Operator onboarding
Every licensed casino runs through these eight steps before pointing real players at Neon Vault Heist. Expect 1–3 business days end to end.
This page is maintained by the Neon Vault Heist team as operational guidance. It is not legal advice and not a certification of any operator's compliance posture — you hold the license, we run the game.
operator_id,api_key, and hmac_secret. Store them in your own secret manager — we only keep hashes and cannot recover them. If lost, rotate via POST /api/public/rgs/rotate-api-key.OPERATOR_HMAC_<your-operator-id>. Send the value you want us to sign with to your integration contact, or rotate it yourself — until it is set, /round-start returnsoperator_hmac_not_configured.POST /bet, POST /win, and POST /refund at a single base URL. Each must verify our X-Signature header, apply operator_tx_id idempotency, and return { ok, balance_minor }. See signing docs and webhooks.rtp_target, max_win_multiplier,min_bet_minor, max_bet_minor, and max_daily_loss_minor. These enforce your responsible- gaming posture on our engine.is_sandbox=true. Sandbox traffic hits real endpoints but is excluded from revenue reporting. Complete at least: 1 bet, 1 win cashout, 1 bust, 1 refund, 1 webhook redelivery from the operator dashboard.GET /api/public/rgs/rounds and re-run the verification shown in provably-fair. The recomputed crashPoint must match the settled value bit- for-bit.GET /api/public/rgs/rounds aggregated by operator_player_id. Deviations should be zero (or exactly pending webhook retries).is_sandbox=false and you can point real traffic at /api/public/rgs/launch.Your integration contact runs point during onboarding. For production incidents, use the escalation address on your MSA. Full spec: integration, signing, webhooks, provably-fair.