Security Headers & Message Integrity
This document describes the required HTTP headers and message integrity mechanism for Klas Gaming Casino integration. All requests and responses must comply with these requirements to ensure secure and validated communication.
Required HTTP Headers
Each HTTP request and response must include the following headers:
| Header | Type | Mandatory | Description |
|---|---|---|---|
| X-Signature | string | Yes | The HMAC signature header used to validate message integrity. |

- The X-Signature header contains the HMAC-SHA256 signature of the entire request/response body.
Signature Calculation (HMAC-SHA256)
Overview
- The HMAC signature is calculated using a SecretID (shared key) provided to the operator by Klas Gaming.
- The signature is calculated over the entire JSON request/response body.
- The HMAC algorithm used is HMAC-SHA256.
- The result is hex encoded and sent as the value of the X-Signature header.
How to Calculate the Signature
- Take the entire request/response body as raw JSON bytes (payload).
- Calculate the HMAC-SHA256 using the shared SecretID and the payload.
- Hex encode the resulting hash.
- Set the X-Signature header with the hex-encoded value.
Go Implementation Example
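```go
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

func GenerateHMACSignature(secret string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret)) // keyed with the shared SecretID
	mac.Write(payload)                          // raw body bytes, exactly as sent or received
	return hex.EncodeToString(mac.Sum(nil))     // hex-encoded value for X-Signature
}
```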
Usage Example
Suppose the request body is:
```json
{
  "request_id": "bf6bff7c-708c-4d6f-a25c-29134988011a",
  "timestamp": 1586828615399,
  "player_id": "1101",
  "currency": "EUR",
  "session_id": "4811430036867072"
}
```
The signature is calculated as:
signature = HMAC-SHA256(SecretID, entire_json_body)
X-Signature: hex_encode(signature)
Signature Validation
If the signature validation fails, the operator system must respond with:
- HTTP Status 200
- Body:
{ "status_code": "ERR_INTEGRITY_CHECK_FAILED" }
Response Signature
- The same X-Signature header must be provided in the response for Klas Gaming RGS to verify the integrity of the response body.
- The operator must calculate the HMAC-SHA256 signature of the response body and include it in the X-Signature header.
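An operator-side sketch of the Signature Validation and Response Signature rules above, added here as an example (it is not Klas Gaming's code; only GenerateHMACSignature is repeated from the page). The Verify and Handler names, the 1 MiB body limit, the tolerance for upper-case hex, the secret and the sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// GenerateHMACSignature is repeated from the page so this block runs stand-alone.
func GenerateHMACSignature(secret string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify compares in constant time; hex case is normalised, wrong lengths fail.
func Verify(secret string, body []byte, header string) bool {
	return hmac.Equal([]byte(strings.ToLower(header)), []byte(GenerateHMACSignature(secret, body)))
}

// Handler (hypothetical operator endpoint) checks the raw bytes before any JSON parsing.
func Handler(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // assumed 1 MiB cap
		resp := []byte(`{"status_code":"OK"}`)
		if err != nil || !Verify(secret, body, r.Header.Get("X-Signature")) {
			resp = []byte(`{"status_code":"ERR_INTEGRITY_CHECK_FAILED"}`)
		}
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("X-Signature", GenerateHMACSignature(secret, resp)) // sign what is sent
		w.WriteHeader(http.StatusOK) // the page requires 200 even on failure
		w.Write(resp)
	}
}

func main() {
	secret, signed := "constructed-secret", `{"player_id":"1101"}` // constructed values
	for _, sent := range []string{signed, `{ "player_id": "1101" }`} { // second: re-formatted after signing
		req := httptest.NewRequest("POST", "/", strings.NewReader(sent))
		req.Header.Set("X-Signature", GenerateHMACSignature(secret, []byte(signed)))
		rec := httptest.NewRecorder()
		Handler(secret)(rec, req)
		fmt.Println(rec.Code, rec.Body.String())
	}
}
```

Run against the two constructed bodies, the first returns OK and the re-formatted one returns ERR_INTEGRITY_CHECK_FAILED, both with HTTP status 200 and a signed response body.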
Content-Type
- All requests and responses must use the following header:
Content-Type: application/json
HTTP Status Codes & Response Bodies
RGS expects HTTP Status code 200 for all requests, whether successful or not. All other HTTP status codes are treated as unsuccessful.
| HTTP Status | Response Body | Reason |
|---|---|---|
| 200 | status_code: OK | Request successful |
| 200 | status_code: ERR_INVALID_TOKEN | Request unsuccessful |
| 200 | status_code: ERR_INTEGRITY_CHECK_FAILED | Signature validation failed |
| 500 | INTERNAL_SERVER_ERROR | Internal server error |
| 504 | GATEWAY_TIMEOUT | Gateway timeout |
Additional Notes
- For more details on the signature and security, refer to the official Klas Gaming documentation or contact your Klas Gaming integration representative.
- Always keep your SecretID secure and never expose it in client-side code or logs.
- The signature must be calculated on the raw JSON body bytes, not on a stringified or formatted version.