Integration quickstart
Integration quickstart
An operator integrates in both directions:
The Sample Integrator in the Wuzzlo source repository is a reference operator. It demonstrates the protocol, but its demo users, administrative routes, configuration, and local conveniences are not production requirements.
End-to-end flow
Exchange onboarding information
Send Wuzzlo your operator name, wallet base URLs, currency, RSA public key, callback paths, allowed source IPs, and funded staging test user. Wuzzlo returns an operatorId, staging and production API URLs, and the Wuzzlo public key.
Expose the operator APIs
Implement POST /auth/login, POST /balance, POST /betrequest, POST /resultrequest, and POST /rollbackrequest on an HTTPS service reachable by Wuzzlo.
Implement signing
Sign operator-to-Wuzzlo requests with the operator private key. Verify Wuzzlo-to-operator wallet callbacks with the Wuzzlo public key. Use RSA-SHA256 with PKCS#1 v1.5 padding over the exact UTF-8 request body.
Environments
Keep environment credentials and keys separate. Never use staging keys, wallet URLs, test users, or operator IDs in production unless Wuzzlo explicitly assigned the same value.
Launch example
Serialize the body once, sign those exact bytes, and send the same bytes:
A successful response has body status 0 and includes gameUrl and expiresAtUtc. Treat HTTP status and body status as separate values.
Load the game in an iframe
After the operator backend creates the session, the operator frontend must set the returned gameUrl as the iframe src. Do not construct or modify this URL because it contains the Wuzzlo launch route and session information.
In an application, assign the URL returned by your backend rather than placing a session URL in source code:
The operator backend—not browser JavaScript—must call Wuzzlo and create the signature. The browser receives only the short-lived gameUrl. Create a fresh session when the URL expires, remove the iframe when the player closes the game, and make the container responsive for desktop and mobile layouts.
Treat gameUrl as sensitive session data. Do not persist it in analytics, browser logs, referrer-bearing links, or shared caches. Only embed URLs returned by the trusted operator backend.
Never generate signatures in browser code. The operator private key must remain in a protected server-side secret store.
Production readiness checklist
- All wallet mutations are atomic and use decimal-safe arithmetic.
reqIdandtransactionIdrecords survive restarts and deployments.- The operator verifies every signed callback before accessing or changing a wallet.
- The service returns the exact documented business status for every scenario.
- Timeouts and ambiguous results are reconciled instead of blindly repeated with new identifiers.
- Logs correlate
operatorId,userId,reqId,transactionId,roundId, andgameIdwithout recording private keys or session tokens.