SoarSoar
Return to dashboard
Getting started

The connect-broker wizard, end to end

Seven steps from sign-up to a live bot. Here's exactly what happens at each one, what to enter, what stays private, and how to fix the things that most commonly go wrong.

Open the wizard →
Before you start

What you'll need

Most of the wizard is paste-and-continue. The pieces you need to gather ahead of time:

  • A funded broker account with API access enabled. See the broker list for which brokers Soar supports and how to enable API access on each. Most brokers don't require any minimum to enable API keys, but the bot can't trade what isn't there — so make sure the account is funded with whatever amount you want to deploy.
  • A Cloudflare account on the free plan. The bot wakes up once a minute (well inside Cloudflare's free Worker request limits), so you almost certainly won't pay them anything for a single bot. If you don't have an account, you can sign up during the wizard — Cloudflare's sign-up takes under a minute.
  • 10-15 minutes the first time through. Steps 5 (broker keys) and 6 (Cloudflare token) are the only ones that involve going to another tab.
  • Your full legal name as it appears on your Soar account — you'll sign the deployment agreement at the end, and the signature has to match.
What you're building

What you're actually deploying

The "Soar bot" is a small piece of code that lives on Cloudflare's global network. It wakes up once a minute, checks whether Soar has published any new signals for your broker, and decides whether to act based on the risk profile you set during the wizard.

Cloudflare Workers run in over 300 cities worldwide — meaning your bot has very low latency to most broker APIs, no "server" for you to manage, and no monthly hosting bill. The Worker has access to your broker keys, your risk settings, and a connection back to Soar to read signals. It does NOT have access to anything else in your Cloudflare account.

Critically: the bot runs on YOUR Cloudflare account, not Soar's. You always have unilateral control. You can pause it, kill it, or rotate its keys at any time from your Cloudflare dashboard.

These seven steps cover the Cloudflare path — but you have three hosting choices. Most brokers run on a free Cloudflare Worker on your own account (the steps below). Interactive Brokers and Webull need a long-running gateway, so they run on a small DigitalOcean droplet on your account instead. Or pick Soar-hosted — the no-setup path: no Cloudflare, no droplet, no token. You choose a broker and a risk profile, and Soar runs the bot for you (your keys are encrypted and trade-only, with your consent). See where your bot runs and the broker hub for which host fits your broker.
Step by step

The seven steps, in detail

Every step is reversible until you hit Deploy at step 7. Use the Back button freely; nothing persists to the broker or Cloudflare until the very end.

  1. 1
    1. Profile intake

    What you'll see

    A short questionnaire — experience level, what you want the bot to do, time horizon, and how much drawdown you can stomach. Five or six questions, no free-text essays.

    What to enter

    Be honest. If you've never run an automated strategy before, say so — the bot will start with safer defaults and you can loosen them later. There's no "wrong" answer that locks you out.

    Behind the scenes

    Your answers map to a starting risk profile (Conservative / Standard / Aggressive). Nothing is irreversible — you can change every value in step 4.

    Common pitfall — Picking Aggressive when you're new. Aggressive sizes positions at 5-10% of your account with up to 8 concurrent positions. On a fresh bot with no track record, that's a lot of exposure. Start Conservative or Standard for the first 2-4 weeks; loosen after you've seen it behave.
  2. 2
    2. Review your defaults

    What you'll see

    A summary card: the risk profile Soar picked for you, the per-position size, the max concurrent positions, and a one-line, jargon-free explanation of what that means in dollar terms (e.g. "On a $10,000 account, each trade will be ~$300").

    What to enter

    Just review. If anything looks surprising, tap Back and adjust the intake answers. Otherwise, Continue.

    Behind the scenes

    Soar stores the defaults on your account so the next time you deploy (e.g. on a different broker) they're pre-filled.

  3. 3
    3. Pick your broker

    What you'll see

    A grid of broker tiles. Each one shows which assets it covers (crypto / US equities / perpetuals), whether it supports simulated (paper) trading, and any minimums or US-availability notes.

    What to enter

    Tap the broker where you already have a funded account. If you don't have one anywhere yet, Coinbase Advanced and Alpaca are the easiest to onboard (10-minute sign-up, US-friendly).

    Behind the scenes

    Each broker has its own key format, its own permission model, and its own bot bundle (a small Cloudflare Worker tailored to that broker's API). Soar picks the right bundle automatically based on your choice.

    Common pitfall — Choosing a broker you can't actually trade on. A few brokers are US-restricted (Binance.US US-only) or jurisdiction-restricted (AsterDEX, Hyperliquid). The tile will warn you, but double-check before you generate keys — broker key creation is annoying to undo.
  4. 4
    4. Lock in your risk profile

    What you'll see

    Three preset cards (Conservative / Standard / Aggressive) plus a Custom option with sliders for position size %, max open positions, and per-trade max loss. A live preview shows the dollar impact on a sample $10,000 account.

    What to enter

    Pick a preset or build a custom one. The Custom slider lets you pin position size anywhere from 0.5% to 30% of your account. (The deploy API enforces these bounds for safety; most users land between 2% and 8%.)

    Behind the scenes

    Soar can only ever NARROW exposure relative to your settings — never widen. If a signal would trigger a position bigger than your cap, the bot scales it down. If your portfolio is already at max concurrent positions, the signal is skipped, not stacked.

    Common pitfall — Setting max positions too low. If you cap concurrent positions at 1, the bot can only ever hold one trade at a time — which means it'll skip most signals. 3-5 is a reasonable starting range for most accounts.
  5. 5
    5. Paste your broker API keys

    What you'll see

    Two input fields (API key + secret, or key + private key depending on the broker), a Visual Guide button that opens broker-specific screenshots showing exactly where to click in the broker's dashboard, and a permissions checklist.

    What to enter

    Generate a fresh key in your broker's API settings with View + Trade permissions only — NEVER Withdraw or Transfer. Copy and paste both halves into Soar. The wizard validates the format as you type.

    Behind the scenes

    The keys are held in a short-lived HttpOnly cookie on your browser, then forwarded to Soar's deploy endpoint, which immediately pushes them into your Cloudflare Worker's secret store. Soar's database never receives them.

    Common pitfall — Enabling Withdraw permission "just in case". Don't. Soar has zero withdrawal use-case, and a withdraw-enabled key is a much bigger blast radius if leaked. If any Soar instruction tells you to enable withdraw, you're on a phishing site — close it immediately.
  6. 6
    6. Connect Cloudflare

    What you'll see

    A one-tap "Connect Cloudflare" button that authorizes Soar in a popup — nothing to copy or paste. If you'd rather do it by hand, a "Generate token" deep-link opens Cloudflare with the right permissions pre-selected, plus a paste field for the token it gives back.

    What to enter

    Easiest path: tap Connect Cloudflare, sign in (or sign up — it takes under a minute), approve in the popup, and you're done. Prefer to do it manually? Follow the deep-link, hit Create Token, copy it, and paste it back into Soar. Either way takes under a minute.

    Behind the scenes

    This authorization only lets Soar provision a new Worker in your account — nothing else. You can revoke it from Cloudflare's dashboard the moment deployment finishes; the bot doesn't need it to keep running, only to be created.

    Common pitfall — Connection or token validation fails. Use the one-tap Connect Cloudflare button — it requests exactly the access Soar needs. If you went the manual route and Cloudflare returns an error, the usual cause is a token built with the wrong permissions; use the "Generate token" deep-link instead of building one by hand.
  7. 7
    7. Sign the deployment agreement and deploy

    What you'll see

    A scrollable contract preview, five separate checkboxes (each affirming a specific point), a signature field, and a Deploy button that stays disabled until everything is signed.

    What to enter

    Read the agreement (it's shorter than a typical SaaS terms-of-service — 13 numbered Articles). Tick each affirmation. Type your full legal name in the signature field exactly as it appears on your account. Tap Deploy.

    Behind the scenes

    Soar captures a SHA-256 hash of the exact HTML you reviewed, generates a timestamped PDF, drops it in your Document Center, provisions the Cloudflare Worker, ships your broker keys into the Worker's secret store, and fires the first heartbeat. Total: ~30 seconds.

The legal piece

The deployment agreement — what it covers

Before any bot trades on your behalf, Soar walks you through a formal contract. It's shorter than a typical SaaS terms-of-service — 13 numbered Articles with the same anatomy as a normal commercial agreement (Definitions, Recitals, Limitation of Liability, Force Majeure, Arbitration, Waiver of Jury Trial).

The flow is ESIGN Act and UETA compliant. That means: the signature you type is legally equivalent to a wet-ink signature, Soar captures a SHA-256 hash of the exact HTML you reviewed (so the version you signed is provable later), and a timestamped PDF copy lands in your Document Center for your records.

You can download the signed PDF at any time. Soar can't alter it after signing; if either side wants to amend the agreement, you go through the wizard again for a fresh deploy.

Why this exists: Soar is software, not an advisor. The agreement makes that relationship explicit and documents that you affirmatively chose to enable automated execution. See Security & trust for the full breakdown.
What you're affirming

The five attestations

During signing you tick five separate boxes — each one a distinct affirmation. They're listed in the agreement itself, but here's what each one means, in clear terms.

1. Ownership of the broker account

You confirm the broker account you're connecting belongs to you personally (or to an entity you have authority to bind). No connecting a friend's account, no shared logins.

2. Not investment advice

You acknowledge Soar publishes software and analysis — not personalized investment advice. The bot acts on signals you've configured it to act on; the trade decision is yours by virtue of the deploy.

3. Risk acknowledgement

You understand that automated trading can lose money quickly, that past performance does not guarantee future results, and that no strategy — including Soar's — is immune to drawdown or unexpected market events.

4. No withdraw permission

You confirm the API keys you provided do NOT have withdraw or transfer permissions, and you understand Soar would never ask for them.

5. Arbitration consent

You agree that any disputes are routed through binding arbitration rather than court, and you waive the right to jury trial. This is standard for SaaS — the full text is in the agreement.

Risk presets

Risk profiles compared

Step 4 of the wizard asks you to pick one of these. You can change it later by redeploying — there's no "upgrade fee" to a riskier preset. Custom gives you the fine-grained sliders.

Preset

Conservative

Position size
1-3% per trade
Max open
3 concurrent positions
Best for
New to automated trading, smaller account, want to see the bot behave before loosening.
Preset

Standard

Position size
3-5% per trade
Max open
5 concurrent positions
Best for
Have a feel for risk, balanced approach. The default for most users.
Preset

Aggressive

Position size
5-10% per trade
Max open
8 concurrent positions
Best for
Larger account that can absorb concentration, comfortable with drawdown, want maximum exposure to high-conviction signals.
Preset

Custom

Position size
You pick (0.5% – 30%)
Max open
You pick (1 – 20)
Best for
You know what you want. Tune position size, max open positions, and per-trade loss cap independently. The deploy API enforces a 0.5%–30% per-position floor/ceiling for safety.
You can always tighten, not just loosen. If you start on Aggressive and decide you want less concentration, drop to Standard or Conservative on the next deploy. There's no penalty for changing your mind.
Trading mode

Simulated vs Live trading

Simulated mode

The bot reads real-time market data and Soar signals exactly as it would in live mode, but instead of placing orders at your broker, it records simulated trades in a separate ledger. No money moves. You see equity curves, position lists, and trade history as if it were real.

Every bot starts with a 14-day simulated trial, which is the best way to watch it for a week or two before committing real capital. Alpaca additionally offers dedicated paper API keys (separate from live keys); for other brokers, simulated mode means simulated execution against live prices without hitting the broker API.

Live mode (real money)

The bot places real orders against your funded broker account, using the API keys you pasted in step 5. Every fill is a real fill. P&L is real P&L.

Live mode is the default for most brokers. Soar will warn you clearly before deploying live, and the deployment agreement explicitly covers live execution.

Heads up on paper keys vs live keys. Alpaca has separate API endpoints for paper and live; the keys are not interchangeable. Generate the matching key from the correct Alpaca dashboard (Paper vs Live) and the wizard will validate it. If you ever see "forbidden" or "account not found" errors after deploy, that is almost always a paper-key-on-live-endpoint mismatch — disconnect, regenerate from the right dashboard, and redeploy.
The first 24 hours

What happens after you hit Deploy

Minute 0 — Deploy completes

You'll see a success screen with a link to your bot's dashboard. The Cloudflare Worker is live, your keys are in its secret store, and the first heartbeat usually lands within 30 seconds.

Minutes 1-60 — First heartbeats

The bot ticks every minute. It fetches your account balance from the broker, fetches the active signal list from Soar, and decides whether to act. Most ticks are no-ops — the bot only opens or closes positions when conditions are met. Watch the equity and positions panel in your dashboard to confirm the heartbeat is updating.

Hour 1-24 — First trades (maybe)

Whether the bot opens a position in the first day depends entirely on the signals Soar is publishing and how they match your risk profile. On a quiet market day, the bot may sit idle. On an active day with strong setups, it may take 1-3 positions. Both are normal.

Where to check the bot

  • Equity and positions: Open the dashboard to see current equity, open positions with live P&L, and the last heartbeat timestamp.
  • Trade history: every fill the bot places is logged with the signal it acted on, entry, exit, and realized P&L.
  • Signed PDF: your Document Center has the deployment agreement, dated and hashed.
  • The bot itself: your Cloudflare dashboard → Workers & Pages will show the Worker, its request count, and its logs. You always have direct access.
Staying in control

Pausing, disconnecting, or rotating keys

To pause the bot

From your dashboard, tap the bot card → "Pause". The bot stops opening new positions immediately. Existing positions stay open and are still managed (stops are still honored). Resume from the same place when you're ready.

To disconnect (stop entirely)

From your dashboard, tap the bot card → "Disconnect". Soar stops sending signals to the bot and removes the bot from your dashboard. The Cloudflare Worker is still in YOUR account until you delete it.

To fully tear it down, go to your Cloudflare dashboard → Workers & Pages, find the soar-bot Worker, and delete it. That removes the keys from the secret store and ends all possibility of further activity.

To rotate broker keys

If you want to swap out the broker keys (e.g. after a leak scare), the cleanest path is: (1) revoke the old key from your broker dashboard, (2) generate a new one with the same view+trade-only permissions, (3) come back to Soar and redeploy. The wizard will detect you already have a bot for that broker and offer a "Replace keys" flow that's faster than a full from-scratch deploy.

Because Soar never stores broker keys, there's nothing on Soar's side to update — the redeploy ships the new keys into the Worker and discards the old ones.

When something goes wrong

Common deploy errors

The wizard tries to catch problems before you hit Deploy, but a few things only surface during the actual provisioning. Here are the most common ones and how to fix them.

Token verification failed

Why it happens

The Cloudflare API token doesn't have the right permissions, or was generated for a different account than the one you're signed into.

Fix

Tap the "Generate Cloudflare token" button in the wizard rather than building one manually — it pre-selects the correct scope. Make sure you're signed into the Cloudflare account where you want the bot to live.

Workers.dev subdomain not provisioned

Why it happens

New Cloudflare accounts need to claim a free *.workers.dev subdomain before they can host a Worker. This is a one-time thing.

Fix

Open the Cloudflare dashboard → Workers & Pages → and click through any "Get started" prompt. It takes ~10 seconds. Then come back to Soar and retry the deploy.

Ed25519 key rejected on Coinbase

Why it happens

Coinbase Advanced switched its key format in 2024. Older keys (HMAC) don't work for the Soar bot. The new keys are Ed25519 and look like a base64 PEM block.

Fix

In Coinbase Developer Platform, generate a NEW key — make sure you pick the Ed25519 option (it's the default for new keys). The private key file you download will look like "-----BEGIN EC PRIVATE KEY-----" followed by a long block.

Bot stuck at "starting" for more than 5 minutes

Why it happens

The Worker provisioned but the first heartbeat hasn't landed. Usually a Cloudflare propagation delay or a transient broker API issue.

Fix

Wait another 5 minutes — Cloudflare cold-starts can take longer on new accounts. If it's still stuck after 10 minutes total, open Cloudflare's dashboard, find the Worker, and check the "Logs" tab for the actual error. The most common cause is a typo in the API key.

Heartbeat not updating after running for a while

Why it happens

Either the broker revoked or rotated your API key, the Cloudflare Worker hit a runtime error, or Cloudflare itself had an incident.

Fix

Check your broker's API settings page — confirm the key is still active. Check Cloudflare status (status.cloudflare.com). If both look fine, the fastest fix is to redeploy from /dashboard/connect-broker with a fresh key.

Permission denied or 401 from broker

Why it happens

API key was generated with wrong permissions, or your broker requires IP whitelisting and the Cloudflare Worker IP isn't allowed.

Fix

Regenerate the key with View + Trade only. If your broker requires IP whitelisting (rare — Kraken is the main one), check our broker-specific guide for the current Cloudflare egress IP ranges.

Still stuck? Open a support ticket from your dashboard. Include the error message verbatim and the time you saw it — Soar's support team can correlate that with the deploy logs to give you a specific answer.
Unilateral control

What if Soar disappeared tomorrow?

Because your bot runs on YOUR Cloudflare account using YOUR broker keys, Soar is not in the critical path of execution. If Soar shut down, went down for maintenance, or otherwise stopped responding, the practical effects would be:

  • The bot stops receiving new signals — Soar publishes signals via an API, and if that API is unreachable, the bot has nothing fresh to act on.
  • Existing positions are not auto-closed. The bot doesn't panic-sell when Soar is unreachable. Positions stay open until they hit their stop, target, or you close them manually from your broker.
  • You still have full broker access. Your API keys, your dashboard, your positions — none of it depends on Soar being up.
  • You can destroy the Worker any time from your Cloudflare dashboard, which ends all bot activity instantly.
The bottom line: you can always pull the plug yourself. Soar is software you chose to run; you remain the one with the keys and the final say.
See also

Related help