Payment API & Webhooks for iGaming Platforms | Documented: The Endpoints, Events, and Signatures Your Engineering Team Will Build Against

A payment API and webhook surface for iGaming platforms is the most honest piece of documentation any payment vendor produces. Marketing pages can be polished; an API reference cannot hide. Either the endpoints make sense as a coherent resource model, the webhook payloads commit to stable shapes, the error responses look designed rather than improvised, and the documentation answers the questions engineers actually ask — or they don't. This page is a working tour of all four for the iGaming context.

Hand any working backend engineer the documentation of three payment platforms and they can tell you within twenty minutes which one is a serious product. Not from the marketing. From the shape of the API itself. The rest of this article is what that engineer would see when they open our docs.

The REST Resource Model

The API exposes a small, opinionated set of resources rather than a sprawling RPC surface. Every interaction maps to one of: a deposit, a withdrawal, a refund, an order, or a player. Endpoints follow conventional REST verbs, and the resource model is consistent enough that an engineer who learns one resource can predict the shape of the others.

API Endpoint Reference v1 · https://api.your-brand.com/v1

Deposits

POST

/deposits

Initiate a new deposit on behalf of a player.

GET

/deposits/{id}

Retrieve the current state of a deposit by ID.

GET

/deposits

List deposits, paginated, filterable by status/market/method/time.

Withdrawals

POST

/withdrawals

Initiate a withdrawal to the player's chosen rail.

GET

/withdrawals/{id}

Retrieve a withdrawal's state.

PATCH

/withdrawals/{id}/release

Release a withdrawal from compliance hold (RBAC-scoped).

Refunds

POST

/deposits/{id}/refunds

Issue a refund against a prior deposit (full or partial).

GET

/refunds/{id}

Retrieve refund state.

Players

POST

/players

GET

/players/{id}

Retrieve a player record and their derived state.

PATCH

/players/{id}/kyc

Update KYC tier or document status.

Initiating a Deposit — Request and Response

The actual shape of a deposit request and response. The contract is deliberately small; the rail-specific routing and risk decisions are made server-side, not pushed onto the integrator.

POST /v1/deposits JSON

{
  "amount": 1500,
  "currency": "INR",
  "player_id": "p_4827",
  "method": "upi",
  "reference": "player-deposit-1747553421",
  "metadata": {
    "vertical": "casino",
    "session_id": "sess_8cd2..."
  }
}

201 Created response

{
  "id": "d_9q3kp2",
  "status": "awaiting_method",
  "amount": 1500,
  "currency": "INR",
  "player_id": "p_4827",
  "method": "upi",
  "redirect_url": "https://pay.your-brand.com/d/9q3kp2",
  "deep_link": "upi://pay?pa=your-brand@...",
  "created_at": "2026-05-18T11:42:18Z",
  "expires_at": "2026-05-18T11:52:18Z"
}

Authentication and Webhook Signatures

Every request is authenticated with a per-tenant API key. Every webhook delivered to your platform carries a signature your platform verifies. Neither piece is optional. The flow:

— Authentication & Signature Flow —

API key in header. Outbound API calls authenticate with Authorization: Bearer pk_live_.... Keys are rotatable; the admin records every rotation in the audit log.

Webhook signature header. Inbound webhooks to your endpoint include X-Signature: t=...,v1=... where v1 is an HMAC-SHA256 of {timestamp}.{raw_body} using the webhook secret.

Timestamp window. Webhooks older than 5 minutes are rejected on the receiver side to prevent replay attacks. The timestamp in the signature header is the canonical value to check against.

Constant-time comparison. Receivers must compare signatures with a constant-time function — not a string equals — to defeat timing-side-channel attacks. Sample code is in every SDK we publish.

Rotation without downtime. Each tenant can hold two active secrets simultaneously during rotation. Signed webhooks are accepted under either secret for the rotation window, then the old secret is retired.

Webhook Event Catalog

Webhook events are versioned, structured, and emit on every meaningful state transition. Your integration subscribes once; we deliver durably (retry on failure with exponential backoff, then queue for manual replay through the admin). The full event surface:

Webhook Events · v1

Deposit lifecycle

deposit.created

A new deposit was initiated. Use this to set player-side pending state.

deposit.authorized

The rail accepted the deposit but settlement is not yet final. Provisional credit may be applied here at operator discretion.

deposit.settled

Funds confirmed by the rail. Credit the player's account and return them to play.

deposit.failed

The deposit attempt failed. Payload includes failure_code and retry_eligible hint.

deposit.expired

The deposit's pending window closed without resolution. Treat as final non-success.

Withdrawal lifecycle

withdrawal.requested

Player initiated a withdrawal; risk review may be required next.

withdrawal.held

Compliance hold placed. Includes hold_reason; admin action may release it.

withdrawal.dispatched

Funds left the operator account and are in transit on the rail.

withdrawal.settled

Funds confirmed at the destination — the loyalty moment for the player.

withdrawal.rejected

Rail-side rejection. Includes rejection_reason; reversal flow may follow.

Refunds & reconciliation

refund.initiated

A refund was created against a settled deposit.

refund.completed

Refund landed at the player's source account.

settlement.batch_closed

Daily settlement batch closed for a market. Triggers downstream reconciliation jobs.

Idempotency — How Duplicate Submission Is Defeated

The single most important quality of a payment API is that an integrator can retry a network failure without accidentally creating a second deposit. Every state-changing endpoint accepts an idempotency key; identical requests with the same key produce identical results without re-running the side effects.

Idempotency Mechanism

Request 1

Idempotency-Key: abc123
POST /deposits

→

Server

Creates deposit
Stores abc123 + result

→

Request 2 (retry)

Idempotency-Key: abc123
Returns prior result

Guarantee: the same idempotency key within a 24-hour window will never produce two side effects. Different keys are treated as different requests; missing keys are accepted for read endpoints but rejected for state-changing ones in strict mode.

Structured Error Responses

Errors are not free-form strings; they're a stable JSON shape with an HTTP status, a machine-readable code, a human-readable message, and a documentation link. Every error code is referenced in this article and in our docs so a competent integrator can build error handling without guessing.

Error response shape JSON

{
  "error": {
    "code": "player_limit_exceeded",
    "message": "Deposit exceeds the player's daily limit.",
    "http_status": 422,
    "docs_url": "https://docs.example/errors/player_limit_exceeded",
    "request_id": "req_8cd2..."
  }
}

The Error Code Table

HTTP	Code	Meaning & Remediation
400	invalid_request	Request is malformed. Check schema; fields missing or of wrong type.
401	authentication_failed	API key missing, invalid, or revoked. Verify `Authorization` header.
403	forbidden_for_tenant	Authenticated but lacks the role to perform this action. Check RBAC mapping.
404	resource_not_found	Resource doesn't exist or isn't visible to this tenant.
409	idempotency_conflict	Idempotency key reused with a different request body. Inspect prior request.
422	player_limit_exceeded	Deposit or withdrawal exceeds player's daily/weekly/monthly limit.
422	method_unavailable	The requested method isn't available for the player's market or KYC tier.
429	rate_limited	Per-tenant rate limit exceeded. Retry-After header included; back off and retry.
503	route_degraded	The chosen rail is temporarily degraded. Smart routing will fall back; retry suggested.

Deposit State Machine — API View

The same state machine described on the player cashier side is exposed through the API. Every state is a string value on deposit.status; every transition emits a webhook; the audit trail records who or what triggered each move.

Deposit Status Transitions

created

→

awaiting_method

→

authorized

→

settled

authorized

→

failed

expired

Sandbox & Production Environments

Every tenant gets a sandbox with full feature parity — same endpoints, same webhook signatures, same error codes. Sandbox transactions use simulated rails so your integration can be tested end-to-end before a single real player exists.

Sandbox

For development & QA

api.sandbox.your-brand.com/v1

Simulated rails, simulated callbacks, controllable failure injection. Test against named scenarios: "deposit succeeds," "deposit declines on first attempt then succeeds," "withdrawal held for KYC," etc.

Production

For real player traffic

api.your-brand.com/v1

Live rails, live callbacks, real money. Same API surface as sandbox; the only thing that changes is the base URL and the API key prefix (pk_test_ vs pk_live_).

Versioning Policy

Stable contract, predictable evolution

API and webhook contracts are versioned in the URL (/v1) and in the event payload. Breaking changes go to a new major version; new fields can be added to existing versions but never removed. Deprecation is announced with a minimum lead time and old versions remain operational during the transition.

2026-05-01

Tenants can pin an explicit API version via the header to lock behaviour. Default routing uses the latest stable.

Where the API Sits in the Larger Picture

This API is the integration surface for the same managed gateway whose player cashier UI and merchant admin and order management back-end are described elsewhere on this site. The three surfaces are deliberate counterparts: the cashier is what the player sees, the admin is what the operations team uses, and this API is what your engineering team builds against. Same data model, same audit trail, three audiences. An integrator can ship against the API while operations works in the admin and players use the cashier — all reading the same source of truth.

Everything Else, Compressed

Scope of this article: The integration surface — REST endpoints, webhook events, authentication, idempotency, error model, state machine, environments, versioning. Cashier UI and operations back-end are covered separately.

What we ship: the full API and webhook surface as part of the managed gateway, plus reference SDKs, an OpenAPI specification, Postman collections, and a sandbox that supports controllable failure injection for end-to-end testing.

Pricing: Flat monthly hosting fee + 0.1–0.4% transaction volume share. API access, SDKs, sandbox, and the documentation site are included — not separate add-ons.

Documentation a competent integrator can ship against in one sitting.

The API and webhook surface your engineering team can evaluate on its own merits.

Request API Documentation →

Integration-Specific Questions Engineers Actually Ask

Do you publish an OpenAPI / Swagger specification?

Yes. The full v1 surface is published as an OpenAPI spec; you can import it into Postman, generate client code in your language of choice, or feed it into your gateway-validation tooling. The spec is the source of truth and the documentation is generated from it.

Which SDKs are available?

Reference SDKs are provided in the languages most commonly used by iGaming platforms. Each SDK is a thin wrapper over the documented HTTP surface — nothing it does that you can't replicate with raw HTTP. The SDKs exist for convenience, not as a black box.

What's the rate limit and how is it enforced?

Per-tenant rate limits, applied per endpoint family rather than globally. Limits are generous for normal traffic and scale upward on request as your volume grows. When a limit is hit, the API returns 429 with a Retry-After header; well-behaved clients implement exponential backoff.

How are webhook retries handled when our endpoint is down?

Failed deliveries are retried with exponential backoff over an extended window (typically 24 hours). After that, the webhook is queued in the admin panel for manual replay. Your endpoint should respond 2xx within 10 seconds; longer responses are treated as failures and retried.

Can we replay or back-fill webhooks for a missed window?

Yes. The admin exposes a replay action that emits historical events to your endpoint with original payloads, marked as replays in a header. Use this when your platform was down and you need to catch up the state transitions you missed.

What's the data model behind player_id — do you persist player records or just pass them through?

We persist a player record keyed on your player_id. The record holds KYC tier, derived risk signals, and a transaction history view. You own the canonical player identity; we keep the payment-side projection of it.

Do you provide a status / uptime feed our monitoring can subscribe to?

Yes. Public status page plus a machine-readable feed of incidents and scheduled maintenance. Your monitoring can subscribe to that feed and surface gateway-side health alongside your own application health in a single view.

The Next Step

A working payment API and webhook surface for iGaming platforms is, in the end, the most honest disclosure a vendor makes. Marketing copy describes intent; the API describes capability. The endpoints, event names, signature scheme, error model, and idempotency mechanism described on this page are the actual contract your engineering team will integrate against — there is no separate, prettier version that lives behind the sales process.

Tell us what your existing platform looks like, which API conventions your team already uses, and what your integration timeline looks like. We will walk through the spec against your specific stack — and your engineering team will form their own opinion of the API on its own merits, not from a marketing demo.

An API that holds up under engineering scrutiny.

Endpoints, events, signatures, idempotency, versioning — documented, stable, evaluable.

Open the Docs →