Spec v1.0
Wallet API Contract
The casino implements these four endpoints. Rocket Rush X calls them during every round to debit bets and credit wins. The casino's wallet is the source of truth — Rocket Rush X never holds player funds.
1. Game Launch URL (signed)
The casino mints a short-lived JWT and redirects the player into the game iframe:
https://rocketrushx.io/embed
?operator=acme
&token=<JWT>
¤cy=USDC
&lang=en
&return_url=https://acme.casino/lobbyJWT payload (HS256, signed with operator's shared secret):
{
"sub": "player_8f3a1c", // casino's player ID
"op": "acme", // operator slug
"cur": "USDC", // ISO/ticker
"bal": 250.00, // initial balance hint
"iat": 1730000000,
"exp": 1730000600, // 10 min TTL
"sid": "session_xyz" // game session ID
}2. POST /wallet/bet — debit a player
POST https://acme.casino/api/rrx/bet
X-RRX-Signature: t=1730000000,v1=<hmac_sha256(secret, t + "." + body)>
X-RRX-Idempotency-Key: bet_round42_player8f3a1c
Content-Type: application/json
{
"session_id": "session_xyz",
"player_id": "player_8f3a1c",
"round_id": "round_42",
"currency": "USDC",
"amount": "5.00",
"rocket": "blue_streak",
"seed_hash": "a3f9...e21c" // committed before round
}
200 OK
{ "txn_id": "tx_998", "balance": "245.00" }
402 Payment Required
{ "error": "INSUFFICIENT_FUNDS" }3. POST /wallet/win — credit a payout
POST https://acme.casino/api/rrx/win
{
"session_id": "session_xyz",
"round_id": "round_42",
"bet_txn_id": "tx_998",
"currency": "USDC",
"amount": "12.50",
"multiplier": 2.50,
"crash_at": 3.87,
"server_seed": "9e4d...", // revealed post-round
"client_seed": "user_input"
}
200 OK
{ "txn_id": "tx_999", "balance": "257.50" }4. POST /wallet/refund — round void / disconnect
POST https://acme.casino/api/rrx/refund
{
"session_id": "session_xyz",
"round_id": "round_42",
"bet_txn_id": "tx_998",
"reason": "ROUND_VOIDED" | "TIMEOUT" | "OPERATOR_REQUEST"
}
200 OK
{ "txn_id": "tx_1000", "balance": "250.00" }5. GET /wallet/balance — pre-bet check
GET https://acme.casino/api/rrx/balance?player_id=player_8f3a1c¤cy=USDC
200 OK
{ "balance": "245.00", "currency": "USDC" }Security requirements
- HMAC-SHA256 over
timestamp + "." + raw_body. Reject if timestamp drift > 60s. - Idempotency key required on all writes. Replays return the original response.
- TLS 1.2+ on every endpoint. IP-allowlist Rocket Rush X egress IPs (published in operator dashboard).
- Amounts as decimal strings, never floats. Currency code per ISO-4217 or ticker.
- Round IDs are globally unique.
bet_txn_idties win/refund back to the original bet.
Error codes
INSUFFICIENT_FUNDS 402 Player balance below bet amount
INVALID_SIGNATURE 401 HMAC mismatch / expired timestamp
DUPLICATE_TXN 409 Idempotency key already used (return original)
SESSION_EXPIRED 401 JWT exp passed; player must relaunch
PLAYER_LOCKED 403 Operator-side self-exclusion / KYC freeze
CURRENCY_NOT_SUPPORTED 400 Player wallet does not support requested currency
INTERNAL 500 Retry with backoff (max 3, exponential)Reference implementations: Node, Go, and PHP sample servers ship with the integration SDK at /integrate. Every round logged is browsable at /operator/rounds.