to global rates (FeeConfig table, default 0.1% maker / 0.1% taker)
Calculate: fee = fillPrice * fillQuantity * feeRate
Record the fill with fee data in the Trade table

Limit orders are classified as maker fees, market orders as taker. The admin panel lets you adjust global rates and set per-user overrides — useful for VIP tiers or promotional pricing.

An hourly cron job aggregates daily volume, realized PnL, and fee totals into an AnalyticsSnapshot table, which feeds the analytics dashboard. There's also a CSV export endpoint for trade history that properly sanitizes values against injection attacks.

Admin Panel

The admin interface covers the basics: user listing with search, global and per-user fee management, order monitoring across all users with status filtering, and a statistics dashboard showing total users, orders, trades, collected fees, and active API keys.

It's functional, not flashy. Admin access is verified from the database on each request (not just the JWT claim), which is the correct approach — it prevents privilege escalation if a regular user somehow obtains an admin-scoped token.

Deployment

CoinTrade ships with a complete deployment setup:

Docker Compose with five services: PostgreSQL 17, Redis 7, API server, Next.js frontend, and Nginx
Nginx config with TLS 1.2+1.3, OCSP stapling, WebSocket upgrade support, rate limiting, and static asset caching
PM2 ecosystem config for non-Docker deployments (cluster mode, auto-restart, memory limits)
GitHub Actions CI pipeline that runs backend tests, frontend build, and Docker image builds
Database backup/restore scripts with gzip compression and 30-day retention

The Dockerfiles use multi-stage builds with dumb-init for proper signal handling and run as non-root users. The Next.js build uses standalone output mode for minimal image size. Health checks are wired up on every service with proper dependency ordering — Postgres must be healthy before the API starts, the API must be healthy before the frontend starts, and so on.

For secrets management, there's a documented .env.production.example with generation commands for every key (openssl rand -base64 48 for JWTs, openssl rand -hex 32 for the encryption key). The actual .env files are gitignored.

Getting it running locally takes about five minutes: install dependencies, copy .env.example, run prisma migrate dev, seed the database, start both servers. The seed script creates the admin account and the global fee configuration.

The Database

Seven Prisma models, cleanly normalized:

User — email, hashed password, role, email verification status, encrypted TOTP secret
ApiKey — AES-256-GCM encrypted Binance credentials with per-record IV and auth tags
Order — links to Binance order ID, tracks status locally, supports all 7 order types
Trade — individual fills with fee tracking (rate, amount, asset, maker/taker flag)
FeeConfig — global singleton with maker/taker rates
UserFeeOverride — per-user fee customization
AnalyticsSnapshot — daily aggregated metrics per user

Indexes are placed on the query patterns you'd expect: userId + status for order lookups, userId + createdAt for trade history, userId + date for analytics. The schema uses Prisma's Decimal type mapped to PostgreSQL DECIMAL(20,8) for price and quantity fields — no floating-point rounding issues in financial calculations.

What's Missing

No review is complete without the gaps.

No fiat on-ramp. There's no payment gateway integration for buying crypto with credit cards or bank transfers. Users need an existing Binance account with funds.

Binance-only. The Binance API integration is deep and well-implemented, but there's no built-in support for other exchanges. The service architecture is clean enough that adding Bybit or OKX would be a reasonable project for a developer, but it's not plug-and-play.

No mobile app. The frontend is responsive but it's a web application, not a native app.

No KYC/AML integration. If your jurisdiction requires identity verification, you'll need to build or integrate that separately.

No margin or futures trading. This is spot trading only.

These are reasonable scope boundaries for a source code product. Adding any of these would double the codebase complexity and introduce regulatory obligations that vary by jurisdiction.

The Verdict

CoinTrade is a solid, well-architected crypto exchange platform that does what it claims. The Binance API integration is thorough — market data, order execution, balance queries, and WebSocket streaming all work through a clean proxy layer. The code is readable, the security decisions are sound, and the deployment infrastructure is genuinely production-grade. It's not a weekend hackathon project someone slapped a price tag on — this is professional-grade work with 426 tests across backend and frontend.

The Binance integration model is smart. You get access to deep liquidity and a battle-tested matching engine without building one yourself. Users keep custody of their own funds. You earn revenue on every trade with zero marginal cost per transaction.

If you're a developer or entrepreneur looking to launch a crypto exchange platform without starting from a blank editor, CoinTrade is one of the more complete options I've seen. You'll still need to handle your own domain, hosting, and any regulatory requirements for your market — but the engineering is done.

Live demo: demo-exchange.blockshark.com Full documentation: demo-exchange.blockshark.com/documentation.html Contact: blockshark.com/contact-us