Operator onboarding

Go-live checklist

Every licensed casino runs through these eight steps before pointing real players at Neon Vault Heist. Expect 1–3 business days end to end.

This page is maintained by the Neon Vault Heist team as operational guidance. It is not legal advice and not a certification of any operator's compliance posture — you hold the license, we run the game.

  1. 01

    Receive your credentials

    After signing, you get three values once: operator_id,api_key, and hmac_secret. Store them in your own secret manager — we only keep hashes and cannot recover them. If lost, rotate via POST /api/public/rgs/rotate-api-key.
  2. 02

    Configure your HMAC secret on our side

    Our server signs every wallet callback to you using a per-operator secret named OPERATOR_HMAC_<your-operator-id>. Send the value you want us to sign with to your integration contact, or rotate it yourself — until it is set, /round-start returnsoperator_hmac_not_configured.
  3. 03

    Stand up your wallet callback endpoints

    Expose POST /bet, POST /win, and POST /refund at a single base URL. Each must verify our X-Signature header, apply operator_tx_id idempotency, and return { ok, balance_minor }. See signing docs and webhooks.
  4. 04

    Set your operator config

    Confirm rtp_target, max_win_multiplier,min_bet_minor, max_bet_minor, and max_daily_loss_minor. These enforce your responsible- gaming posture on our engine.
  5. 05

    Run the sandbox flow

    Ask us to flip your account to is_sandbox=true. Sandbox traffic hits real endpoints but is excluded from revenue reporting. Complete at least: 1 bet, 1 win cashout, 1 bust, 1 refund, 1 webhook redelivery from the operator dashboard.
  6. 06

    Verify provably-fair

    Pull one settled round via GET /api/public/rgs/rounds and re-run the verification shown in provably-fair. The recomputed crashPoint must match the settled value bit- for-bit.
  7. 07

    Reconcile wallet ledger

    Compare your wallet's daily net movement against GET /api/public/rgs/rounds aggregated by operator_player_id. Deviations should be zero (or exactly pending webhook retries).
  8. 08

    Go-live sign-off

    Confirm in writing: (1) sandbox flow is green, (2) your compliance team has cleared jurisdiction, (3) your incident-response contact is on file. We flip is_sandbox=false and you can point real traffic at /api/public/rgs/launch.

Need help?

Your integration contact runs point during onboarding. For production incidents, use the escalation address on your MSA. Full spec: integration, signing, webhooks, provably-fair.