API Documentation
Base URL: https://api.oluye.example/v1
Includes pre-request HMAC signing. Set apiKey + apiSecret after import.
Overview
The Oluye Operator API is a REST interface secured with HMAC-SHA256. Every request is signed with your shared secret and includes a millisecond timestamp.
- JSON over HTTPS only
- Single-wallet model (player balance lives on your side)
- Idempotency keys required for all monetary writes
Authentication
Sign every request with the following header:
X-Operator-Key: <api_key>
X-Timestamp: 1715731200000
X-Signature: HMAC_SHA256(secret, "<method>\n<path>\n<timestamp>\n<body>")POST /sessions/launch
Create a play session for a logged-in player on your side.
{
"player_ref": "p_8821",
"currency": "USD",
"return_url": "https://casino.example/back"
}Response:
{
"session_id": "sess_abc123",
"launch_url": "https://play.oluye.example/?token=...",
"expires_at": 1715734800000
}POST /bets/reserve
{
"session_id": "sess_abc123",
"round_id": "rnd_2569",
"selected_stocks": ["NDL", "BER"],
"stake": 25.00,
"idempotency_key": "bet_8e9f1c"
}POST /bets/settle
Called by Oluye after each round resolves.
{
"bet_id": "bet_8e9f1c",
"winner": "NDL",
"pct": 1.8421,
"payout": 70.50,
"idempotency_key": "stl_8e9f1c"
}Webhooks
Configured per operator in the Partner Dashboard. Events:
round.openedround.closedbet.settledcompliance.flag
Signed with the same HMAC scheme. Retry policy: 5 attempts with exponential backoff.
Errors
HTTP 4xx { "error": "INVALID_SIGNATURE", "message": "..." }
HTTP 5xx { "error": "INTERNAL", "trace_id": "..." }Rate limits
200 req/sec per operator key. Burst up to 500. Contact support for higher tiers.