Operator API

These are the endpoints you must implement on your side. 155.io will call these endpoints to manage player balances and transactions.

Required Endpoints

Security Requirements

Required

Verify the X-Marbles-Signature header on every incoming request using 155.io's public key. Reject requests where verification fails by returning INVALID_SIGNATURE (with HTTP 200).

Verify incoming requests — every call from 155.io to your /balance, /bet, /win, or /rollback endpoint includes X-Marbles-Signature (RSA-SHA256 over the raw request body, BASE64-encoded). Use the 155.io public key shared at onboarding to verify.
Sign outgoing responses with your private key in the X-Marbles-Signature header. We don't currently verify your response signatures, but signing now is forward-compatible.
Whitelist 155.io outbound IPs at your firewall so our requests reach your endpoints.

See Security for code samples and the full direction-aware picture.

Idempotency

All endpoints must be idempotent. If a request is executed multiple times, it should return the same response (even if the request ID differs).

If the same transactionId is received with a different payload, return DUPLICATE_TRANSACTION_ERROR.

Response Format

All responses must include:

{
  "status": "SUCCESS",
  "requestId": "original-request-id",
  "clientPlayerId": "player-id",
  "currency": "USD",
  "balance": 1000000
}

Balance and amount values use 5-digit precision: $10.00 = 1000000. All amount and balance fields are 64-bit integers (int64 / long).

All responses must use HTTP 200, including error responses. The error status is communicated in the JSON body's status field. Non-200 HTTP status codes may trigger retries or rollbacks on our side.

Need help implementing?

Download our llms-full.txt and feed it into your AI coding tool (Claude Code, Cursor, Windsurf, etc.) for instant help with implementing these endpoints.

Required Endpoints

/balance

/bet

/rollback

/win

Security Requirements

Idempotency

Response Format

On this page