The connect-broker wizard, end to end
Seven steps from sign-up to a live bot. Here's exactly what happens at each one, what to enter, what stays private, and how to fix the things that most commonly go wrong.
Open the wizard →What you'll need
Most of the wizard is paste-and-continue. The pieces you need to gather ahead of time:
- A funded broker account with API access enabled. See the broker list for which brokers Soar supports and how to enable API access on each. Most brokers don't require any minimum to enable API keys, but the bot can't trade what isn't there — so make sure the account is funded with whatever amount you want to deploy.
- A Cloudflare account on the free plan. The bot wakes up once a minute (well inside Cloudflare's free Worker request limits), so you almost certainly won't pay them anything for a single bot. If you don't have an account, you can sign up during the wizard — Cloudflare's sign-up takes under a minute.
- 10-15 minutes the first time through. Steps 5 (broker keys) and 6 (Cloudflare token) are the only ones that involve going to another tab.
- Your full legal name as it appears on your Soar account — you'll sign the deployment agreement at the end, and the signature has to match.
What you're actually deploying
The "Soar bot" is a small piece of code that lives on Cloudflare's global network. It wakes up once a minute, checks whether Soar has published any new signals for your broker, and decides whether to act based on the risk profile you set during the wizard.
Cloudflare Workers run in over 300 cities worldwide — meaning your bot has very low latency to most broker APIs, no "server" for you to manage, and no monthly hosting bill. The Worker has access to your broker keys, your risk settings, and a connection back to Soar to read signals. It does NOT have access to anything else in your Cloudflare account.
Critically: the bot runs on YOUR Cloudflare account, not Soar's. You always have unilateral control. You can pause it, kill it, or rotate its keys at any time from your Cloudflare dashboard.
The seven steps, in detail
Every step is reversible until you hit Deploy at step 7. Use the Back button freely; nothing persists to the broker or Cloudflare until the very end.
- 11. Profile intake
What you'll see
A short questionnaire — experience level, what you want the bot to do, time horizon, and how much drawdown you can stomach. Five or six questions, no free-text essays.
What to enter
Be honest. If you've never run an automated strategy before, say so — the bot will start with safer defaults and you can loosen them later. There's no "wrong" answer that locks you out.
Behind the scenes
Your answers map to a starting risk profile (Conservative / Standard / Aggressive). Nothing is irreversible — you can change every value in step 4.
Common pitfall — Picking Aggressive when you're new. Aggressive sizes positions at 5-10% of your account with up to 8 concurrent positions. On a fresh bot with no track record, that's a lot of exposure. Start Conservative or Standard for the first 2-4 weeks; loosen after you've seen it behave. - 22. Review your defaults
What you'll see
A summary card: the risk profile Soar picked for you, the per-position size, the max concurrent positions, and a one-line, jargon-free explanation of what that means in dollar terms (e.g. "On a $10,000 account, each trade will be ~$300").
What to enter
Just review. If anything looks surprising, tap Back and adjust the intake answers. Otherwise, Continue.
Behind the scenes
Soar stores the defaults on your account so the next time you deploy (e.g. on a different broker) they're pre-filled.
- 33. Pick your broker
What you'll see
A grid of broker tiles. Each one shows which assets it covers (crypto / US equities / perpetuals), whether it supports simulated (paper) trading, and any minimums or US-availability notes.
What to enter
Tap the broker where you already have a funded account. If you don't have one anywhere yet, Coinbase Advanced and Alpaca are the easiest to onboard (10-minute sign-up, US-friendly).
Behind the scenes
Each broker has its own key format, its own permission model, and its own bot bundle (a small Cloudflare Worker tailored to that broker's API). Soar picks the right bundle automatically based on your choice.
Common pitfall — Choosing a broker you can't actually trade on. A few brokers are US-restricted (Binance.US US-only) or jurisdiction-restricted (AsterDEX, Hyperliquid). The tile will warn you, but double-check before you generate keys — broker key creation is annoying to undo. - 44. Lock in your risk profile
What you'll see
Three preset cards (Conservative / Standard / Aggressive) plus a Custom option with sliders for position size %, max open positions, and per-trade max loss. A live preview shows the dollar impact on a sample $10,000 account.
What to enter
Pick a preset or build a custom one. The Custom slider lets you pin position size anywhere from 0.5% to 30% of your account. (The deploy API enforces these bounds for safety; most users land between 2% and 8%.)
Behind the scenes
Soar can only ever NARROW exposure relative to your settings — never widen. If a signal would trigger a position bigger than your cap, the bot scales it down. If your portfolio is already at max concurrent positions, the signal is skipped, not stacked.
Common pitfall — Setting max positions too low. If you cap concurrent positions at 1, the bot can only ever hold one trade at a time — which means it'll skip most signals. 3-5 is a reasonable starting range for most accounts. - 55. Paste your broker API keys
What you'll see
Two input fields (API key + secret, or key + private key depending on the broker), a Visual Guide button that opens broker-specific screenshots showing exactly where to click in the broker's dashboard, and a permissions checklist.
What to enter
Generate a fresh key in your broker's API settings with View + Trade permissions only — NEVER Withdraw or Transfer. Copy and paste both halves into Soar. The wizard validates the format as you type.
Behind the scenes
The keys are held in a short-lived HttpOnly cookie on your browser, then forwarded to Soar's deploy endpoint, which immediately pushes them into your Cloudflare Worker's secret store. Soar's database never receives them.
Common pitfall — Enabling Withdraw permission "just in case". Don't. Soar has zero withdrawal use-case, and a withdraw-enabled key is a much bigger blast radius if leaked. If any Soar instruction tells you to enable withdraw, you're on a phishing site — close it immediately. - 66. Connect Cloudflare
What you'll see
A one-tap "Connect Cloudflare" button that authorizes Soar in a popup — nothing to copy or paste. If you'd rather do it by hand, a "Generate token" deep-link opens Cloudflare with the right permissions pre-selected, plus a paste field for the token it gives back.
What to enter
Easiest path: tap Connect Cloudflare, sign in (or sign up — it takes under a minute), approve in the popup, and you're done. Prefer to do it manually? Follow the deep-link, hit Create Token, copy it, and paste it back into Soar. Either way takes under a minute.
Behind the scenes
This authorization only lets Soar provision a new Worker in your account — nothing else. You can revoke it from Cloudflare's dashboard the moment deployment finishes; the bot doesn't need it to keep running, only to be created.
Common pitfall — Connection or token validation fails. Use the one-tap Connect Cloudflare button — it requests exactly the access Soar needs. If you went the manual route and Cloudflare returns an error, the usual cause is a token built with the wrong permissions; use the "Generate token" deep-link instead of building one by hand. - 77. Sign the deployment agreement and deploy
What you'll see
A scrollable contract preview, five separate checkboxes (each affirming a specific point), a signature field, and a Deploy button that stays disabled until everything is signed.
What to enter
Read the agreement (it's shorter than a typical SaaS terms-of-service — 13 numbered Articles). Tick each affirmation. Type your full legal name in the signature field exactly as it appears on your account. Tap Deploy.
Behind the scenes
Soar captures a SHA-256 hash of the exact HTML you reviewed, generates a timestamped PDF, drops it in your Document Center, provisions the Cloudflare Worker, ships your broker keys into the Worker's secret store, and fires the first heartbeat. Total: ~30 seconds.
The deployment agreement — what it covers
Before any bot trades on your behalf, Soar walks you through a formal contract. It's shorter than a typical SaaS terms-of-service — 13 numbered Articles with the same anatomy as a normal commercial agreement (Definitions, Recitals, Limitation of Liability, Force Majeure, Arbitration, Waiver of Jury Trial).
The flow is ESIGN Act and UETA compliant. That means: the signature you type is legally equivalent to a wet-ink signature, Soar captures a SHA-256 hash of the exact HTML you reviewed (so the version you signed is provable later), and a timestamped PDF copy lands in your Document Center for your records.
You can download the signed PDF at any time. Soar can't alter it after signing; if either side wants to amend the agreement, you go through the wizard again for a fresh deploy.
The five attestations
During signing you tick five separate boxes — each one a distinct affirmation. They're listed in the agreement itself, but here's what each one means, in clear terms.
1. Ownership of the broker account
You confirm the broker account you're connecting belongs to you personally (or to an entity you have authority to bind). No connecting a friend's account, no shared logins.
2. Not investment advice
You acknowledge Soar publishes software and analysis — not personalized investment advice. The bot acts on signals you've configured it to act on; the trade decision is yours by virtue of the deploy.
3. Risk acknowledgement
You understand that automated trading can lose money quickly, that past performance does not guarantee future results, and that no strategy — including Soar's — is immune to drawdown or unexpected market events.
4. No withdraw permission
You confirm the API keys you provided do NOT have withdraw or transfer permissions, and you understand Soar would never ask for them.
5. Arbitration consent
You agree that any disputes are routed through binding arbitration rather than court, and you waive the right to jury trial. This is standard for SaaS — the full text is in the agreement.
Risk profiles compared
Step 4 of the wizard asks you to pick one of these. You can change it later by redeploying — there's no "upgrade fee" to a riskier preset. Custom gives you the fine-grained sliders.
Conservative
Standard
Aggressive
Custom
Simulated vs Live trading
Simulated mode
The bot reads real-time market data and Soar signals exactly as it would in live mode, but instead of placing orders at your broker, it records simulated trades in a separate ledger. No money moves. You see equity curves, position lists, and trade history as if it were real.
Every bot starts with a 14-day simulated trial, which is the best way to watch it for a week or two before committing real capital. Alpaca additionally offers dedicated paper API keys (separate from live keys); for other brokers, simulated mode means simulated execution against live prices without hitting the broker API.
Live mode (real money)
The bot places real orders against your funded broker account, using the API keys you pasted in step 5. Every fill is a real fill. P&L is real P&L.
Live mode is the default for most brokers. Soar will warn you clearly before deploying live, and the deployment agreement explicitly covers live execution.
What happens after you hit Deploy
Minute 0 — Deploy completes
You'll see a success screen with a link to your bot's dashboard. The Cloudflare Worker is live, your keys are in its secret store, and the first heartbeat usually lands within 30 seconds.
Minutes 1-60 — First heartbeats
The bot ticks every minute. It fetches your account balance from the broker, fetches the active signal list from Soar, and decides whether to act. Most ticks are no-ops — the bot only opens or closes positions when conditions are met. Watch the equity and positions panel in your dashboard to confirm the heartbeat is updating.
Hour 1-24 — First trades (maybe)
Whether the bot opens a position in the first day depends entirely on the signals Soar is publishing and how they match your risk profile. On a quiet market day, the bot may sit idle. On an active day with strong setups, it may take 1-3 positions. Both are normal.
Where to check the bot
- Equity and positions: Open the dashboard to see current equity, open positions with live P&L, and the last heartbeat timestamp.
- Trade history: every fill the bot places is logged with the signal it acted on, entry, exit, and realized P&L.
- Signed PDF: your Document Center has the deployment agreement, dated and hashed.
- The bot itself: your Cloudflare dashboard → Workers & Pages will show the Worker, its request count, and its logs. You always have direct access.
Pausing, disconnecting, or rotating keys
To pause the bot
From your dashboard, tap the bot card → "Pause". The bot stops opening new positions immediately. Existing positions stay open and are still managed (stops are still honored). Resume from the same place when you're ready.
To disconnect (stop entirely)
From your dashboard, tap the bot card → "Disconnect". Soar stops sending signals to the bot and removes the bot from your dashboard. The Cloudflare Worker is still in YOUR account until you delete it.
To fully tear it down, go to your Cloudflare dashboard → Workers & Pages, find the soar-bot Worker, and delete it. That removes the keys from the secret store and ends all possibility of further activity.
To rotate broker keys
If you want to swap out the broker keys (e.g. after a leak scare), the cleanest path is: (1) revoke the old key from your broker dashboard, (2) generate a new one with the same view+trade-only permissions, (3) come back to Soar and redeploy. The wizard will detect you already have a bot for that broker and offer a "Replace keys" flow that's faster than a full from-scratch deploy.
Because Soar never stores broker keys, there's nothing on Soar's side to update — the redeploy ships the new keys into the Worker and discards the old ones.
Common deploy errors
The wizard tries to catch problems before you hit Deploy, but a few things only surface during the actual provisioning. Here are the most common ones and how to fix them.
Token verification failed
The Cloudflare API token doesn't have the right permissions, or was generated for a different account than the one you're signed into.
Tap the "Generate Cloudflare token" button in the wizard rather than building one manually — it pre-selects the correct scope. Make sure you're signed into the Cloudflare account where you want the bot to live.
Workers.dev subdomain not provisioned
New Cloudflare accounts need to claim a free *.workers.dev subdomain before they can host a Worker. This is a one-time thing.
Open the Cloudflare dashboard → Workers & Pages → and click through any "Get started" prompt. It takes ~10 seconds. Then come back to Soar and retry the deploy.
Ed25519 key rejected on Coinbase
Coinbase Advanced switched its key format in 2024. Older keys (HMAC) don't work for the Soar bot. The new keys are Ed25519 and look like a base64 PEM block.
In Coinbase Developer Platform, generate a NEW key — make sure you pick the Ed25519 option (it's the default for new keys). The private key file you download will look like "-----BEGIN EC PRIVATE KEY-----" followed by a long block.
Bot stuck at "starting" for more than 5 minutes
The Worker provisioned but the first heartbeat hasn't landed. Usually a Cloudflare propagation delay or a transient broker API issue.
Wait another 5 minutes — Cloudflare cold-starts can take longer on new accounts. If it's still stuck after 10 minutes total, open Cloudflare's dashboard, find the Worker, and check the "Logs" tab for the actual error. The most common cause is a typo in the API key.
Heartbeat not updating after running for a while
Either the broker revoked or rotated your API key, the Cloudflare Worker hit a runtime error, or Cloudflare itself had an incident.
Check your broker's API settings page — confirm the key is still active. Check Cloudflare status (status.cloudflare.com). If both look fine, the fastest fix is to redeploy from /dashboard/connect-broker with a fresh key.
Permission denied or 401 from broker
API key was generated with wrong permissions, or your broker requires IP whitelisting and the Cloudflare Worker IP isn't allowed.
Regenerate the key with View + Trade only. If your broker requires IP whitelisting (rare — Kraken is the main one), check our broker-specific guide for the current Cloudflare egress IP ranges.
What if Soar disappeared tomorrow?
Because your bot runs on YOUR Cloudflare account using YOUR broker keys, Soar is not in the critical path of execution. If Soar shut down, went down for maintenance, or otherwise stopped responding, the practical effects would be:
- The bot stops receiving new signals — Soar publishes signals via an API, and if that API is unreachable, the bot has nothing fresh to act on.
- Existing positions are not auto-closed. The bot doesn't panic-sell when Soar is unreachable. Positions stay open until they hit their stop, target, or you close them manually from your broker.
- You still have full broker access. Your API keys, your dashboard, your positions — none of it depends on Soar being up.
- You can destroy the Worker any time from your Cloudflare dashboard, which ends all bot activity instantly.
