Skip to content

REST API Endpoints

Complete reference for the Slotty Labs REST API.

Servers

EnvironmentBase URL
Productionhttps://api.slottylabs.com
Staginghttps://staging-api.slottylabs.com
Sandboxhttps://sandbox-api.slottylabs.com

Authentication

All requests must include a Bearer JWT token in the Authorization header:

Authorization: Bearer <api_key_or_session_token>

Additionally, operator API calls require HMAC signature headers:

X-Slotty-Timestamp: <unix seconds>
X-Slotty-Signature: sha256=<HMAC-SHA256>

See Authentication for details.

Rate Limits

By Scope

ScopeLimit
Per API key1,000 req/min
Per player100 req/min
Per IP500 req/min

By Plan Tier

TierAPI Key LimitPlayer LimitBurst
Starter500 req/min50 req/min2× for 10s
Growth1,000 req/min100 req/min3× for 10s
Enterprise5,000 req/min500 req/min5× for 30s

Rate Limit Headers

Every response includes rate limit headers:

HeaderDescription
X-RateLimit-LimitMaximum requests per window
X-RateLimit-RemainingRemaining requests in current window
X-RateLimit-ResetUnix timestamp when the window resets
Retry-AfterSeconds to wait (only on 429 responses)

Endpoints

Health

MethodPathDescription
GET/api/v1/healthPlatform health check

Auth / SSO

MethodPathDescription
POST/api/v1/auth/sso/create-tokenCreate a single-use SSO launch token
POST/api/v1/auth/sso/exchangeExchange launch token for session
POST/api/v1/auth/refreshRefresh an access token
POST/api/v1/auth/logoutInvalidate a session

Games

MethodPathDescription
GET/api/v1/gamesList available games
GET/api/v1/games/:gameIdGet game details
GET/api/v1/games/:gameId/configGet game configuration

Wallet

MethodPathDescription
GET/api/v1/wallet/balanceGet player balance
POST/api/v1/wallet/depositInitiate a deposit
POST/api/v1/wallet/withdrawInitiate a withdrawal
GET/api/v1/wallet/transactionsList transactions
GET/api/v1/wallet/deposit-address/:chainGet deposit address for chain

Sandbox / Testing

MethodPathDescription
POST/api/v1/test/playersCreate a test player
POST/api/v1/test/players/:id/add-balanceAdd test balance
POST/api/v1/test/players/:id/resetReset test player
POST/api/v1/test/force-outcomeForce a game outcome
GET/api/v1/test/healthDetailed health check

Game Launch

MethodPathDescription
GET/launch/:gameIdLaunch game (browser redirect)

Admin

MethodPathDescription
GET/api/v1/admin/tenants/meGet operator profile
PATCH/api/v1/admin/tenants/meUpdate operator settings
GET/api/v1/admin/webhooksList webhook subscriptions
POST/api/v1/admin/webhooksConfigure webhook endpoint
GET/api/v1/admin/webhooks/logsView webhook delivery logs
POST/api/v1/admin/webhooks/replay/:eventIdReplay a webhook event
GET/api/v1/admin/playersList players
GET/api/v1/admin/players/:idGet player details
POST/api/v1/admin/players/:id/suspendSuspend a player
POST/api/v1/admin/players/:id/unsuspendUnsuspend a player
GET/api/v1/admin/roundsList game rounds
GET/api/v1/admin/rounds/:idGet round details
GET/api/v1/admin/audit-logQuery audit events

Response Envelope

All API responses follow a standard envelope format.

Success Response

typescript
interface ApiSuccessResponse<T> {
  success: true;
  data: T;
  meta?: {
    page?: number;
    pageSize?: number;
    total?: number;
    hasMore?: boolean;
  };
  requestId: string;
}

Error Response

typescript
interface ApiErrorResponse {
  success: false;
  error: {
    code: string;       // e.g. "80001"
    message: string;    // Human-readable description
    details?: Record<string, unknown>;
  };
  requestId: string;
}

Example Success

json
{
  "success": true,
  "data": {
    "launchToken": "eyJhbGciOiJIUzI1NiIs...",
    "expiresAt": "2026-01-15T10:30:30.000Z"
  },
  "requestId": "req_abc123def456"
}

Example Error

json
{
  "success": false,
  "error": {
    "code": "80001",
    "message": "Invalid API key",
    "details": {
      "hint": "Ensure you are using the correct environment key (sandbox vs production)"
    }
  },
  "requestId": "req_xyz789ghi012"
}

Idempotency

For financial operations (deposits, withdrawals, bets), include an idempotency key:

Idempotency-Key: <unique-string>
  • Must be a unique string per operation (UUID recommended)
  • Idempotency keys are valid for 24 hours
  • Duplicate requests with the same key return the original response
  • Required for: POST /wallet/deposit, POST /wallet/withdraw
typescript
const response = await fetch('https://api.slottylabs.com/api/v1/wallet/withdraw', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer sk_live_abc123...',
    'Content-Type': 'application/json',
    'Idempotency-Key': crypto.randomUUID(),
    'X-Slotty-Timestamp': timestamp.toString(),
    'X-Slotty-Signature': signature,
  },
  body: JSON.stringify({
    playerId: 'player-123',
    amount: '100.00',
    currency: 'USDT',
    chain: 'ethereum',
    toAddress: '0x1234...',
  }),
});