Setup & provisioning
Before you can mint a session, your operator needs a handful of things in place. This is a one-time checklist; the pages in this section cover each in depth.
Checklist
- API keys & secrets — an inbound key to sign your S2S calls, plus the outbound secret LootBox Solutions uses to sign calls to you.
- Operator configuration — your wallet URL, webhook URL, enabled games, supported currencies and locales.
- Security & branding — the origins allowed to embed the iframe (CSP), and your brand colors / theme tokens.
What lives where
| Setting | Set in | Notes |
|---|---|---|
| API keys | Admin → Integration → API keys | Secret shown once at creation. |
| Outbound secret | Settings → Integration | HMAC secret for calls to you. Encrypted at rest. |
| Wallet URL | Settings → Integration | Empty disables spending. |
| Webhook URL | Settings → Integration | Async bonus/fulfillment + observational events. |
| Allowed origins (CSP) | Settings → Integration | Until set, browsers refuse to embed. |
| Enabled games | Settings → Integration | Today: mystery_box. |
| Currencies & locales | Settings → Integration | See Localization & currency. |
| Brand color / theme | Settings → Branding | Applied to the game app. |
Once these are in place, follow the Quickstart.