B2B Casino Integration

Embed Crypto Flight X in your lobby

Run Crypto Flight X inside your crypto casino, just like Aviator. Embed via iframe or launch URL, white-label the theme, and track sessions, wager volume and revenue share.

Integration Kit & API Reference

Everything to launch from your own lobby in minutes. The kit is copy/paste-ready: API docs, sandbox credentials, launch script, wallet & webhook endpoints, an iframe snippet, a browser SDK, and a full self-contained casino-lobby demo page.

Sandbox: operator op_sandbox_demo · key cfx_test_sk_sandbox_demo_key_001 · simulated wallet mode.

Embed Mode

Drop this into your lobby to launch the game:

<iframe src="https://crypto-flight-x.lovable.app/embed?operator=YOUR_ID&theme=34e3c4&player=PLAYER_ID&bet=100" allow="autoplay; fullscreen"
  width="100%" height="720" frameborder="0"></iframe>

Game launch URL:

https://crypto-flight-x.lovable.app/embed?operator=YOUR_ID&theme=34e3c4&player=PLAYER_ID&bet=100

The embedded game posts events to your lobby via window.postMessage so you can track every play and calculate revenue share. Listen for them:

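const CFX_ORIGIN = "https://crypto-flight-x.lovable.app";

window.addEventListener("message", (e) => {
  // Any window can post to your lobby: accept only the game's origin.
  if (e.origin !== CFX_ORIGIN) return;
  if (e.data?.source !== "crypto-flight-x") return;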
  // Demo events:       "session_ready" | "round_end"
  // Real-money events: "round_committed" | "round_settled" | "round_error"
  // round_committed -> { roundId, bet, currency, fairness }
  // round_settled   -> { roundId, crashPoint, cashoutTarget, win, winAmount, fairness }
  // common fields   -> { operator, sessionId, token, player, ts }
  console.log(e.data.type, e.data);
});

Signed Launch Session (recommended)

For real-money play, don't trust raw URL params. Your backend requests a launch session signed with your secret API key. We mint a single-use token tied to the operator_id, player_id and wager, then you embed /embed?token=…. The token is resolved server-side, so the player's identity is verified and cannot be spoofed.

  1. Sign `${timestamp}.${jsonBody}` with HMAC-SHA256 + your API key.
  2. POST it to /api/public/casino/session with the signature headers.
  3. Drop the returned launchUrl into your iframe — valid for 10 minutes, one launch.

import { createHmac } from "crypto";

const OPERATOR_ID = "op_your_id";        // from your operator console
const API_KEY     = "cfx_live_sk_...";   // secret — server-side only

async function launchGame(playerId, bet) {
  const ts = Date.now().toString();
  const body = JSON.stringify({ playerId, bet, currency: "USDT" });
  const signature = createHmac("sha256", API_KEY)
    .update(`${ts}.${body}`)
    .digest("hex");

  const res = await fetch(
    "https://crypto-flight-x.lovable.app/api/public/casino/session",
    {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "x-cfx-operator": OPERATOR_ID,
        "x-cfx-timestamp": ts,
        "x-cfx-signature": signature,
      },
      body,
    },
  );
  if (!res.ok) throw new Error(`session request failed: HTTP ${res.status}`);
  const { launchUrl } = await res.json();
  return launchUrl; // -> /embed?token=cfx_ls_...  put this in your iframe src
}

Get your operator_id and secret API key from the operator console.


Real-Money Rounds (seamless wallet + provably fair)

Each play runs commit → settle. On commit we debit the bet from your wallet and lock a provably-fair commitment; on settle we decide the crash point server-side and credit any win. Every wallet call and webhook is signed with your API key and carries an idempotency key, so retries never double-charge.

1. Your wallet endpoint (debit / credit)

import express from "express";
import { createHmac, timingSafeEqual } from "crypto";

const app = express(); // or reuse your existing Express app

// Your endpoint, set as "Wallet API URL" in the operator console.
app.post("/cfx/wallet", express.raw({ type: "*/*" }), (req, res) => {
  const raw = req.body.toString("utf8");
  const ts  = req.header("x-cfx-timestamp");
  const sig = req.header("x-cfx-signature") ?? "";

  // Verify the call really came from Crypto Flight X.
  const expected = createHmac("sha256", API_KEY)
    .update(`${ts}.${raw}`)
    .digest("hex");
  // timingSafeEqual throws if the lengths differ, so check length first.
  const given = Buffer.from(sig);
  const wanted = Buffer.from(expected);
  if (given.length !== wanted.length || !timingSafeEqual(given, wanted))
    return res.status(401).json({ ok: false, error: "bad signature" });

  const { type, playerId, amount, currency, idempotencyKey } = JSON.parse(raw);
  // type = "debit" (bet) | "credit" (win). Use idempotencyKey to dedupe.
  const balance = applyToWallet({ type, playerId, amount, currency, idempotencyKey });

  res.json({ ok: true, balance, providerRef: idempotencyKey });
});
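
The handler above calls applyToWallet without defining it. One way to make it idempotent, as an added example that is not part of the kit: an in-memory ledger that replays the stored result when an idempotencyKey repeats. The class name, error strings and the choice to store declined calls are assumptions; a real ledger would do the same steps inside one database transaction.

```javascript
// Hypothetical stand-in for applyToWallet(); apply() returns the whole response body.
// Amounts are plain numbers here; use integer minor units or a decimal type in production.
class WalletLedger {
  constructor(openingBalances = {}) {
    this.balances = new Map(Object.entries(openingBalances)); // playerId -> balance
    this.applied = new Map();                                 // idempotencyKey -> stored outcome
  }

  apply({ type, playerId, amount, currency, idempotencyKey }) {
    if (!idempotencyKey) return { ok: false, error: "missing idempotencyKey" };
    if (!Number.isFinite(amount) || amount <= 0) return { ok: false, error: "bad amount" };
    if (type !== "debit" && type !== "credit") return { ok: false, error: "bad type" };

    const fingerprint = JSON.stringify([type, playerId, amount, currency]);
    const seen = this.applied.get(idempotencyKey);
    if (seen) {
      // Retry of a call already processed: replay the stored answer, move no money.
      if (seen.fingerprint === fingerprint) return { ...seen.result, replayed: true };
      // Same key with a different payload: refuse rather than guess which is right.
      return { ok: false, error: "idempotencyKey reused with different payload" };
    }

    const current = this.balances.get(playerId) ?? 0;
    let result;
    if (type === "debit" && current < amount) {
      result = { ok: false, error: "insufficient funds", balance: current };
    } else {
      const balance = type === "debit" ? current - amount : current + amount;
      this.balances.set(playerId, balance);
      result = { ok: true, balance, providerRef: idempotencyKey };
    }
    // Store declines too, so a retried declined bet cannot succeed later under the same key.
    this.applied.set(idempotencyKey, { fingerprint, result });
    return result;
  }
}

// Constructed sample: the same debit delivered twice moves money once.
const demoLedger = new WalletLedger({ player_1: 500 });
const demoDebit = { type: "debit", playerId: "player_1", amount: 100, currency: "USDT", idempotencyKey: "demo-key-1" };
console.log(demoLedger.apply(demoDebit), demoLedger.apply(demoDebit));
```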

2. Your webhook + fairness verification

// Your "Webhook URL" receives signed round.settled events.
app.post("/cfx/webhook", express.raw({ type: "*/*" }), (req, res) => {
  const raw = req.body.toString("utf8");
  const ts  = req.header("x-cfx-timestamp");
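  const sig = req.header("x-cfx-signature") ?? "";
  const expected = createHmac("sha256", API_KEY).update(`${ts}.${raw}`).digest("hex");
  // Constant-time compare, as in the wallet endpoint (length check first).
  const given = Buffer.from(sig);
  const wanted = Buffer.from(expected);
  if (given.length !== wanted.length || !timingSafeEqual(given, wanted))
    return res.sendStatus(401);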

  const e = JSON.parse(raw); // { event:"round.settled", roundId, win, winAmount, crashPoint, fairness }
  recordRoundResult(e);
  res.sendStatus(200);
});
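
Both handlers above check the HMAC but not the age of x-cfx-timestamp. An added example, not from the kit, of one verifier for the wallet and webhook endpoints that also rejects stale timestamps. The 5-minute window, the millisecond timestamp format on inbound calls and the function names are assumptions.

```javascript
// Load node:crypto from either a CommonJS or an ES module file.
const { createHmac, timingSafeEqual } =
  typeof require === "function" ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumption: the page states no tolerance

// HMAC-SHA256 over `${ts}.${rawBody}`, hex encoded, as in the handlers above.
function signCfx(apiKey, ts, rawBody) {
  return createHmac("sha256", apiKey).update(`${ts}.${rawBody}`).digest("hex");
}

// Returns { ok: true } or { ok: false, reason }. Never throws on bad input.
function verifyCfxRequest({ apiKey, ts, sig, rawBody, now = Date.now() }) {
  if (typeof ts !== "string" || typeof sig !== "string")
    return { ok: false, reason: "missing signature headers" };
  if (!/^\d{1,16}$/.test(ts)) return { ok: false, reason: "malformed timestamp" };

  // Authenticate first: the timestamp is only meaningful once the MAC over it checks out.
  const expected = Buffer.from(signCfx(apiKey, ts, rawBody), "utf8");
  const given = Buffer.from(sig, "utf8");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };

  // A valid but old signature is a replayed or badly delayed request.
  if (Math.abs(now - Number(ts)) > MAX_SKEW_MS)
    return { ok: false, reason: "stale timestamp" };
  return { ok: true };
}

// Constructed sample: a correctly signed webhook body, checked 10 minutes later.
const demoKey = "cfx_test_sk_sandbox_demo_key_001";
const demoBody = JSON.stringify({ event: "round.settled", roundId: "constructed-round-1" });
const demoTs = "1700000000000";
const demoResult = verifyCfxRequest({
  apiKey: demoKey, ts: demoTs, sig: signCfx(demoKey, demoTs, demoBody),
  rawBody: demoBody, now: 1700000000000 + 10 * 60 * 1000,
});
console.log(demoResult); // rejected as stale
```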

// Provably fair: after a session ends, reveal the server seed and re-derive
// every crash point yourself (or call /round/reveal):
//   serverSeedHash === sha256(serverSeed)
//   h = first 52 bits of HMAC_SHA256(serverSeed, clientSeed + ":" + nonce)
//   crashPoint = floor((100*2^52 - h)/(2^52 - h))/100 * (1 - houseEdge)
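
The check described in the comments above, written out as an added example (not Crypto Flight X's own code). It assumes seeds are hashed and keyed as UTF-8 strings and that houseEdge is supplied by the caller, since the page gives no value; function names, the tolerance and the sample values are made up here.

```javascript
// Load node:crypto from either a CommonJS or an ES module file.
const { createHash, createHmac } =
  typeof require === "function" ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const TWO_52 = 2n ** 52n;

// serverSeedHash === sha256(serverSeed)
function commitmentMatches(serverSeed, serverSeedHash) {
  const digest = createHash("sha256").update(serverSeed).digest("hex");
  return digest === String(serverSeedHash).toLowerCase();
}

// h = first 52 bits (13 hex digits) of HMAC_SHA256(serverSeed, clientSeed + ":" + nonce)
function roundEntropy(serverSeed, clientSeed, nonce) {
  const mac = createHmac("sha256", serverSeed).update(`${clientSeed}:${nonce}`).digest("hex");
  return BigInt("0x" + mac.slice(0, 13));
}

// crashPoint = floor((100*2^52 - h) / (2^52 - h)) / 100 * (1 - houseEdge)
function crashPointFromEntropy(h, houseEdge) {
  const hundredths = (100n * TWO_52 - h) / (TWO_52 - h); // BigInt division floors; h < 2^52
  return (Number(hundredths) / 100) * (1 - houseEdge);
}

// Re-derive each reported round of a revealed session and collect the mismatches.
function verifySession({ serverSeed, serverSeedHash, clientSeed, houseEdge, rounds }, tolerance = 1e-9) {
  if (!commitmentMatches(serverSeed, serverSeedHash))
    return { ok: false, reason: "server seed does not match commitment", mismatches: [] };
  const mismatches = [];
  for (const { nonce, crashPoint } of rounds) {
    const expected = crashPointFromEntropy(roundEntropy(serverSeed, clientSeed, nonce), houseEdge);
    if (Math.abs(expected - crashPoint) > tolerance)
      mismatches.push({ nonce, reported: crashPoint, expected });
  }
  const ok = mismatches.length === 0;
  return { ok, reason: ok ? null : "crash point mismatch", mismatches };
}

// Constructed sample (not real game data): round 2 is reported as 0.5, which no seed can produce.
const demoSeed = "constructed-server-seed";
const demoPoint = (n) => crashPointFromEntropy(roundEntropy(demoSeed, "constructed-client-seed", n), 0.01);
const demoReport = verifySession({
  serverSeed: demoSeed,
  serverSeedHash: createHash("sha256").update(demoSeed).digest("hex"),
  clientSeed: "constructed-client-seed",
  houseEdge: 0.01,
  rounds: [{ nonce: 1, crashPoint: demoPoint(1) }, { nonce: 2, crashPoint: 0.5 }],
});
console.log(demoReport.ok, demoReport.mismatches.map((m) => m.nonce));
```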

Operator API & Webhooks

POST /api/public/casino/session            ✓ live · signed launch
POST /api/public/casino/session/resolve    ✓ live · embed resolves token
POST /api/public/casino/round/commit       ✓ live · debit bet + fair commit
POST /api/public/casino/round/settle       ✓ live · decide + credit win
POST /api/public/casino/round/reveal       ✓ live · provably-fair verify
POST /api/public/casino/track              ✓ live · records each round
WHK  -> your webhook_url  round.settled    ✓ live · signed callback
POST -> your wallet_url   debit / credit   ✓ live · signed, idempotent

Go-Live Checklist

  1. Sign in and open the operator console — your operator_id and secret API key are provisioned automatically.
  2. Set your Wallet API URL, Webhook URL, min/max bet and currency, then Save go-live settings. (Leave the wallet URL blank to run in simulated mode first.)
  3. Implement your /wallet endpoint (debit/credit) and /webhook endpoint, verifying the HMAC signature on every call.
  4. From your backend, sign a request and POST /api/public/casino/session to mint a launch token per player.
  5. Embed /embed?token=… in your lobby iframe. The game debits on commit and credits wins on settle automatically.
  6. After a session ends, call /round/reveal to expose the server seed and verify every crash point was provably fair.

B2B Revenue Share Tracking

Live totals across all partner casinos. Your platform share is calculated from real wager volume and stored per operator.
