Stockbit is not a licensed broker-dealer itself — it is a fintech front-end that routes all equity trading through Sinarmas Sekuritas as its clearing and executing broker. Below is the evidence, organized from strongest (hardcoded JS) to supporting (API structure, naming, fees).
The JS chunk 46364-165717d7bf656bf5.js (Module 37213) defines six base URLs, three of which directly reference Sinarmas:
| Key | URL | Meaning |
|---|---|---|
Cb |
https://trading.masonline.id |
Legacy trading backend — MAS = Sinarmas Mas, online = online trading |
kg |
https://api-sekuritas.stockbit.com |
Dedicated sekuritas (securities) API bridge |
vw |
https://simasreg.s3.amazonaws.com |
Sinarmas Mas Registration S3 bucket |
The same module defines two trading backends:
FA.LEGACY = "1" // points to https://trading.masonline.id
FA.NEW_CORE = "2" // points to https://carina.stockbit.com
And the default is LEGACY (Sinarmas):
Ai = function() { return securitiesTarget || FA.LEGACY }
Module 78603 routes uploads differently by type. Registration documents ("simasreg") are sent to simasreg.s3.amazonaws.com — a Sinarmas-branded S3 bucket:
"simasreg" → routes to e.vw → https://simasreg.s3.amazonaws.com
trading.masonline.id — the mas subdomain + online suffix is a clear abbreviation of Sinarmas Online Trading. This domain is now dead (DNS failure), suggesting Stockbit migrated to its own Carina backend but still relies on Sinarmas for order execution.simasreg.s3.amazonaws.com — the bucket name is a portmanteau of Sinarmas Mas Registration. User onboarding documents (KYC, identity) are uploaded here for Sinarmas account creation.api-sekuritas.stockbit.com — a dedicated API subdomain for the sekuritas (securities) auth bridge, sitting between Stockbit and Sinarmas.The auth flow has three layers, each depending on the previous:
Main Bearer Token → Sekuritas Token → Trading JWT
login/refresh on exodus.stockbit.com.GET /sekuritas/auth/token on exodus.stockbit.com. This token authenticates the user against Sinarmas Sekuritas' system and binds the Stockbit user to their Sinarmas securities account.POST /auth/v2/login on carina.stockbit.com (or legacy trading.masonline.id), sending the sekuritas token + trading PIN. The resulting JWT contains the securities account number (e.g., 2778867) and account type (ACCOUNT_TYPE_EQUITY).Without the sekuritas token, no trading is possible. This proves Sinarmas is the source of truth for account authorization.
New user onboarding requires uploading KYC documents. The routing logic sends these to simasreg.s3.amazonaws.com, not to a Stockbit-owned bucket. This means Sinarmas Sekuritas handles identity verification and account opening — Stockbit is merely the acquisition channel.
From docs/trading.md and verified via live order preview:
| Fee | Rate | Notes |
|---|---|---|
| Broker Buy Fee | 0.03% – 0.15% | Standard Sinarmas retail range |
| Broker Sell Fee | 0.25% – 0.35% | Higher than buy (includes clearing) |
| VAT | 11% of broker fee | Indonesian VAT on broker commission |
| IDX Levy | 0.01% | Exchange transaction levy |
| KPEI Levy | 0.01% | Clearing guarantee levy |
These rates match Sinarmas Sekuritas' published fee schedule for retail equity trading. The broker_fee formula in the API (docs/rest-api.md:398-417) calculates these via a broker_fee object returned by the preview endpoint, using configurable buy/sell rates that the broker controls.
The sekuritas-specific endpoints confirm a broker bridge architecture:
| Endpoint | Purpose |
|---|---|
GET /sekuritas/auth/token |
Obtain Sinarmas auth token |
POST /auth/v2/login |
Exchange sekuritas token for trading JWT |
GET /auth/v2/pin/* |
PIN management (reset, change, OTP) — all mediated by sekuritas |
GET /broker/list |
Broker master list |
GET /broker/activity |
Broker buy/sell activity |
GET /top-broker |
Top brokers by volume |
GET /broker_fee |
Broker fee configuration |
The /broker/activity endpoint, in particular, tracks buy/sell volume per broker — this is data that only makes sense if Stockbit itself is not the broker but rather an aggregator/front-end.
Module 4621 in the same JS chunk:
Ai = function() { return securitiesTarget || FA.LEGACY }
JI = function() { return Ai() === FA.NEW_CORE }
The variable securitiesTarget determines which backend to use. This implies a user/account-level configuration that can toggle between Legacy Sinarmas and New Core — but both ultimately execute through Sinarmas Sekuritas. The "New Core" (Carina) is likely Stockbit's own order management system that still routes fills through Sinarmas.
Module 96563 (62541-30878980c24c2e85.js) instantiates three API clients:
i[h.FA.LEGACY] = f(g.Cb, !1, !1) // LEGACY -> trading.masonline.id
i[h.FA.NEW_CORE] = f(g.cu, !1, !1) // NEW_CORE -> carina.stockbit.com
i["general"] = f(g.kg) // GENERAL -> api-sekuritas.stockbit.com
The "general" client (sekuritas API) is always available regardless of backend selection.
Based on the evidence, Sinarmas Sekuritas provides Stockbit with:
Stockbit provides the front-end, user experience, social/trading community features, charting, and portfolio analytics on top of this infrastructure.
Sinarmas Sekuritas is Stockbit's exclusive underlying broker-dealer. Stockbit is not a broker — it is a financial technology platform that partners with Sinarmas to offer securities trading. Every trade, registration, and fee flows through Sinarmas Sekuritas infrastructure.