Partner-facing API

External Game Aggregator API

One integration for player creation, game launch, and seamless wallet settlement. The aggregator layer handles the provider bridge while your wallet remains the balance source of truth.

Start with auth Review wallet callbacks

Auth: x-api-key
Format: JSON or form body
Wallet: HMAC-SHA256

Open game request ready

POST /game/open-game

{
  "user_agent": "LAG1.0632094194",
  "game_provider": "PGSoft",
  "game_id": "1513328",
  "mobile": true
}

01 Partner Signed request

02 Aggregator Provider bridge

03 Wallet Debit / settle

01 Authenticate Headers, prefix, IP whitelist 02 Create and launch User handle, provider, game URL 03 Verify callbacks Balance, bet, settle, history

Base URL

All API requests are made to your assigned base URL. Replace https://api.example.com with the host provided to you.

https://api.example.com

Note - every endpoint is served over HTTPS. Plain HTTP requests are rejected.

Authentication

Authenticate every request with your secret API key in the x-api-key header. Your key is unique to your account and must be kept private - never expose it in client-side code.

Header	Required	Description
`x-api-key`	required	Your secret API key.
`x-api-prefix`	optional	Your account prefix. Speeds up routing when supplied; otherwise it is resolved from the key.
`Content-Type`	optional	`application/json` (recommended) or `application/x-www-form-urlencoded`.

curl https://api.example.com/game/provider \
  -H "x-api-key: YOUR_API_KEY"

Keep it secret - anyone with your API key can act on behalf of your account. Rotate it immediately if it leaks.

IP whitelist

For an extra layer of security your account can be locked to a list of allowed source IP addresses. When a whitelist is configured, requests from any other address are rejected with 403.

Provide the public IPs (or CIDR ranges) of your servers to enable the whitelist.
Both single addresses (203.0.113.10) and CIDR ranges (203.0.113.0/24) are supported.
Leave it unset to allow any source IP (API key only).

Conventions

Request bodies may be sent as JSON or form-encoded. Responses are always JSON.
The user_agent is the unique identifier of a player, returned by Register (for example LAG1.0632094194).
Monetary amounts are decimal numbers in your account currency.
Timestamps are ISO-8601 strings in UTC.

API reference

POST /create-user

Register

Create a player in the system. The returned user_agent is the handle you use for every subsequent call for this player.

Body parameters

Field	Type		Description
`user_agent`	string	required	Your unique player reference.
`firstname`	string	optional	Player first name.
`lastname`	string	optional	Player last name.
`password`	string	optional	Player password.
`phone`	string	optional	Player phone number.
`ip`	string	optional	Player IP address.

curl https://api.example.com/create-user \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "user_agent": "0632094194",
    "firstname": "Test",
    "lastname": "01",
    "password": "aa1234",
    "phone": "0632094194",
    "ip": "139.180.143.22"
  }'

{
  "user_agent": "LAG1.0632094194"
}

GET /game/provider

Product list

Return the list of available game providers (products).

curl https://api.example.com/game/provider \
  -H "x-api-key: YOUR_API_KEY"

[
  {
    "provider_name": "PGSoft",
    "display_name": "pg soft",
    "image": "https://img.example.com/providers/pg.jpg"
  },
  {
    "provider_name": "Evolution Gaming",
    "display_name": "evolution gaming",
    "image": "https://img.example.com/providers/evo.jpg"
  }
]

POST /game/list

Game list

Return the games offered by a single provider.

Body parameters

Field	Type		Description
`game_provider`	string	required	`provider_name` from Product list.
`mobile`	boolean	optional	Return the mobile catalogue.

curl https://api.example.com/game/list \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "game_provider": "PGSoft", "mobile": true }'

{
  "is_item": true,
  "items": [
    {
      "game_id": "1513328",
      "game_name": "Super Golf Drive",
      "game_provider": "PGSoft",
      "game_type": "slot",
      "game_image": "https://cdn.example.com/pgsoft/spr-golf-drive.png",
      "is_active": true
    }
  ]
}

POST /game/open-game

Open game

Create a launch URL for a player. Redirect the player to the returned url to start playing.

Body parameters

Field	Type		Description
`user_agent`	string	required	Player handle from Register.
`game_provider`	string	required	`provider_name` of the game.
`game_id`	string	required	`game_id` from Game list. Use `0` for the provider lobby.
`redirect_url`	string	optional	Where to return the player after the game.
`mobile`	boolean	optional	Launch the mobile client.
`ip`	string	optional	Player IP address.

curl https://api.example.com/game/open-game \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "user_agent": "LAG1.0632094194",
    "game_provider": "PGSoft",
    "game_id": "1513328",
    "redirect_url": "https://your-site.com/lobby",
    "mobile": true,
    "ip": "139.180.143.22"
  }'

{
  "is_item": false,
  "url": "https://play.example.com/launch?token=..."
}

POST /bet-history/report/detail-bet

Bet history

Return a detail view for a single bet. The item is a URL that renders the round result.

Body parameters

Field	Type		Description
`bet_id`	string	required	The bet reference received in the Bet callback.

curl https://api.example.com/bet-history/report/detail-bet \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "bet_id": "64aa6ac13b909c3b91986abe" }'

{
  "status": true,
  "item": "https://history.example.com/redirect.html?trace_id=..."
}

Seamless wallet

Overview

In the seamless wallet model you hold the player balance. When a player bets or wins, our platform calls your wallet endpoints in real time and uses your response as the source of truth - no balance transfers are required.

You implement and host the five callback endpoints below under a single base URL (your wallet URL). Every request is signed with HMAC-SHA256 so you can verify it is authentic.

Callback	When we call it
`POST /balance`	To read the player's current balance.
`POST /bet`	To debit a bet amount.
`POST /settle-bet`	To credit a win.
`POST /bet-end`	To finalise a round.
`POST /history`	To deliver a bet record for your reporting.

Idempotency - always de-duplicate on bet_id. The same bet may be delivered more than once; a repeated bet_id must not move the balance twice.

HMAC signature

Every callback body includes an hmac field. Verify it with your shared AGENT_SECRET before trusting the payload.

Remove the hmac field. The remaining fields are your payload.
Sort the payload keys alphabetically (A to Z).
Serialise to a compact JSON string (no extra whitespace).
Compute HMAC-SHA256 of that string with AGENT_SECRET and output hex.
Compare against the received hmac. If equal, the request is authentic.

const crypto = require('crypto');

function verifyCallbackSignature(reqBody, agentSecret) {
  const { hmac, ...payload } = reqBody;
  if (!hmac) return false;

  const sorted = Object.keys(payload).sort()
    .reduce((acc, k) => { acc[k] = payload[k]; return acc; }, {});

  const expected = crypto
    .createHmac('sha256', agentSecret)
    .update(JSON.stringify(sorted))
    .digest('hex');

  return hmac === expected;
}

// app.post('/bet', (req, res) => {
//   if (!verifyCallbackSignature(req.body, AGENT_SECRET))
//     return res.status(401).json({ error: 'invalid signature' });
//   ...
// });

Reject unsigned requests - if the signature is missing or does not match, respond with an error and do not change any balance.

POST{wallet}/balance

Check balance

Return the player's current balance.

{
  "user_agent": "LAG1.0632094194",
  "hmac": "8f2be832..."
}

{
  "balance": 296.59,
  "tmp": 0,
  "fish_remaining": 0,
  "turn_over": 1580.38,
  "game_type": "slot"
}

POST{wallet}/bet

Bet

Debit a bet from the player's balance. Return the resulting balance.

Field	Type	Description
`user_agent`	string	Player handle.
`balance`	number	The bet amount to debit.
`bet_id`	string	Unique bet reference (use for idempotency).
`hmac`	string	Signature - verify before processing.

{
  "user_agent": "LAG1.0632094194",
  "balance": 5,
  "bet_id": "1677950013029748736",
  "hmac": "8f2be832..."
}

{
  "balance": 291.59,
  "tmp": 0,
  "fish_remaining": 0
}

POST{wallet}/settle-bet

Settle bet

Credit a win to the player's balance.

Field	Type	Description
`user_agent`	string	Player handle.
`bet`	number	The original bet amount.
`balance`	number	The win amount to credit.
`bet_id`	string	Unique bet reference.
`hmac`	string	Signature.

{
  "user_agent": "LAG1.0632094194",
  "bet": 5,
  "balance": 20,
  "bet_id": "1677950013029748736",
  "hmac": "8f2be832..."
}

{
  "balance": 311.59,
  "tmp": 0,
  "fish_remaining": 0
}

POST{wallet}/bet-end

Bet end

Finalise a round. Sent with both the bet and win amounts.

Field	Type	Description
`user_agent`	string	Player handle.
`balance`	number	The bet amount.
`win_balance`	number	The win amount.
`bet_id`	string	Unique bet reference.
`hmac`	string	Signature.

{
  "user_agent": "LAG1.0632094194",
  "balance": 5,
  "win_balance": 20,
  "bet_id": "1677950013029748736",
  "hmac": "8f2be832..."
}

POST{wallet}/history

History

Delivered whenever a bet record is created or updated, so you can keep a full copy for reporting and reconciliation. Acknowledge with HTTP 200.

Field	Type	Description
`_id`	string	Bet record id.
`type`	string	`create` or `update`.
`provider`	string	Provider name.
`game`	string	Game name.
`game_id`	string	Game identifier.
`user_agent`	string	Player handle.
`before_balance`	number	Balance before the round.
`after_balance`	number	Balance after the round.
`used_balance`	number	Amount staked.
`receive_balance`	number	Amount returned.
`winlose`	number	Net win (+) or loss (-).
`createdAt`	string	Created timestamp (ISO-8601).
`updatedAt`	string	Updated timestamp (ISO-8601).
`hmac`	string	Signature.

{
  "_id": "66a1c0f2e1b2c3d4e5f60718",
  "type": "update",
  "provider": "PGSoft",
  "game": "Super Golf Drive",
  "game_id": "1513328",
  "user_agent": "LAG1.0632094194",
  "before_balance": 296.59,
  "after_balance": 311.59,
  "used_balance": 5,
  "receive_balance": 20,
  "winlose": 15,
  "createdAt": "2026-06-04T09:30:00.000Z",
  "updatedAt": "2026-06-04T09:30:04.000Z",
  "hmac": "8f2be832..."
}

Reference

Errors

The API uses standard HTTP status codes. Authentication and authorisation failures return a JSON body with an error message.

Status	Meaning	Body
200	Success.	Endpoint payload.
401	Missing or invalid API key.	`{ "error": "Invalid API key" }`
403	IP not allowed, or account not permitted.	`{ "error": "IP not allowed" }`
404	Unknown route.	`{ "error": "Not Found" }`
500	Unexpected server error.	`{ "error": "..." }`

Integration flow

A typical end-to-end integration looks like this:

Register each of your players once with /create-user and store the returned user_agent.
Browse games with /game/provider and /game/list.
Launch a game with /game/open-game and redirect the player to the returned URL.
Settle play as it happens - implement the seamless wallet callbacks so we can read balance, debit bets, and credit wins against your wallet.
Reconcile using the /history feed and /bet-history/report/detail-bet.

Need a key or a base URL? Contact your account manager to receive your API key, base URL, AGENT_SECRET, and to register your wallet URL and IP whitelist.