Player Authenticate API

Player Authenticate API - Operator API

Authenticates a player and establishes a gaming session with JWT tokens.

post

Authenticates player, creates session if needed, and generates JWT access and refresh tokens.

Flow: Verify player existence → Create if needed → Generate tokens

Sample request:

{
    "playerId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
}

Sample response:

{
    "sessionId": "550e8400-e29b-41d4-a716-446655440000",
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "tokenType": "Bearer",
    "expiresIn": 3600
}

Authorizations

AuthorizationstringRequired

REQUIRED - JWT Authorization header using the Bearer scheme. All API endpoints require authentication, except for authentication endpoints (Connect/authentication). Example: "Authorization: Bearer {token}"

Query parameters

api-versionstringOptional

Header parameters

X-Transaction-Idstring · uuidOptional

Unique transaction identifier for request tracking

Example: 0e33f671-f582-4dc4-8d14-52fd2f722fef

Body

playerIdstring · uuidRequired

Responses

200

Player authenticated successfully with new session and tokens generated.

400

Invalid request data or malformed player identifier.

401

Authentication failed due to invalid credentials or token.

403

Player account is blocked or access is forbidden.

404

Player not found and could not be created in Identity service.

502

External Identity service is unavailable or returned an error.

503

External Identity service timeout or temporarily unavailable.

post

/player/authentication

POST /player/authentication HTTP/1.1
Host: operator-api.mgm.bingaodobrasil.com.br
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 51

{
  "playerId": "123e4567-e89b-12d3-a456-426614174000"
}

{
  "sessionId": "123e4567-e89b-12d3-a456-426614174000",
  "accessToken": "text",
  "refreshToken": "text",
  "tokenType": "text",
  "expiresIn": 1,
  "expiresAt": "text"
}

Refreshes an expired access token using a valid refresh token.

post

Enables token renewal without re-authentication. Validates refresh token, verifies session status, and generates new access and refresh tokens.

Process: Validate refresh token → Check session → Generate new tokens

Sample request:

{
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Sample response:

{
    "sessionId": "550e8400-e29b-41d4-a716-446655440000",
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "tokenType": "Bearer",
    "expiresIn": 3600
}

Authorizations

AuthorizationstringRequired

Query parameters

api-versionstringOptional

Header parameters

X-Transaction-Idstring · uuidOptional

Unique transaction identifier for request tracking

Example: 7a0c6c9b-5ffd-4db9-a39d-c017bf49b666

Body

refreshTokenstring · min: 1Required

Responses

200

Tokens refreshed successfully with extended session expiration.

400

Invalid request format or malformed refresh token.

401

Refresh token is invalid, expired, or has invalid signature.

403

Player account is blocked or session access is forbidden.

502

External service dependency is unavailable or returned an error.

503

External service timeout or temporarily unavailable.

post

/player/refresh-token

POST /player/refresh-token HTTP/1.1
Host: operator-api.mgm.bingaodobrasil.com.br
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 23

{
  "refreshToken": "text"
}

{
  "sessionId": "123e4567-e89b-12d3-a456-426614174000",
  "accessToken": "text",
  "refreshToken": "text",
  "tokenType": "text",
  "expiresIn": 1,
  "expiresAt": "text"
}

PreviousConnect API NextSession Manager API

Last updated 4 months ago

hashtagAuthenticates a player and establishes a gaming session with JWT tokens.

hashtagRefreshes an expired access token using a valid refresh token.

Authenticates a player and establishes a gaming session with JWT tokens.

Refreshes an expired access token using a valid refresh token.