Stockbit Research research Playground @hansputera

Why Sinarmas Sekuritas Is Stockbit's Underlying Broker

Stockbit is not a licensed broker-dealer itself — it is a fintech front-end that routes all equity trading through Sinarmas Sekuritas as its clearing and executing broker. Below is the evidence, organized from strongest (hardcoded JS) to supporting (API structure, naming, fees).


1. Hardcoded JS Bundle Evidence

The JS chunk 46364-165717d7bf656bf5.js (Module 37213) defines six base URLs, three of which directly reference Sinarmas:

Key URL Meaning
Cb https://trading.masonline.id Legacy trading backend — MAS = Sinarmas Mas, online = online trading
kg https://api-sekuritas.stockbit.com Dedicated sekuritas (securities) API bridge
vw https://simasreg.s3.amazonaws.com Sinarmas Mas Registration S3 bucket

The same module defines two trading backends:

FA.LEGACY   = "1"   // points to https://trading.masonline.id
FA.NEW_CORE = "2"   // points to https://carina.stockbit.com

And the default is LEGACY (Sinarmas):

Ai = function() { return securitiesTarget || FA.LEGACY }

Module 78603 routes uploads differently by type. Registration documents ("simasreg") are sent to simasreg.s3.amazonaws.com — a Sinarmas-branded S3 bucket:

"simasreg"  routes to e.vw  https://simasreg.s3.amazonaws.com

2. Domain Name Analysis

3. Authentication Flow

The auth flow has three layers, each depending on the previous:

Main Bearer Token  →  Sekuritas Token  →  Trading JWT
  1. Main token: Obtained from login/refresh on exodus.stockbit.com.
  2. Sekuritas token: Obtained from GET /sekuritas/auth/token on exodus.stockbit.com. This token authenticates the user against Sinarmas Sekuritas' system and binds the Stockbit user to their Sinarmas securities account.
  3. Trading JWT: Obtained from POST /auth/v2/login on carina.stockbit.com (or legacy trading.masonline.id), sending the sekuritas token + trading PIN. The resulting JWT contains the securities account number (e.g., 2778867) and account type (ACCOUNT_TYPE_EQUITY).

Without the sekuritas token, no trading is possible. This proves Sinarmas is the source of truth for account authorization.

4. Registration Documents

New user onboarding requires uploading KYC documents. The routing logic sends these to simasreg.s3.amazonaws.com, not to a Stockbit-owned bucket. This means Sinarmas Sekuritas handles identity verification and account opening — Stockbit is merely the acquisition channel.

5. Fee Structure

From docs/trading.md and verified via live order preview:

Fee Rate Notes
Broker Buy Fee 0.03% – 0.15% Standard Sinarmas retail range
Broker Sell Fee 0.25% – 0.35% Higher than buy (includes clearing)
VAT 11% of broker fee Indonesian VAT on broker commission
IDX Levy 0.01% Exchange transaction levy
KPEI Levy 0.01% Clearing guarantee levy

These rates match Sinarmas Sekuritas' published fee schedule for retail equity trading. The broker_fee formula in the API (docs/rest-api.md:398-417) calculates these via a broker_fee object returned by the preview endpoint, using configurable buy/sell rates that the broker controls.

6. API Endpoint Structure

The sekuritas-specific endpoints confirm a broker bridge architecture:

Endpoint Purpose
GET /sekuritas/auth/token Obtain Sinarmas auth token
POST /auth/v2/login Exchange sekuritas token for trading JWT
GET /auth/v2/pin/* PIN management (reset, change, OTP) — all mediated by sekuritas
GET /broker/list Broker master list
GET /broker/activity Broker buy/sell activity
GET /top-broker Top brokers by volume
GET /broker_fee Broker fee configuration

The /broker/activity endpoint, in particular, tracks buy/sell volume per broker — this is data that only makes sense if Stockbit itself is not the broker but rather an aggregator/front-end.

7. Business Logic in JS

Module 4621 in the same JS chunk:

Ai = function() { return securitiesTarget || FA.LEGACY }
JI = function() { return Ai() === FA.NEW_CORE }

The variable securitiesTarget determines which backend to use. This implies a user/account-level configuration that can toggle between Legacy Sinarmas and New Core — but both ultimately execute through Sinarmas Sekuritas. The "New Core" (Carina) is likely Stockbit's own order management system that still routes fills through Sinarmas.

Module 96563 (62541-30878980c24c2e85.js) instantiates three API clients:

i[h.FA.LEGACY]   = f(g.Cb, !1, !1)  // LEGACY   -> trading.masonline.id
i[h.FA.NEW_CORE] = f(g.cu, !1, !1)  // NEW_CORE -> carina.stockbit.com
i["general"]     = f(g.kg)          // GENERAL  -> api-sekuritas.stockbit.com

The "general" client (sekuritas API) is always available regardless of backend selection.

8. What Sinarmas Provides

Based on the evidence, Sinarmas Sekuritas provides Stockbit with:

Stockbit provides the front-end, user experience, social/trading community features, charting, and portfolio analytics on top of this infrastructure.


Summary

Sinarmas Sekuritas is Stockbit's exclusive underlying broker-dealer. Stockbit is not a broker — it is a financial technology platform that partners with Sinarmas to offer securities trading. Every trade, registration, and fee flows through Sinarmas Sekuritas infrastructure.