Casino Onboarding Guide
This is the complete path from "we signed with Slotty Labs" to "our players are spinning real-money games". Most operators complete sandbox integration in 1–3 days.
How onboarding works
Onboarding is a two-sided process:
| Who | Does what |
|---|---|
| Slotty Labs | Creates your tenant, assigns your games & RTP variants, creates your admin panel accounts, issues your sandbox API key and webhook secret |
| You (operator) | Integrate the SDK, embed games, receive webhooks, test in sandbox, then request production access |
You cannot self-register — your account manager provisions everything in Step 0. Everything after that is self-service.
Step 0 — What you receive from us
After your kickoff call, Slotty Labs sends you (via a secure channel):
- Sandbox API key — `sk_sandbox_…` — authenticates your backend.
- Webhook secret — `whsec_…` — signs webhooks we send you, and signs sensitive requests you send us (the SDK does this automatically).
- Admin panel access — your operator dashboard login(s) with MFA setup.
- This documentation.
Keep secrets server-side
The API key and webhook secret must ONLY live on your backend (environment variables / secret manager). Never ship them to a browser or mobile app.
Step 1 — Log in to your operator panel
Your admin panel is where you manage everything about your casino:
- Dashboard — GGR, active players, round volume
- Players — search, detail, notes, limits
- Games — your enabled games and RTP configuration
- Withdrawals — approval queue for player withdrawals
- Reports — on-demand + scheduled financial/game/player reports
- Settings → Webhooks — endpoint URL, event subscriptions, test events, delivery log
- Settings → Branding — white-label colors, logo, company name
Log in, complete MFA enrollment, and confirm your game list matches the contract. See the Operator Dashboard guide.
Step 2 — Install the SDK
```bash
npm install @slottylabs/sdk
```

Node.js 18+ required (the SDK is dependency-free and uses native fetch).

```ts
import { SlottyClient } from '@slottylabs/sdk';

const client = new SlottyClient({
  apiKey: process.env.SLOTTY_API_KEY!, // sk_sandbox_...
  webhookSecret: process.env.SLOTTY_WEBHOOK_SECRET!, // whsec_...
});
```

Your tenant identity is derived from your API key on our servers — there is nothing else to configure.
Not on Node.js? Use the raw REST API with HMAC request signing.
Step 3 — Launch your first game (sandbox)
The launch flow is: your backend creates a short-lived token → your frontend embeds the game iframe with it.
```ts
// Your backend — when a logged-in player clicks a game tile
const { launchToken } = await client.auth.createSSOToken({
  playerId: user.id, // YOUR player identifier — we map it to ours
  currency: 'USD',
  jurisdiction: 'CW',
  locale: 'en',
});

const launchUrl = client.games.getLaunchUrl('slotty-slots', launchToken, {
  lang: 'en',
  lobby: 'https://yourcasino.com/lobby',
});
// → hand launchUrl to your frontend
```

```html
<!-- Your frontend -->
<div style="width:100%;max-width:1200px;aspect-ratio:16/9;">
  <iframe src="{launchUrl}" style="width:100%;height:100%;border:none;"
    allow="autoplay; fullscreen"
    sandbox="allow-scripts allow-same-origin allow-popups allow-forms"></iframe>
</div>
```

Launch tokens are single-use and expire in 30 seconds
Create a token per game launch, at click time. Never cache or reuse them.
Players are created on our side automatically the first time you launch a game for a new playerId (seamless registration) — no separate "create player" call is needed in production. Details: Authentication and Game Embedding.
Step 4 — Set up webhooks
We push events (completed rounds, deposits, withdrawal status, RG events) to your HTTPS endpoint.
- In your operator panel: Settings → Webhooks — set your endpoint URL and choose event subscriptions.
- Verify every delivery:

```ts
import { WebhookVerifier } from '@slottylabs/sdk';

const verifier = new WebhookVerifier(process.env.SLOTTY_WEBHOOK_SECRET!);

app.post('/webhooks/slotty', (req, res) => {
  try {
    const event = verifier.constructEvent(
      req.rawBody, // RAW body string, not parsed JSON
      req.headers['x-slotty-signature'],
      req.headers['x-slotty-timestamp'],
    );
    // Deduplicate by event.id — deliveries are at-least-once
    handle(event);
    res.status(200).json({ received: true });
  } catch {
    res.status(400).json({ error: 'invalid signature' });
  }
});
```

- Click "Send Test Event" in the panel — you should receive and verify a signed `webhook.test` event. The panel shows the delivery result and keeps a log (with replay for failures).
Full event catalog: Webhooks.
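
The handler above leaves the deduplication by event.id to you. The following is an added example, not part of the SDK or of this guide's own code, showing one way to make event handling idempotent under at-least-once delivery. `EventLedger`, `processOnce` and every event field other than `id` are hypothetical, and the in-memory Map stands in for a shared store.

```javascript
// Added example, not SDK code; the Map stands in for a shared store keyed on event.id.
class EventLedger {
  constructor(ttlMs = 24 * 60 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.seen = new Map(); // event.id -> { state, at }
  }
  // Claim an id before doing any work; false means already handled or in flight.
  begin(id, now = Date.now()) {
    for (const [key, rec] of this.seen) {
      if (now - rec.at > this.ttlMs) this.seen.delete(key); // expire old ids
    }
    if (this.seen.has(id)) return false;
    this.seen.set(id, { state: 'in-flight', at: now });
    return true;
  }
  // Forget a failed event so a redelivery or panel replay is processed.
  finish(id, ok, now = Date.now()) {
    if (ok) this.seen.set(id, { state: 'done', at: now });
    else this.seen.delete(id);
  }
}

// Call only after signature verification. Returns the HTTP status to send.
function processOnce(ledger, event, handler, now = Date.now()) {
  if (typeof event.id !== 'string' || event.id === '') return 400;
  if (!ledger.begin(event.id, now)) return 200; // duplicate: ack, no side effects
  try {
    handler(event);
    ledger.finish(event.id, true, now);
    return 200;
  } catch {
    ledger.finish(event.id, false);
    return 500; // non-2xx, assumed here to mark the delivery as failed
  }
}

// Constructed deliveries; every field except id is made up for illustration.
function demo() {
  const ledger = new EventLedger();
  let credited = 0;
  const credit = (e) => { credited += e.data.amountCents; };
  const deliveries = [
    { id: 'evt_1', data: { amountCents: 5000 } },
    { id: 'evt_1', data: { amountCents: 5000 } }, // redelivery of evt_1
    { id: 'evt_2', data: { amountCents: 1200 } },
  ];
  const statuses = deliveries.map((e) => processOnce(ledger, e, credit));
  return { statuses, credited };
}
```

With an asynchronous handler, await it between `begin` and `finish`; in a multi-instance deployment the claim in `begin` has to be an atomic insert in the shared store.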
Step 5 — Test in sandbox
Sandbox lets you create funded test players and even force specific game outcomes:
```ts
await client.test.createPlayer({
  externalId: 'qa-player-1',
  currency: 'USD',
  startingBalance: '1000000', // $10,000.00 (amounts are integer cents)
});

await client.test.forceOutcome({
  playerId: 'qa-player-1',
  gameId: 'slotty-slots',
  outcome: { type: 'slots', reelPositions: [0, 5, 10, 15, 20] },
});
```

Play at least one full round of every game you licensed. Watch the rounds appear in your operator panel (Dashboard / Players / Games). Details: Sandbox Testing.
Step 6 — Operational readiness
Before requesting production access, make sure your team can run the casino:
- Withdrawals: player withdrawal requests land in your panel's Withdrawals queue with funds ledger-locked. Your staff review and approve (funds released to payout) or reject with a reason (funds returned).
- Reports: generate a GGR report (Reports → On-Demand) and set up scheduled delivery to your finance team.
- Responsible gaming: understand limits, reality checks, and exclusions for your jurisdiction — Responsible Gaming.
- Branding: configure your white-label look under Settings → Branding.
- Notifications: the bell in your panel surfaces pending withdrawals, incidents, RTP alerts, and announcements from Slotty Labs.
Step 7 — Go live
Work through the Going to Production checklist, then contact your account manager (or office@slottylabs.com) to request the production review. After approval you receive:
- A production API key (`sk_production_…`) — swap it in via environment variable; no code changes needed.
- Tenant activation — real-money play enabled.