Integration spec · v1

Neon Vault Heist RGS

B2B casino integration. Server-authoritative rounds, provably-fair outcomes, HMAC-signed wallet callbacks. You hold the license and the player wallet; we run the game and take a 15% GGR share by default.

1. What you provide

  • A wallet callback base URL (must expose /bet, /win, /refund)
  • Your gaming license & jurisdictional coverage
  • KYC/AML, geo-blocking, and responsible-gambling controls on your side
  • Public IPs you'll call our API from (optional allow-list)

2. What we provide

  • operator_id (UUID), api_key, and hmac_secret — shown once at provisioning
  • Per-operator config: rtp_target (default 96%), max_win_multiplier (default 2000×), allowed_currencies
  • REST API for launching sessions, verifying rounds, and pulling revenue
  • Provably-fair server seeds — sha256(server_seed) published pre-round, revealed post-settle

3. Auth

Every inbound call to /api/public/rgs/* requires four headers:

X-Operator-Id: <uuid>
X-Operator-Key: <api_key>
X-Operator-Hmac: <hmac_secret>
X-Timestamp: <unix seconds>
X-Signature: HMAC_SHA256(hmac_secret, "<ts>.<METHOD>.<path>.<sha256(rawBody)>")

Timestamp tolerance ±5 minutes. Signature comparison is timing-safe. We sign our outbound wallet calls back to you with the same scheme.

4. Launch a player session

POST /api/public/rgs/launch
{
  "operator_player_id": "player-42",
  "currency": "USD",
  "balance_minor": 500000,          // $5,000.00
  "ttl_seconds": 3600
}

→ 200
{
  "ok": true,
  "session_id": "…",
  "launch_url": "https://<host>/play?session=<opaque>",
  "expires_at": "2026-07-03T21:00:00Z"
}

Embed launch_url in an iframe.

5. Wallet callbacks (we call you)

When the player bets or cashes out, we call your wallet API. All requests are HMAC-signed with the same scheme as above.

POST <wallet_callback_url>/bet
{
  "operator_tx_id": "bet-<round_id>",   // idempotency key
  "operator_player_id": "player-42",
  "session_id": "…",
  "round_id": "…",
  "currency": "USD",
  "amount_minor": 10000                 // $100.00
}
→ { "ok": true, "balance_minor": 490000 }

POST <wallet_callback_url>/win
{ …, "amount_minor": 25000, "multiplier": 2.5 }
→ { "ok": true, "balance_minor": 515000 }

POST <wallet_callback_url>/refund
{ …, "amount_minor": 10000 }
→ { "ok": true, "balance_minor": 500000 }

Idempotency is enforced on our side by operator_tx_id; enforce it on yours too. If /bet returns non-200, we void the round and no bet is recorded.
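Operator-side handling of a signed /bet callback, combining the signature scheme from section 3 with the idempotency rule above. This is an added example, not code from the studio; the hex encoding of the body hash and signature, the /wallet/bet path, the in-memory Ledger class, and all sample values are assumptions.

```python
import hashlib
import hmac
import time

TOLERANCE_S = 300  # spec: timestamp tolerance of +/- 5 minutes

def sign(secret: bytes, ts: int, method: str, path: str, raw_body: bytes) -> str:
    # Spec string "<ts>.<METHOD>.<path>.<sha256(rawBody)>"; hex encoding is an assumption.
    body_hash = hashlib.sha256(raw_body).hexdigest()
    msg = f"{ts}.{method.upper()}.{path}.{body_hash}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, headers, method, path, raw_body, now=None):
    """Check a callback against the raw request bytes, before any JSON parsing."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return "bad timestamp"
    if abs(now - ts) > TOLERANCE_S:
        return "stale timestamp"
    expected = sign(secret, ts, method, path, raw_body)
    supplied = headers.get("X-Signature", "")
    # Timing-safe comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad signature"
    return "ok"

class Ledger:
    """In-memory idempotency store keyed by operator_tx_id (use a durable one in production)."""
    def __init__(self, balance_minor: int):
        self.balance_minor = balance_minor
        self.seen = {}

    def bet(self, tx_id: str, amount_minor: int) -> dict:
        if tx_id not in self.seen:  # first delivery: debit once and remember the reply
            self.balance_minor -= amount_minor
            self.seen[tx_id] = {"ok": True, "balance_minor": self.balance_minor}
        return self.seen[tx_id]     # retry: same reply, no second debit

# Constructed sample values, not real credentials or traffic.
SECRET = b"constructed-demo-secret"
BODY = b'{"operator_tx_id":"bet-r1","operator_player_id":"player-42","amount_minor":10000}'
NOW = 1_780_000_000
HEADERS = {"X-Timestamp": str(NOW), "X-Signature": sign(SECRET, NOW, "POST", "/wallet/bet", BODY)}

if __name__ == "__main__":
    ledger = Ledger(500000)
    print(verify(SECRET, HEADERS, "POST", "/wallet/bet", BODY, now=NOW), ledger.bet("bet-r1", 10000), ledger.bet("bet-r1", 10000))
```

Verify the signature over the exact bytes received; re-serializing parsed JSON can change whitespace or key order and break the body hash.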

6. Provably-fair verification

Every round exposes:

GET /api/public/rgs/round/<round_id>
→ {
  "server_seed": "…",           // revealed only after settle/refund
  "server_seed_hash": "…",      // published pre-round
  "client_seed": "…",
  "nonce": 3,
  "outcome": { "crashPoint": 4.87, "mapSeed": "…", "lootSeed": "…", "guardSeed": "…" },
  "realized_multiplier": 2.50,
  "payout_minor": 25000
}

Verify by computing sha256(server_seed) and confirming it matches server_seed_hash, then replaying HMAC_SHA256(server_seed, "<client_seed>:<nonce>:crash") to reproduce the crash point.

7. Revenue reporting

GET /api/public/rgs/revenue?from=2026-07-01&to=2026-07-31
→ {
  "ok": true,
  "days": [
    {
      "period_day": "2026-07-01",
      "currency": "USD",
      "ggr_minor": 148000,
      "house_share_minor": 22200,      // your 15% goes to the house
      "operator_share_minor": 125800,
      "rounds": 342
    }, …
  ]
}

8. What's out of scope

  • Certification (GLI, iTech Labs, BMM) — this is the technical baseline; certification is a separate lab engagement
  • KYC/AML, geo-blocking, self-exclusion, deposit/loss limits — handled by you as the licensed operator
  • Player-facing payments — we never touch player funds

Contact the studio for provisioning. Bootstrap keys, rev-share overrides, and allow-lists are set per-operator.