This document covers the public REST API and WebSocket events available in Online Casino Script v1.0.0.
Interactive docs are available at http://your-domain/api/docs on any running instance (Swagger UI).
Full OpenAPI 3.0 spec: development/online-casino-script/docs/api/openapi.json
Table of Contents
- Base URL and versioning
- Authentication
- Rate limiting
- Error format
- Player API endpoints
- Admin API endpoints
- WebSocket events (Reverb)
- Payment webhooks
- Importing into Postman / Insomnia
1. Base URL and versioning
| Environment |
Base URL |
| Player API |
https://example.com/api |
| Admin API |
https://example.com/admin/api |
| WebSocket |
wss://example.com/app/{REVERB_APP_KEY} |
API version: 1.0.0 — no version prefix in the URL path.
2. Authentication
Player authentication
POST /api/auth/login
Content-Type: application/json
{ "email": "player@example.com", "password": "secret" }
→ 200
{
"access_token": "eyJ...",
"refresh_token": "eyJ...",
"token_type": "bearer",
"expires_in": 900,
"user": { ... }
}
Use the access_token in subsequent requests:
Authorization: Bearer <access_token>
Token lifetimes:
- Access token: 15 minutes
- Refresh token: 30 days
Refreshing:
POST /api/auth/refresh
Authorization: Bearer <expired_access_token>
→ 200 { "access_token": "eyJ...", "expires_in": 900 }
Admin authentication
Admin endpoints require both a Bearer token and a valid TOTP 2FA code on every request.
POST /admin/api/auth/login
Content-Type: application/json
{ "email": "admin@casino.com", "password": "secret" }
→ 200
{
"access_token": "eyJ...",
"requires_2fa": true
}
All subsequent admin API requests require two headers:
Authorization: Bearer <admin_access_token>
X-2FA-Code: <current_totp_code>
3. Rate limiting
| Endpoint group |
Limit |
| Login (player + admin) |
5 requests / minute / IP |
| Password reset |
5 requests / minute / IP |
| Player game play |
60 requests / minute / user |
| Wallet writes (deposit/withdraw) |
10 requests / minute / user |
| General API |
120 requests / minute / user |
Exceeded limits return 429 Too Many Requests with a Retry-After header in seconds.
All errors return a consistent JSON structure:
{
"message": "Human-readable error description",
"errors": {
"field_name": ["Validation error details"]
}
}
| HTTP status |
Meaning |
400 |
Bad request / invalid input |
401 |
Unauthenticated — missing or expired token |
403 |
Unauthorized — authenticated but insufficient permissions |
404 |
Resource not found |
422 |
Validation failed — errors object contains field-level detail |
429 |
Rate limit exceeded |
500 |
Internal server error — check storage/logs/laravel.log |
5. Player API endpoints
Authentication
| Method |
Endpoint |
Description |
POST |
/api/auth/register |
Register a new player account |
POST |
/api/auth/login |
Player login → returns JWT |
POST |
/api/auth/logout |
Invalidate the current token |
POST |
/api/auth/refresh |
Refresh an expired access token |
GET |
/api/auth/me |
Get the authenticated player’s profile |
POST |
/api/auth/verify-email |
Verify email with code |
POST |
/api/auth/resend-verification |
Resend email verification code |
POST |
/api/auth/forgot-password |
Request a password reset email |
POST |
/api/auth/reset-password |
Reset password with token |
POST |
/api/auth/2fa/enable |
Enable 2FA (step 1 — returns QR code) |
POST |
/api/auth/2fa/confirm |
Confirm and activate 2FA (step 2) |
POST |
/api/auth/2fa/disable |
Disable 2FA |
GET |
/api/auth/2fa/backup-codes |
Regenerate 2FA backup codes |
Game Lobby
| Method |
Endpoint |
Description |
GET |
/api/games |
List all available games |
GET |
/api/games/{slug} |
Get details for a specific game |
Instant Games (single-request play)
Includes: Dice, Plinko, Keno, Limbo, and all Slot titles.
| Method |
Endpoint |
Description |
POST |
/api/games/{slug}/play |
Place a bet and receive result in one request |
Request body:
{
"amount": "10.00",
"options": { }
}
The options object is game-specific (e.g., for Dice: { "target": 50, "direction": "over" }; for Keno: { "picks": [3, 7, 14, 22] }).
Response:
{
"round_id": "01JNABCDEFGHIJKL",
"outcome": { },
"payout": "19.50",
"balance": "109.50",
"provably_fair": {
"client_seed": "abc123",
"server_seed_hash": "sha256hash",
"nonce": 42
}
}
Stateful Games (multi-step play)
Blackjack
| Method |
Endpoint |
Description |
POST |
/api/games/blackjack/deal |
Place bet and deal initial hand |
POST |
/api/games/blackjack/action |
Apply action: hit, stand, double, split, surrender |
GET |
/api/games/blackjack/state |
Get current round state |
Crash
| Method |
Endpoint |
Description |
GET |
/api/games/crash/state |
Get current round state (betting or in-progress) |
POST |
/api/games/crash/bet |
Place a bet during the betting phase |
POST |
/api/games/crash/cashout |
Cash out at the current multiplier |
GET |
/api/games/crash/history |
Recent crash round history |
Mines
| Method |
Endpoint |
Description |
POST |
/api/games/mines/start |
Start a new Mines game (place bet, set mine count) |
POST |
/api/games/mines/reveal |
Reveal a tile |
POST |
/api/games/mines/cashout |
Cash out the current multiplier |
GET |
/api/games/mines/state |
Get current game state |
HiLo
| Method |
Endpoint |
Description |
POST |
/api/games/hilo/start |
Start a new HiLo game |
POST |
/api/games/hilo/guess |
Make a guess: higher or lower |
POST |
/api/games/hilo/cashout |
Cash out current winnings |
GET |
/api/games/hilo/state |
Get current game state |
Video Poker
| Method |
Endpoint |
Description |
POST |
/api/games/video-poker/deal |
Deal initial 5-card hand |
POST |
/api/games/video-poker/draw |
Hold cards and draw replacements to complete the round |
POST |
/api/games/video-poker/gamble |
Double-up sub-game (higher/lower) |
GET |
/api/games/video-poker/state |
Get current round state |
Wallet and Payments
| Method |
Endpoint |
Description |
GET |
/api/wallet/balances |
Get player’s current wallet balance |
GET |
/api/wallet/transactions |
Paginated transaction history |
GET |
/api/wallet/payment-methods |
List available deposit/withdrawal methods |
POST |
/api/wallet/deposit |
Initiate a deposit (returns payment URL or instructions) |
POST |
/api/wallet/withdraw |
Request a withdrawal |
POST |
/api/wallet/withdraw/cancel |
Cancel a pending withdrawal request |
GET |
/api/wallet/sepa-mandates |
List SEPA direct debit mandates |
POST |
/api/wallet/sepa-mandates/{id}/revoke |
Revoke a SEPA mandate |
Monetary values are always returned as decimal strings (e.g., "100.50000000"). Submit amounts as decimal strings too (e.g., "10.00").
Bonuses
| Method |
Endpoint |
Description |
GET |
/api/bonuses |
List bonuses eligible to claim |
GET |
/api/bonuses/active |
List the player’s active bonuses |
GET |
/api/bonuses/history |
Bonus claim history |
POST |
/api/bonuses/{id}/claim |
Claim a bonus |
POST |
/api/bonuses/{id}/forfeit |
Forfeit (cancel) an active bonus |
POST |
/api/bonuses/redeem-code |
Redeem a promo code |
VIP and Loyalty
| Method |
Endpoint |
Description |
GET |
/api/vip/status |
Current VIP tier and progress |
GET |
/api/vip/tiers |
List all VIP tier thresholds and benefits |
GET |
/api/shop/points-balance |
Current spendable points balance |
GET |
/api/shop/points-history |
Points transaction history |
GET |
/api/shop/rewards |
Browse the rewards catalog |
GET |
/api/shop/categories |
Reward categories |
POST |
/api/shop/redeem |
Redeem a reward item with points |
GET |
/api/shop/redemptions |
Redemption history |
GET |
/api/leaderboard |
Platform leaderboard |
Player Profile
| Method |
Endpoint |
Description |
PUT |
/api/profile |
Update profile (username, avatar, etc.) |
PUT |
/api/profile/password |
Change password |
PATCH |
/api/user/locale |
Update preferred locale/language |
GET |
/api/session/stats |
Current session stats (duration, wagered, won) |
Provably Fair
| Method |
Endpoint |
Description |
GET |
/api/provably-fair/active |
Get the active server seed hash and client seed |
POST |
/api/provably-fair/client-seed |
Set a new client seed |
POST |
/api/provably-fair/rotate |
Rotate the seed pair (reveals current server seed) |
GET |
/api/provably-fair/history |
Past seed pairs (with revealed server seeds) |
GET |
/api/provably-fair/verify/{roundId} |
Verify an individual game round’s outcome |
All instant games and stateful games use the provably fair system. Every game round response includes the client_seed, server_seed_hash, and nonce needed to verify the outcome independently.
KYC
| Method |
Endpoint |
Description |
GET |
/api/kyc/status |
Current KYC verification status |
POST |
/api/kyc/initiate |
Start the KYC flow (returns redirect URL for provider, or upload instructions for manual) |
Responsible Gaming
| Method |
Endpoint |
Description |
GET |
/api/profile/deposit-limits |
View current deposit limits |
POST |
/api/profile/deposit-limits |
Set a deposit limit (daily / weekly / monthly) |
DELETE |
/api/profile/deposit-limits/{period} |
Remove a deposit limit |
GET |
/api/player/loss-limits |
View current loss limits |
POST |
/api/player/loss-limits |
Set a loss limit |
DELETE |
/api/player/loss-limits/{period} |
Remove a loss limit |
GET |
/api/player/wager-limits |
View current wager limits |
POST |
/api/player/wager-limits |
Set a wager limit |
DELETE |
/api/player/wager-limits/{period} |
Remove a wager limit |
GET |
/api/profile/self-exclusion |
Get self-exclusion status |
POST |
/api/profile/self-exclusion |
Self-exclude (specify duration in days) |
GET |
/api/profile/self-exclusion/history |
Self-exclusion history |
Notifications
| Method |
Endpoint |
Description |
GET |
/api/notifications |
List in-app notifications (paginated) |
GET |
/api/notifications/unread-count |
Get count of unread notifications |
POST |
/api/notifications/{id}/read |
Mark a notification as read |
POST |
/api/notifications/read-all |
Mark all notifications as read |
Affiliates
| Method |
Endpoint |
Description |
GET |
/api/affiliates/stats |
Affiliate summary stats |
GET |
/api/affiliates/referrals |
List referred players |
GET |
/api/affiliates/commissions |
Commission history |
System
| Method |
Endpoint |
Description |
GET |
/api/health |
Platform health check — returns status of database, Redis, Horizon |
6. Admin API endpoints
All admin endpoints are under /admin/api/ and require both a Bearer token and X-2FA-Code header.
Admin Authentication
| Method |
Endpoint |
Description |
POST |
/admin/api/auth/login |
Admin login |
POST |
/admin/api/auth/logout |
Admin logout |
POST |
/admin/api/auth/refresh |
Refresh admin JWT |
GET |
/admin/api/auth/me |
Get authenticated admin profile |
Dashboard
| Method |
Endpoint |
Description |
GET |
/admin/api/dashboard/stats |
KPI cards (players, GGR, deposits, pending items) |
GET |
/admin/api/dashboard/recent-activity |
Real-time activity feed |
GET |
/admin/api/dashboard/charts |
Historical chart data (DAU, revenue, deposits) |
Players
| Method |
Endpoint |
Description |
GET |
/admin/api/players |
List players (filterable) |
GET |
/admin/api/players/{id} |
Player detail |
POST |
/admin/api/players/{id}/suspend |
Suspend player |
POST |
/admin/api/players/{id}/unsuspend |
Unsuspend player |
POST |
/admin/api/players/{id}/ban |
Permanently ban player |
POST |
/admin/api/players/{id}/force-logout |
Invalidate all player sessions |
POST |
/admin/api/players/{id}/reset-password |
Send password reset email |
GET |
/admin/api/players/{id}/transactions |
Player transaction history |
GET |
/admin/api/players/{id}/game-rounds |
Player game round history |
GET |
/admin/api/players/{id}/bonuses |
Player bonus history |
GET |
/admin/api/players/{id}/notes |
Internal admin notes |
POST |
/admin/api/players/{id}/notes |
Add internal note |
DELETE |
/admin/api/players/{id}/notes/{noteId} |
Delete note |
GET |
/admin/api/players/{id}/points-history |
Loyalty points history |
Finance
| Method |
Endpoint |
Description |
GET |
/admin/api/transactions |
All transactions (filterable) |
GET |
/admin/api/finance/summary |
Aggregated financial KPIs |
GET |
/admin/api/finance/export |
Export transactions to CSV |
POST |
/admin/api/wallet/{userId}/credit |
Credit player wallet |
POST |
/admin/api/wallet/{userId}/debit |
Debit player wallet |
GET |
/admin/api/withdrawals |
Withdrawal approval queue |
GET |
/admin/api/withdrawals/{id} |
Withdrawal detail |
POST |
/admin/api/withdrawals/{id}/approve |
Approve a withdrawal |
POST |
/admin/api/withdrawals/{id}/reject |
Reject a withdrawal (with reason) |
POST |
/admin/api/withdrawals/batch-approve |
Batch approve withdrawals |
Game Management
| Method |
Endpoint |
Description |
POST |
/admin/api/games/{game}/toggle |
Enable or disable a game |
PUT |
/admin/api/games/{game}/order |
Set display order |
PUT |
/admin/api/games/{game}/category |
Assign game category |
PUT |
/admin/api/games/{game}/metadata |
Update title, RTP, description |
GET/POST |
/admin/api/games/{slug}/config |
Get or update game configuration (per-game endpoint) |
GET/POST/PUT/DELETE |
/admin/api/games/slots/titles/* |
Full CRUD for slot titles |
POST |
/admin/api/games/slots/titles/{id}/clone |
Clone a slot configuration |
GET |
/admin/api/games/slots/titles/{id}/preview |
Preview a test spin |
Bonuses
| Method |
Endpoint |
Description |
GET |
/admin/api/bonuses |
List bonus campaigns |
POST |
/admin/api/bonuses |
Create a bonus campaign |
PUT |
/admin/api/bonuses/{id} |
Update a campaign |
DELETE |
/admin/api/bonuses/{id} |
Delete a campaign |
POST |
/admin/api/bonuses/{id}/clone |
Clone a campaign |
POST |
/admin/api/bonuses/award |
Manually award a bonus to one or more players |
GET |
/admin/api/bonuses/reports |
Bonus cost and conversion report |
Compliance and KYC
| Method |
Endpoint |
Description |
GET |
/admin/api/kyc/dashboard |
KYC pipeline metrics |
GET |
/admin/api/kyc/pending |
Players pending KYC review |
GET |
/admin/api/kyc/{userId}/documents |
Player KYC documents |
GET |
/admin/api/kyc/documents/{id}/download |
Download a document file |
POST |
/admin/api/kyc/{userId}/approve |
Approve KYC |
POST |
/admin/api/kyc/{userId}/reject |
Reject KYC (with reason) |
GET |
/admin/api/aml-alerts |
AML alert queue |
POST |
/admin/api/aml-alerts/{id}/review |
Review alert: clear, escalate, or freeze |
GET |
/admin/api/jurisdiction-rules |
List jurisdiction rules |
POST |
/admin/api/jurisdiction-rules |
Create jurisdiction rule |
PUT |
/admin/api/jurisdiction-rules/{id} |
Update rule |
DELETE |
/admin/api/jurisdiction-rules/{id} |
Delete rule |
Settings
| Method |
Endpoint |
Description |
GET |
/admin/api/settings |
Get all site settings |
PUT |
/admin/api/settings |
Bulk update settings |
POST |
/admin/api/settings/test-email |
Send a test email |
GET |
/admin/api/vpn-detection-logs |
Last 50 VPN detection events |
Roles and Permissions (RBAC)
| Method |
Endpoint |
Description |
GET |
/admin/api/admin-users |
List admin users |
POST |
/admin/api/admin-users |
Create admin user |
PUT |
/admin/api/admin-users/{id} |
Update admin user |
DELETE |
/admin/api/admin-users/{id} |
Deactivate admin user |
GET |
/admin/api/roles |
List roles and permissions |
POST |
/admin/api/roles |
Create custom role |
PUT |
/admin/api/roles/{id} |
Update role permissions |
DELETE |
/admin/api/roles/{id} |
Delete role |
Audit Logs
| Method |
Endpoint |
Description |
GET |
/admin/api/audit-logs |
List audit log entries (filterable) |
GET |
/admin/api/audit-logs/export |
Export audit log to CSV |
7. WebSocket events (Reverb)
Online Casino Script uses Laravel Reverb for real-time events. Connect to the WebSocket server using Pusher-compatible clients.
Connection:
wss://example.com/app/{REVERB_APP_KEY}
Public channels
| Channel |
Event |
Payload description |
crash |
RoundStarted |
{ round_id, hash } — new round betting phase begins |
crash |
Tick |
{ multiplier, elapsed_ms } — current multiplier during flight |
crash |
RoundCrashed |
{ crash_multiplier, server_seed } — round ended |
leaderboard |
LeaderboardUpdated |
Top player list updated |
Private channels (require authenticated player)
Authenticate: send POST /api/broadcasting/auth with your Bearer token.
| Channel |
Event |
Payload description |
private-player.{id} |
BalanceUpdated |
{ balance } — wallet balance changed |
private-player.{id} |
WithdrawalStatusChanged |
{ withdrawal_id, status } |
private-player.{id} |
BonusAwarded |
{ bonus_id, type, amount } |
private-player.{id} |
Notification |
{ id, title, body, type } |
private-player.{id} |
KycStatusChanged |
{ status } — KYC approved or rejected |
private-crash.{id} |
BetPlaced |
{ user_id, amount } — player placed a crash bet |
private-crash.{id} |
CashedOut |
{ user_id, multiplier, payout } |
8. Payment webhooks
Payment providers send webhook notifications to:
POST /api/webhooks/payment/{provider}
Where {provider} is the provider slug (e.g., stripe, coinbase, paypal, mollie).
Webhook security: Each webhook request is verified using the provider’s signing secret (configured in .env). Requests with invalid signatures are rejected with 403.
Configure your payment provider’s webhook URL to point to https://example.com/api/webhooks/payment/{provider} and set the corresponding *_WEBHOOK_SECRET variable in .env.
9. Importing into Postman / Insomnia
Postman
- Open Postman → Import
- Select File and choose
development/online-casino-script/docs/api/openapi.json
- A complete collection is created with all endpoints pre-configured
- Set the collection variable
baseUrl to your server URL
- Set
Authorization: Bearer <token> in the collection-level auth settings
The Postman environment file at docs/api/OnlineCasinoScript.postman_environment.json contains pre-set variables for local development.
Insomnia
- Open Insomnia → File → Import
- Choose
development/online-casino-script/docs/api/openapi.json
- All endpoints will be imported with request bodies and parameters
Interactive Swagger UI
Start your local dev environment and visit:
http://localhost/api/docs
The Swagger UI provides live “Try it out” functionality for all endpoints against your running instance.