Games — Aggregator Harness

Provision operators, mint launch tokens via your aggregator API key, and play the result

aggregator not verified

1 Aggregator credentials

X-Aggregator-Key (prefix.secret — dev only in a browser!)

Never embed a real aggregator key in production client code — your backend calls these APIs server-side. This harness stores it in localStorage so it survives the /launch round-trip.

Backoffice API base URL (provisioning) games-backend base URL (token minting + game session) CDN URL (currency icons, avatars)

2 Operators

Operator (owned by your aggregator)

Created via the Backoffice API; the selected operator's code is used for token minting below.

Create a new operator (POST /bo/aggregator/operators)

Code (slug, a-z 0-9 -)

Name

Wallet base URL (receives /auth, Bet/Win/Rollback)

For local dev, casino-wallet-mock works: go run . -port 8095.

Game frontend base URL (/launch redirects here)

Pre-filled with this page's own URL so the post-launch redirect lands back here and auto-mounts the game.

Wallet timeout ms (optional, default 5000)

⚡ One-time secrets — store them now Returned exactly once; they cannot be retrieved again, only rotated by the platform admin. jwtSharedSecret walletHmacSecret

3 Operator config

Config JSON (enabledGames, currencies, featureFlags…)

Bets are enforced against this — a game not in enabledGames or a currency not in currencies is rejected, and token minting fails for them too.

4 Mint launch token & play

Player id (sub)

Currency

Game

TTL seconds (max 600)

Language (optional)

Return URL (optional, lobby link)

Mount seeds & library bundle

Min bet

Max bet

Balance

Seeds only — after launch the game fetches real balance/limits via the session cookie.

ES bundle manifest.json assets base

✓ Token minted launchUrl jti · expiresIn token

CORS, locally: games-backend's Access-Control-Allow-Headers doesn't include X-Aggregator-Key, and the backoffice allows it only if your cors.allowedHeaders / allowedOrigins config says so — browser calls from this page may fail preflight until you add the header (and this page's origin) to each service's CORS config in dev. In production this is a non-issue: minting is server-to-server. Also set the operator's gameFrontendBaseUrl to this page's URL so the post-/launch 302 lands back here.

No game mounted yet — verify your key, pick an operator, mint a token, launch.
“Play offline (demo mode)” works with no backend.

Activity log