The Aleacc Web API documentation is provided in two parts. This document describes
authenticating, calling, signing and using the API. The other part is interactive
and lets you test all the methods in the API from a webpage.
In order to use the interactive API documentation you need to have received the following:
URL - The URL to the interactive documentation
API endpoint - The URL to the API endpoint
API id - A public id for this API instance
API secret - A private, shared key used to sign requests.
Once you receive these you can open the URL in your browser and enter API id and API secret in the header. Once this is done you can use the interactive documentation.
To generate a session id, call the /player/signin method with a registered player's credentials. If you don't have any credentials, simply call the /player/signup method to create a new player. Once you have the session id, enter it in the Session Id field in the header part. Once entered, it will be included in all following requests.
The API is called using a REST-like HTTP API. Method parameters can be encoded as a query string and/or POST parameters depending on the method that is called. The encoding of the POST data depends on the Content-Type header, where application/json is the official encoding.
Each request to the Web API should be signed using a hmac-sha256 signature. The signature is provided in a custom authorization header. The format of the authorization header is:
Authorization: amx api_id:signature:request_id:timestamp
Where amx is a constant string, api_id is your API id as set up in the Aleacc Admin and signature is the calculated signature. request_id is a unique identifier for the request and timestamp is the Unix timestamp when the request was issued.
The request id must be unique for each request. The timestamp has to be in sync with the receiving server. The id together with the timestamp is used to prevent replay attacks.
If the authorization is deemed to be invalid then a 403 Forbidden response will be issued.
The signature is calculated by concatenating all the signed field values, separated by a Unix newline \n, and then signing the result with the hmac-sha256 algorithm using your API secret, which is generated in the Aleacc Admin together with your API id. The list below contains all the fields and the explicit order in which they should be concatenated.
X-Player-Session-Id - Optional, only required if it is present in the request
X-Client-Ip - Optional, only required if present in the request
Path - Request path including query string, i.e.
Request body - Request body for POST requests, empty string for others.
Content-Type: application/json; charset=UTF-8
Authorization: amx 12345678901234567890123456789012:pYEt3GtOHzf1Y16hb3fSlnbpGTB+cdXo6EEx9WgfR1w=:1:1433313039
The signature for this request was calculated with the following values & secret.
"Username": "test", "Password": "testar"
Some methods require an active player session (i.e. a signed in player). These methods are marked as such in the interactive API documentation, and they also require the player's session id (as acquired from the /player/signin method) to be submitted. The session id is set using the X-Player-Session-Id HTTP header.
Any request that is considered a "player action" (i.e. anything issued by the player, like registration, sign in, sign out etc.) should send the player's client IP in the X-Client-Ip header. The IP can be in either v4 or v6 format. The IP is used for the fraud detection and various blacklists in Aleacc.
If any of the headers are missing from a method that requires them then a 401 Unauthorized response will be returned.
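The signing and checking steps described above, as an added Python example that is not Aleacc's own code. It assumes a base64-encoded signature, that an absent optional header is skipped rather than signed as an empty line, and a 300-second clock tolerance; the helper names, secret and IP are constructed, and request_id and timestamp are not signed here because they are not in the field list above.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW = 300  # assumed tolerance (seconds); the page only says clocks must be in sync


def string_to_sign(path, body="", session_id=None, client_ip=None):
    # Order follows the page's list. Assumption: an optional header that is
    # absent from the request is skipped rather than signed as an empty line.
    fields = [v for v in (session_id, client_ip) if v is not None]
    return "\n".join(fields + [path, body]).encode("utf-8")


def sign(secret, **signed):
    mac = hmac.new(secret.encode("utf-8"), string_to_sign(**signed), hashlib.sha256)
    # Assumption: base64 output, as the page's sample signature appears to be.
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(api_id, secret, request_id, timestamp, **signed):
    return f"amx {api_id}:{sign(secret, **signed)}:{request_id}:{timestamp}"


def verify(header, secrets, seen_ids, now=None, **signed):
    """Receiving side; False corresponds to the 403 Forbidden response."""
    now = int(time.time()) if now is None else now
    try:
        scheme, rest = header.split(" ", 1)
        api_id, signature, request_id, timestamp = rest.split(":")
        timestamp = int(timestamp)
    except ValueError:
        return False  # malformed header
    if scheme != "amx" or api_id not in secrets:
        return False
    if abs(now - timestamp) > MAX_SKEW or (api_id, request_id) in seen_ids:
        return False  # stale timestamp or reused request id
    expected = sign(secrets[api_id], **signed)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False  # constant-time comparison of the two signatures
    seen_ids.add((api_id, request_id))  # remember only authenticated ids
    return True


if __name__ == "__main__":
    # Constructed sample values, not the credentials from the page.
    req = dict(path="/player/signin", client_ip="203.0.113.7",
               body='{"Username": "test", "Password": "testar"}')
    hdr = authorization_header("0" * 32, "constructed-secret", "1", int(time.time()), **req)
    print(hdr, verify(hdr, {"0" * 32: "constructed-secret"}, set(), **req))
```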