FAQs - Architecture & Authentication

What are the two API gateways Operators need to integrate, and why do both exist?

The Platform API Gateway is where your backend sends data for ingestion (bulk and real-time). The Frontend API Gateway authenticates players and powers widgets/real-time UI. Operators will generally use Platform for server-to-server ingestion/sync and Frontend for player-scoped reads/UI.

Which auth flow should my backend use for Platform API calls?

Use the OAuth 2.0 Client Credentials flow to obtain a JWT access token from the published token URL, then include that token when calling Platform REST/RX/Data Fetch endpoints.

How do players authenticate to the Frontend API Gateway?

Your frontend (FE) calls {PEP_FE}/api/auth/v1/player with your clientId and your identityToken (e.g., your casino session ID). PEP then calls your Operator endpoint /api/auth/v1/player to validate the token and issues a JWT that the widgets/FE use (sent via x-authorization).

Do Operators need to build an Operator endpoint for player validation?

Yes. Implement POST {operator}/api/auth/v1/player so that it validates the identityToken and returns playerId (plus an optional expiresAt). PEP relies on this to mint the player JWT.
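
One way to write the validation logic behind that Operator endpoint, as an added example (not PEP's or any Operator's own code). The JSON request field names, the ISO 8601 format of expiresAt, the error bodies, the client ID value and the in-memory session store are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Placeholder: the FE client ID you created in PEP Admin.
EXPECTED_CLIENT_ID = "example-fe-client"

def _digest(token: str) -> str:
    # Store and look up sessions by hash so raw session IDs are not kept here.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

# Constructed sample session store: SHA-256(session ID) -> (playerId, expiry).
SESSIONS = {
    _digest("sess-alice-123"): ("player-1001", datetime(2030, 1, 1, tzinfo=timezone.utc)),
    _digest("sess-bob-456"): ("player-1002", datetime(2020, 1, 1, tzinfo=timezone.utc)),
}

def validate_player(body, now=None, sessions=SESSIONS):
    """Return (http_status, response_dict) for POST /api/auth/v1/player.

    Assumes the request body carries "clientId" and "identityToken".
    """
    now = now or datetime.now(timezone.utc)
    if not isinstance(body, dict):
        return 400, {"error": "invalid_request"}
    client_id = body.get("clientId")
    token = body.get("identityToken")
    # Reject wrong types and oversized values before doing any lookup.
    if not isinstance(client_id, str) or not isinstance(token, str) or not 0 < len(token) <= 512:
        return 400, {"error": "invalid_request"}
    # One generic 401 for every failure, so the response does not reveal
    # whether the client ID, the token or the expiry was the problem.
    denied = (401, {"error": "unauthorized"})
    if not hmac.compare_digest(client_id.encode(), EXPECTED_CLIENT_ID.encode()):
        return denied
    session = sessions.get(_digest(token))
    if session is None:
        return denied
    player_id, expires = session
    if expires <= now:  # fail closed on expired sessions
        return denied
    # expiresAt is optional per the answer above; returning it ties the
    # lifetime reported to PEP to the lifetime of the Operator session.
    return 200, {"playerId": player_id, "expiresAt": expires.isoformat()}
```

The function is framework-agnostic: call it from whatever HTTP handler serves the route and serialize the returned dict as JSON.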

Where do Operators put the player JWT when calling PEP FE endpoints directly?

In the x-authorization header (widgets handle this for you if you use them).

Can Operators skip Frontend auth if they only use widgets?

No. Operators still must provide an identity token so PEP can validate the player and issue its JWT; the widgets simplify, but don’t eliminate, the auth requirement.

What’s the difference between “ingestion” and “reactive” APIs?

Ingestion is for bulk/periodic sync (e.g., initial loads); reactive is real-time event feeds that instantly drive missions/segments/triggers. You’ll need both for a complete integration.

Is there a single token for all Platform APIs?

Yes. Obtain a Platform OAuth token and reuse it across Platform REST, RX (reactive), and Data Fetch calls until expiry.

Does the Platform auth flow return a JWT?

Yes. The Client Credentials flow yields a JWT access token Operators include on subsequent Platform calls.

Do Operators need to define OAuth Clients in PEP Admin?

Yes. Create Client Credentials in Admin to call Platform/Data Fetch; Operators can also create FE client IDs there.
