Launcher API
The /gamelauncher/* endpoints we expose
These are the endpoints we expose. Aggregators and direct integrators both call the same surface. Authentication is HTTP Basic Auth on all endpoints.
POST /gamelauncher/play
Create a session and return a launch URL.
Request
{
"operator": "casino_abc",
"mode": "REAL",
"gamecode": "BINGO25",
"currency": "EUR",
"language": "en",
"externalsessionid": "sess_xyz_789",
"playerid": "player_42",
"brand": "brand_1",
"channel": "web",
"country": "MT",
"ipaddress": "203.0.113.10",
"testaccount": false
}mode: "DEMO" uses the same shape — currency is still required. In DEMO
mode, playerid may be synthetic.
Field reference
Required
| Field | Description |
|---|---|
operator | Your operator identifier with us |
mode | REAL for real money, DEMO for sandbox |
gamecode | Which game to launch. We give you the value at onboarding |
currency | ISO 4217 alphabetic code (e.g. USD, EUR, JPY) |
language | BCP 47 language tag (the IETF standard for language identifiers, e.g. en, en-GB). Today only en is supported; behaviour with other tags is undefined |
externalsessionid | Your session identifier. Idempotency key when paired with operator |
Recommended
| Field | Description |
|---|---|
playerid | Your stable identifier for the player |
brand | Brand within the operator. Set equal to operator if you don't run multiple brands |
channel | Free-form channel marker for analytics. The values listed in the allowed-values reference are guidance — we don't validate the field |
country | ISO 3166-1 alpha-2 player country |
ipaddress | Player's IP address. Note: the field is named ipaddress, not ip |
testaccount | true marks the session as internal/test. Use during integration; flip to false in production |
Optional (passed through to the player session)
| Field | Description |
|---|---|
displayname | Display name to show for the player inside the game |
segmentation | Free-form segment marker (VIP tier, marketing cohort, etc.) |
exiturl | URL the game can redirect the player back to on exit |
depositurl | URL the game can offer the player to top up their wallet |
historyurl | URL the game can offer for transaction history |
jurisdiction | Override the regulatory jurisdiction for this session. Affects RTP profile and replay retention if your operator config has per-jurisdiction settings |
Response
{
"sessionid": "<our-session-id>",
"launchurl": "https://bingo.lpmbackstagedevelop.com/?launchCode=<code>"
}Behaviour
- Idempotent on
(operator, externalsessionid). Calling with the same pair returns the samesessionidand a freshlaunchCode. launchCodeis single-use and expires after 10 minutes by default.- The session itself has a 24 hour absolute lifetime by default (configurable per operator). It is not refreshed by activity; expiry is fixed at creation.
countryandipaddressare persisted on the session for audit. We don't enforce geo-rules from these fields by default — geo-rule enforcement is opt-in per operator at onboarding.- The
currencyyou send must be in the configured currency list for that game instance. If it isn't,/gamelauncher/playreturns HTTP 400 witherrorcode: 101and message"Currency does not match instance configuration". We give you the supported list at onboarding.
About /gamelauncher/resolve-launch-code
You may notice an unauthenticated POST /gamelauncher/resolve-launch-code
endpoint in network traffic from the iframe. It is an internal frontend
bootstrap call: the iframe exchanges its short-lived launchCode (which
is itself the credential) for a session token before the game starts.
Casinos do not call this endpoint and don't need to.
POST /gamelauncher/replay
Return a URL that renders a past round for player or regulator review.
Request
Only roundid is required. Other fields are accepted-but-ignored today.
{
"roundid": "<round-id-we-issued>"
}Response
{
"launchurl": "https://replay.lpmbackstagedevelop.com/?launchCode=<code>"
}The replay frontend exchanges the embedded launchCode for a session token
internally — you don't need to know about that. From your side, just embed
the URL we return. Replay launch URLs are short-lived. Don't cache them. See
Replay for the full flow.
Game catalogue
We don't currently expose a programmatic /gamelist endpoint. The list of
games available to your operator (along with stakes, currencies, and
languages) is provided in writing during onboarding and updated whenever it
changes. If you need a programmatic feed for an internal admin panel, ask
your account manager.
Errors
Launcher API errors use integer error codes, matching the underlying seamless-wallet provider convention:
{ "errorcode": 101, "errormessage": "bad request" }errorcode | HTTP status | Meaning |
|---|---|---|
101 | 400 | Bad request — missing or malformed field |
101 | 500 | Server-side internal failure on /gamelauncher/play (the play handler reuses code 101; the HTTP status differentiates from 400) |
201 | 401 | Access denied — bad or missing Basic Auth |
206 | 404 | Game / round not found (replay only) |
500 | 500 | Internal server error on /gamelauncher/replay — safe to retry |
Classify by HTTP status, not just errorcode. The two endpoints handle
internal errors slightly differently: replay returns errorcode: 500 with
HTTP 500; play returns errorcode: 101 with HTTP 500.
Note: this is different from the wallet-side error envelope used in
direct integration,
where the codes you return to us are strings (NOT_SUFFICIENT_FUNDS, etc.).
Two separate surfaces, two separate code conventions.
Rate limits
We don't currently enforce a per-operator throttle on the launcher API. The only effective ceiling is the AWS API Gateway account-level default. Talk to us before sending sustained traffic above ~20 requests per second per operator so we can provision a dedicated usage plan if needed.
Versioning
Versioning today: the launcher API is unversioned and shared across all
integrators. Treat the current shape as v1. We will announce breaking
changes in advance and version per integrator at that point — likely as
/v1/gamelauncher/... or via per-operator subpaths.