Skip to content

Casino Onboarding Guide

This is the complete path from "we signed with Slotty Labs" to "our players are spinning real-money games". Most operators complete sandbox integration in 1–3 days.

How onboarding works

Onboarding is a two-sided process:

WhoDoes what
Slotty LabsCreates your tenant, assigns your games & RTP variants, creates your admin panel accounts, issues your sandbox API key and webhook secret
You (operator)Integrate the SDK, embed games, receive webhooks, test in sandbox, then request production access

You cannot self-register — your account manager provisions everything in Step 0. Everything after that is self-service.

Step 0 — What you receive from us

After your kickoff call, Slotty Labs sends you (via a secure channel):

  1. Sandbox API keysk_sandbox_… — authenticates your backend.
  2. Webhook secretwhsec_… — signs webhooks we send you, and signs sensitive requests you send us (the SDK does this automatically).
  3. Admin panel access — your operator dashboard login(s) with MFA setup.
  4. This documentation.

Keep secrets server-side

The API key and webhook secret must ONLY live on your backend (environment variables / secret manager). Never ship them to a browser or mobile app.

Step 1 — Log in to your operator panel

Your admin panel is where you manage everything about your casino:

  • Dashboard — GGR, active players, round volume
  • Players — search, detail, notes, limits
  • Games — your enabled games and RTP configuration
  • Withdrawals — approval queue for player withdrawals
  • Reports — on-demand + scheduled financial/game/player reports
  • Settings → Webhooks — endpoint URL, event subscriptions, test events, delivery log
  • Settings → Branding — white-label colors, logo, company name

Log in, complete MFA enrollment, and confirm your game list matches the contract. See the Operator Dashboard guide.

Step 2 — Install the SDK

bash
npm install @slottylabs/sdk

Node.js 18+ required (the SDK is dependency-free and uses native fetch).

typescript
import { SlottyClient } from '@slottylabs/sdk';

const client = new SlottyClient({
  apiKey: process.env.SLOTTY_API_KEY!,          // sk_sandbox_...
  webhookSecret: process.env.SLOTTY_WEBHOOK_SECRET!, // whsec_...
});

Your tenant identity is derived from your API key on our servers — there is nothing else to configure.

Not on Node.js? Use the raw REST API with HMAC request signing.

Step 3 — Launch your first game (sandbox)

The launch flow is: your backend creates a short-lived token → your frontend embeds the game iframe with it.

typescript
// Your backend — when a logged-in player clicks a game tile
const { launchToken } = await client.auth.createSSOToken({
  playerId: user.id,          // YOUR player identifier — we map it to ours
  currency: 'USD',
  jurisdiction: 'CW',
  locale: 'en',
});

const launchUrl = client.games.getLaunchUrl('slotty-slots', launchToken, {
  lang: 'en',
  lobby: 'https://yourcasino.com/lobby',
});
// → hand launchUrl to your frontend
html
<!-- Your frontend -->
<div style="width:100%;max-width:1200px;aspect-ratio:16/9;">
  <iframe src="{launchUrl}" style="width:100%;height:100%;border:none;"
          allow="autoplay; fullscreen"
          sandbox="allow-scripts allow-same-origin allow-popups allow-forms"></iframe>
</div>

Launch tokens are single-use and expire in 30 seconds

Create a token per game launch, at click time. Never cache or reuse them.

Players are created on our side automatically the first time you launch a game for a new playerId (seamless registration) — no separate "create player" call is needed in production. Details: Authentication and Game Embedding.

Step 4 — Set up webhooks

We push events (completed rounds, deposits, withdrawal status, RG events) to your HTTPS endpoint.

  1. In your operator panel: Settings → Webhooks — set your endpoint URL and choose event subscriptions.
  2. Verify every delivery:
typescript
import { WebhookVerifier } from '@slottylabs/sdk';

const verifier = new WebhookVerifier(process.env.SLOTTY_WEBHOOK_SECRET!);

app.post('/webhooks/slotty', (req, res) => {
  try {
    const event = verifier.constructEvent(
      req.rawBody,                          // RAW body string, not parsed JSON
      req.headers['x-slotty-signature'],
      req.headers['x-slotty-timestamp'],
    );
    // Deduplicate by event.id — deliveries are at-least-once
    handle(event);
    res.status(200).json({ received: true });
  } catch {
    res.status(400).json({ error: 'invalid signature' });
  }
});
  1. Click "Send Test Event" in the panel — you should receive and verify a signed webhook.test event. The panel shows the delivery result and keeps a log (with replay for failures).

Full event catalog: Webhooks.

Step 5 — Test in sandbox

Sandbox lets you create funded test players and even force specific game outcomes:

typescript
await client.test.createPlayer({
  externalId: 'qa-player-1',
  currency: 'USD',
  startingBalance: '1000000',   // $10,000.00 (amounts are integer cents)
});

await client.test.forceOutcome({
  playerId: 'qa-player-1',
  gameId: 'slotty-slots',
  outcome: { type: 'slots', reelPositions: [0, 5, 10, 15, 20] },
});

Play at least one full round of every game you licensed. Watch the rounds appear in your operator panel (Dashboard / Players / Games). Details: Sandbox Testing.

Step 6 — Operational readiness

Before requesting production access, make sure your team can run the casino:

  • Withdrawals: player withdrawal requests land in your panel's Withdrawals queue with funds ledger-locked. Your staff review and approve (funds released to payout) or reject with a reason (funds returned).
  • Reports: generate a GGR report (Reports → On-Demand) and set up scheduled delivery to your finance team.
  • Responsible gaming: understand limits, reality checks, and exclusions for your jurisdiction — Responsible Gaming.
  • Branding: configure your white-label look under Settings → Branding.
  • Notifications: the bell in your panel surfaces pending withdrawals, incidents, RTP alerts, and announcements from Slotty Labs.

Step 7 — Go live

Work through the Going to Production checklist, then contact your account manager (or office@slottylabs.com) to request the production review. After approval you receive:

  • A production API key (sk_production_…) — swap it in via environment variable; no code changes needed.
  • Tenant activation — real-money play enabled.

Support