Debit & Credit Users

Server to Server Callbacks

To receive messages on when to deduct and credit user balances based on the outcomes of matches, you should implement the following endpoints.

Pay Entry Fee

Method: POST /thndr/pay Description: When you receive this post request from us:

  • Deduct the bet amount from the user's balance.

  • Associate the depositId with the amount in your database to allow for potential refunds.

  • Use depositId as the idempotency key to ensure the same payment is not processed twice.

Body:

{
  "userId": "123",
  "depositId": "abc",
  "amount": 50
}

Handle Match Results

Method: POST /thndr/results Description: Upon receiving this POST request from us, take the appropriate action based on the match outcome:

  • WIN or DRAW: Credit the user's balance by amount.

  • LOSE: No action required.

  • REFUND: Retrieve the amount from your database and refund the user.

NOTE: Use depositId as the idempotency key to ensure the same result is not processed twice.

Body (WIN or DRAW):

{
  "result": "WIN" | "DRAW"",
  "userId": "123",
  "depositId": "abc",
  "roomId": "xyz",
  "gameId": "solitaire" | "blocks" | "blackjack",
  "amount": 100
}

Body (LOSE):

{
  "result": "LOSE",
  "userId": "123",
  "depositId": "abc",
  "gameId": "solitaire" | "blocks" | "blackjack",
  "roomId": "xyz"
}

Body (REFUND):

{
  "result": "REFUND",
  "userId": "123",
  "depositId": "abc",
  "gameId": "solitaire" | "blocks" | "blackjack" | null,
  "roomId": "xyz" | null
}

Request Signing

To ensure the integrity and authenticity of API requests, our system signs each request payload using an HMAC (Hash-based Message Authentication Code) with the SHA-256 algorithm. Integrators must verify the signature to authenticate requests and prevent tampering.

Verification Process

To verify the request's authenticity, the integrator should:

  1. Recompute the signature using the shared secret and the received payload.

  2. Compare the computed signature with the x-server-authorization header value.

  3. Reject the request if the signatures do not match.

Example Verification in Node.js:

const crypto = require("crypto");

function verifySignature(receivedSignature, requestPayload, SERVER_SECRET) {
    const computedSignature = crypto
        .createHmac("sha256", SERVER_SECRET)
        .update(requestPayload)
        .digest("hex");

    return computedSignature === receivedSignature;
}

The SERVER_SECRET is a pre-shared secret key known only to Clinch server and the integrator.

Example Signed Payload

Server secret: DUMMY_SECRET
Payload: {"userId":"alice","depositId":"depositA","amount":100}
x-server-authorizaion: 1bb9edf6131931e29957844f176dc9eaf090e9ccee5ece6ab5fb4c4fa7389513
PreviousAuthenticate UsersNextGo Live

Last updated