Lucky Mermaid Merchant API Integration Guide
This is the primary Lucky Mermaid (LM) merchant integration document for technical teams.
1. Integration Flow
Merchant provides onboarding data
-> LM creates Merchant / Agent
-> LM configures Agent currencies, games, wallet mode, and IP whitelist
-> LM issues the Agent API key
-> Merchant calls LM APIs using the documented signature rules
-> Both sides verify player creation, transfer, game login, betting, balance, records, and reports
-> Production switch uses production domains, IP whitelist, and API keysLucky Mermaid provides an independent merchant API. Merchants should integrate using the /api/v1 paths, the LM signature model, and the multi-currency player rules described below.
2. Merchant Inputs
| Item | Required | Description |
|---|---|---|
| Company name | Yes | Used for business and back-office identification. |
| Merchant name | Yes | Used to create the Merchant. |
| Agent name | Yes | The agentName used in API requests. LM creates and provides it. |
| Currencies | Yes | For example CNY, USD, THB. Every business API request must include currency. |
| Game scope | Yes | Game IDs to enable, or all games. |
| Wallet mode | Yes | transfer wallet or single wallet. |
| Wallet callback URL | Required for single wallet | HTTPS callback URL for single-wallet mode. |
| Wallet crypto parameters | Required for single wallet | AES Key and AES IV for callbacks. Key length must be 16/24/32 characters; IV length must be 16 characters. |
| Merchant server outbound IPs | Recommended | Used for API whitelist. Provide server outbound IPs, not player IPs. |
| Technical contact | Yes | Used for integration, signature, transfer, and game-login troubleshooting. |
If the merchant uses multiple servers or NAT, provide every possible outbound public IP. A single IP should normally be written as CIDR /32, for example 203.0.113.4/32.
3. Platform Configuration
| Configuration | Description |
|---|---|
| Merchant | The merchant entity. |
| Agent | The integration channel under the merchant. Request field agentName maps to this record. |
| Agent API Key | The identity used in request header KEY. The key may be independent from agentName. |
| Agent currencies | Controls which currency values this Agent can use. |
| Game authorization | Controls which games this Agent can open. |
| Wallet mode | Controls the funds model. The first version supports transfer and single. |
| IP whitelist | Limits which merchant outbound IPs can call the API. |
| Single-wallet callback | Configure the merchant callback URL, AES Key, and AES IV in the admin UI. The internal wallet JSON is generated automatically. |
| Currency exchange / bet rate | Internal platform configuration for reports and game limits. Merchant APIs return original-currency amounts. |
4. Environments and Base URL
| Environment | Base URL | Description |
|---|---|---|
| Test | To be assigned | LM test environment. |
| Production | To be assigned before launch | Provided by LM before production release. |
POST <base>/api/v1/...
Content-Type: application/json5. Common Rules
5.1 Request Format
- All requests and responses use UTF-8 JSON.
- Unless explicitly stated, business APIs use
POST. - All business APIs require
currency. currencymust be an uppercase ISO-style currency code, such asCNY,USD, orTHB.- Amounts are decimals in the requested original currency.
5.2 Request Headers
| Header | Required | Description |
|---|---|---|
KEY | Yes | Agent API key assigned by LM. |
timestamp | Yes | Unix timestamp in seconds. |
sign | Yes | Request signature. See section 6. |
5.3 Common Response
{ "code": 200, "data": {}, "msg": "success" }code=200means success.code!=200means business failure. Checkmsgand the error-code table.- For signed business APIs,
datais AES encrypted. Examples in this document show the decrypted structure for readability. - Public catalog APIs return plain JSON and do not encrypt
data.
5.4 Time Rules
- Request header
timestampis Unix seconds. - Business time fields use
yyyy-MM-dd HH:mm:ss. - Business dates use
yyyy-MM-dd. - Merchant API business time is interpreted in GMT+8 unless otherwise agreed.
6. Authentication and Signature
6.1 Signature Flow
- Prepare the JSON request body.
- Sort business parameters by key in ascending ASCII order.
- Serialize as compact JSON.
- Encrypt the serialized string with the Agent secret using AES.
- Concatenate the encrypted string with
timestamp. - Calculate MD5 to produce
sign. - Send
KEY,timestamp,sign, and the encrypted request body.
currency is a business parameter and must participate in the signature.
6.2 AES Rules
- AES key and exact mode are assigned by LM with the Agent API key.
- The encrypted payload should be transmitted as the agreed encoded string.
- The same canonical JSON rules must be used on both sides.
6.3 Signature Example: Create Player
{
"agentName": "agent01",
"loginName": "player001",
"currency": "USD"
}canonical JSON -> AES encrypt -> encrypted + timestamp -> MD5 sign6.4 Common Signature Errors
| Cause | Description |
|---|---|
Missing currency | currency is required and must be included in the signature. |
| Wrong key order | Both sides must use the same canonical parameter order. |
| Whitespace mismatch | Use compact JSON without unstable formatting. |
| Timestamp expired | The timestamp must be close to the current server time. |
| Wrong API key | KEY must match the Agent secret used for signing. |
7. Multi-currency Player Model
- A player wallet is identified by
agentName + loginName + currency. - The same
loginNamecan exist under multiple currencies, and balances are separated. - Transfers, balances, reports, records, login, and test-play requests all use the requested
currency. - If a currency is disabled for the Agent, business APIs should return an unsupported-currency error.
8. Wallet Modes
8.1 Transfer Wallet
In transfer-wallet mode, the merchant transfers funds into or out of the LM player wallet. LM maintains the in-game balance.
- Transfer in before game entry.
- Game bets and settlements update the LM wallet.
- Transfer out after the player leaves the game or when allowed by business rules.
orderNomust be idempotent underagentName + currency + orderNo.
8.2 Single Wallet
In single-wallet mode, the merchant owns the source of funds. LM calls merchant callbacks using action codes for balance, bet, settlement, cancel-bet, and combined bet-settle requests.
- Merchant callback must be public HTTPS.
- Merchant must provide callback AES Key and AES IV. Key length must be 16/24/32 characters; IV length must be 16 characters.
- Merchant must verify callback signatures against the encrypted outer envelope.
- Merchant must handle retry and idempotency by
transferId. - Balance must stay synchronized after betting and settlement.
Admin configuration:
- Select the wallet mode when creating or editing an Agent.
- Transfer wallet does not require wallet callback configuration.
- Single wallet shows structured fields for callback URL, AES Key, and AES IV.
- The admin UI generates the internal wallet JSON automatically; operators should not edit JSON by hand.
9. API Flows
9.1 Transfer Wallet Flow
createPlayer -> transfer(type=1) -> getBalance -> login -> game bet/settle -> gameRecord -> transferRecord -> transfer(type=2)9.2 Demo Play Flow
testPlay -> open returned URL -> play with demo funds9.3 Single Wallet Flow
createPlayer -> login/testPlay -> action=6 balance callback -> action=9 bet callback -> action=10/11/8 settlement callback -> gameRecord10. API List
10.0 Public Catalog APIs
| API | Purpose | Required | Description |
|---|---|---|---|
GET /api/v1/public/currencyList | Current supported currencies | Recommended | Returns currency and name. |
GET /api/v1/public/gameList | Current available games | Recommended | Returns gameId, gameName, gameType, and gameTypeName. |
POST /api/v1/public/hotGameTop10 | Previous-month hot game ranking | Optional | Requires merchant signature; encrypted data; ranks by previous calendar month reporting-currency turnover and supports gameType filtering. |
The currency and game list APIs are plain JSON APIs for documentation, configuration checks, and operational synchronization. Hot Game Top10 is merchant-only: it requires KEY, timestamp, and sign, and returns encrypted data. The live visual catalog is shown in the appendix.
10.1 Transfer Wallet APIs
| API | Purpose | Required | Key fields |
|---|---|---|---|
POST /api/v1/createPlayer | Create player wallet | Yes | agentName, loginName, currency |
POST /api/v1/transfer | Transfer in/out | Transfer mode | orderNo, type, amount, currency |
POST /api/v1/getBalance | Query balance | Yes | agentName, loginName, currency |
POST /api/v1/login | Get real-game URL | Yes | gameId, language, currency |
POST /api/v1/testPlay | Get demo-game URL | Optional | gameId, language, currency |
POST /api/v1/transferRecord | Query transfer order | Recommended | orderNo, currency |
POST /api/v1/gameRecord | Query game records | Yes | startTime, endTime, currency |
POST /api/v1/gameRecordLink | Get record detail URL | Optional | recordId |
POST /api/v1/dayReport | Daily detail report | Optional | date, currency |
POST /api/v1/summaryReport | Multi-day summary report | Optional | startDate, endDate, currency |
POST /api/v1/playerInfo | Query player info | Optional | loginName, currency |
POST /api/v1/kickPlayer | Force player offline | Optional | loginName, currency |
10.2 Single Wallet APIs
| API | Single-wallet rule |
|---|---|
createPlayer | Still required before game entry. |
login / testPlay | LM opens the game and performs wallet callbacks during play. |
getBalance | May trigger merchant-side balance verification depending on configuration. |
transfer | Normally not used in single-wallet mode. |
gameRecord | Still used to query game records. |
11. API Details
11.1 Query Supported Currencies
GET /api/v1/public/currencyList| Field | Description |
|---|---|
currency | Currency code used by business APIs. |
name | Display name. |
11.2 Query Game List
GET /api/v1/public/gameList| Field | Description |
|---|---|
gameId | Game ID used in login and testPlay. |
gameName | Game display name. |
gameType | Game type code. |
gameTypeName | Game type display name. |
11.2.1 Query Hot Game Top10
POST /api/v1/public/hotGameTop10This merchant-only API requires the same KEY, timestamp, and sign rules as business APIs, and returns encrypted data. It ranks real-account game turnover for the previous calendar month. For example, on 2026-07-03, the ranking period is 2026-06-01 to 2026-06-30.
| Parameter | Required | Description |
|---|---|---|
gameType | Yes | Game type ID. Send 0 to query the platform-wide Top10. |
Request example:
{
"gameType": 2
}Response example:
{
"code": 200,
"data": "AES_ENCRYPTED_DATA",
"msg": "Success"
}Decrypted data example:
[
{
"rank": 1,
"gameId": 1000,
"gameName": "Flying Dragon Fishing+",
"gameType": 2,
"gameTypeName": "Fishing"
}
]| Field | Description |
|---|---|
rank | Ranking number, starting from 1. |
gameId | Game ID. |
gameName | Game display name. |
gameType | Game type ID. |
gameTypeName | Game type display name. |
11.3 Create Player
POST /api/v1/createPlayer| Parameter | Required | Description |
|---|---|---|
agentName | Yes | Agent account. |
loginName | Yes | Merchant player account. |
currency | Yes | Player wallet currency. |
nickname | No | Display nickname. |
11.4 Login Game
POST /api/v1/login| Parameter | Required | Description |
|---|---|---|
agentName | Yes | Agent account. |
loginName | Yes | Player account. |
currency | Yes | Player wallet currency. |
gameId | Yes | Game ID. |
language | Yes | Language code. |
backUrl | No | Return URL. |
11.5 Get Demo URL
POST /api/v1/testPlay returns a demo-game URL. Parameters are similar to login, but use demo funds.
11.6 Wallet Transfer
POST /api/v1/transfer is used in transfer-wallet mode. type=1 transfers in, type=2 transfers out. orderNo is idempotent by agentName + currency + orderNo.
11.7 Query Transfer Order
POST /api/v1/transferRecord queries an existing transfer by orderNo and currency. Use it after timeout before retrying with a new order.
11.8 Query Balance
POST /api/v1/getBalance returns the player balance in the requested currency.
11.9 Query Game Records
POST /api/v1/gameRecord returns game records by time range, page, and currency. Amounts are original-currency amounts.
11.10 Get Record Detail Link
POST /api/v1/gameRecordLink returns a URL for viewing a specific game record when supported by the game.
11.11 Daily Detail Report
POST /api/v1/dayReport returns daily detail metrics for the requested currency.
11.12 Multi-day Summary Report
POST /api/v1/summaryReport returns aggregated metrics over a date range.
11.13 Query Player Info
POST /api/v1/playerInfo returns player information for agentName + loginName + currency.
11.14 Force Player Offline
POST /api/v1/kickPlayer requests LM to disconnect a player session.
12. Single Wallet Callback Requirements
For single-wallet mode, merchants must provide a public callback URL. LM sends POST JSON requests using the Lucky Mermaid single-wallet wire format. The HTTP body is an encrypted envelope with dc, x, and parent. The x field contains the encrypted business payload; merchants should verify the outer envelope signature first, then decrypt x, then dispatch by the decrypted action.
The platform admin configuration requires the following fields:
| Field | Required | Description |
|---|---|---|
| Callback URL | Yes | Merchant wallet service endpoint. HTTPS is recommended; test environments may use http/ws/wss as agreed. |
| AES Key | Yes | Callback signing/encryption key. Length must be 16/24/32 characters. |
| AES IV | Yes | Callback encryption IV. Length must be 16 characters. |
The admin UI uses these fields to generate the internal wallet configuration automatically. Do not require operators to edit JSON directly. For troubleshooting, the internal shape is {"type":"default","data":{"url":"...","key":"...","iv":"..."}}.
12.1 HTTP Body Envelope
The outer HTTP body format is fixed:
{
"dc": "",
"x": "ENCRYPTED_PAYLOAD",
"parent": ""
}| Field | Required | Description |
|---|---|---|
dc | Yes | Domain marker. It is usually an empty string in the test environment. |
x | Yes | Business request encrypted with the configured AES Key and AES IV. |
parent | No | Parent marker. It is usually empty or omitted in the test environment. |
The decrypted x payload contains the business fields. Balance query example:
{
"action": 6,
"ts": 1783080000000,
"uid": "player001",
"currency": "HKD",
"gType": 3,
"mType": 3006,
"transferId": 1522700686997852160
}12.2 Callback Actions
action | When | Merchant action | Idempotency |
|---|---|---|---|
6 | Before login or settlement check | Return current balance without changing funds. | Repeatable. |
9 | Player bet deduction | Deduct amount. | Idempotent by transferId. |
10 | Settlement or payout | Add amount and record the round. | Idempotent by transferId. |
11 | Cancel bet | Reverse the referenced deduction by refTransferIds. | Must be idempotent. |
8 | Bet and settle in one request | Handle deduction and payout atomically. | Idempotent by transferId. |
12.3 Callback Headers
LM calls merchant callbacks using KEY, timestamp, and sign. The sign is calculated from the outer envelope, not from decrypted business fields: sort dc, x, and parent; serialize compact JSON; encrypt that string with AES/ECB/PKCS5 and standard Base64; append timestamp; then MD5 the result.
Fields such as currency, uid, and action are inside the decrypted x payload. They are protected indirectly because the encrypted x value is part of the signed envelope.
12.4 Decrypted Business Fields
| Field | Required | Description |
|---|---|---|
action | Yes | Action code: 6 balance, 9 bet, 10 settle, 11 cancel bet, 8 bet and settle. |
ts | Yes | Business timestamp in milliseconds. |
uid | Yes | Player account, equivalent to LM loginName. |
currency | Yes | Wallet currency. |
gType | Yes | Game type. |
mType | Yes | Game ID. |
transferId | Yes | LM callback transaction ID and merchant idempotency key. |
amount | Required for fund actions | Deduction, payout, or reversal amount. |
refTransferIds | Required for cancel/settlement actions | Referenced transaction IDs. |
gameRoundSeqNo | Required for game-round actions | Game round ID. |
12.5 Callback Response
Merchant responses use the single-wallet callback response format, not the LM merchant API code/data/msg format:
{ "status": "0", "balance": 99.00, "err_text": "", "transferId": 1522700686997852160 }- Return
status="0"orstatus=0on success. - Successful responses must return the current
balance. - Return
transferIdunchanged when possible for reconciliation. - Insufficient balance must not deduct funds and should return a non-zero status with clear
err_text. - Repeated
transferIdmust return an equivalent result.
13. Error Codes
| Code | Description |
|---|---|
| 200 | Success. |
| 503 | System maintenance. |
| 4000 | Agent does not exist. |
| 4001 | IP is not in API whitelist. |
| 4002 | Invalid parameter. |
| 4004 | Game is not enabled. |
| 4005 | User login failed. |
| 4006 | User does not exist. |
| 4007 | Transfer failed. |
| 4008 | Query time range exceeds limit. |
| 4009 | Invalid time format. Expected yyyy-MM-dd HH:mm:ss. |
| 4014 | User already exists. |
| 4015 | Order does not exist. |
| 4016 | Order exists or order parameters conflict. |
| 4017 | Invalid amount. |
| 4018 | Insufficient amount. |
| 4019 | Signature error. |
| 4020 | Timestamp expired. |
| 4024 | Game is still in progress; funds cannot be transferred out. |
| 4100 | currency is required. |
| 4101 | Unsupported currency. |
| 4102 | Agent has not enabled this currency. |
| 4103 | Player currency does not exist or does not match. |
| 4104 | Currency exchange rate is not configured. |
| 4105 | Currency bet rate is not configured. |
| 4110 | Single-wallet callback failed. |
| 4111 | Single-wallet balance is insufficient. |
| 4112 | Single-wallet callback signature error. |
14. IP Whitelist and Security
- Merchant server outbound IPs should be added to the LM whitelist.
- Do not submit player IPs as merchant server IPs.
- Agent API keys must be stored server-side only.
- Production and test keys should be separated.
- After a network timeout, use
/api/v1/transferRecordto query the original order before deciding whether to retry. - Single-wallet callback secrets must be stored server-side and must not be mixed with merchant-to-LM API keys.
15. Integration Checklist
15.1 Basic Checks
- Agent has been created.
- Agent API key has been delivered.
- Agent has at least one enabled currency.
- Agent has at least one authorized game.
- Merchant outbound IP is whitelisted.
- Merchant can generate
KEY,timestamp, andsigncorrectly.
15.2 Multi-currency Checks
- Create
agent01 + player001 + CNYsuccessfully. - Create
agent01 + player001 + USDsuccessfully. - Balances in different currencies are independent.
- A
USDplayer cannot use aCNYwallet to enter a game. - Transfers, balances, records, and reports return original-currency amounts according to request
currency.
15.3 Transfer Wallet Checks
type=1transfer-in succeeds.- Balance query is correct.
- Game login succeeds.
- In-game betting updates the balance correctly.
- Game records can be queried by currency.
type=2transfer-out succeeds.- Timeout scenarios can be resolved with
transferRecord. - Repeated
orderNodoes not duplicate fund changes.
15.4 Single Wallet Checks
- Merchant callback URL is publicly reachable over HTTPS.
- Merchant verifies LM callback signatures against the encrypted outer envelope.
action=6returns the correct balance.action=9deducts once and is idempotent bytransferId.- Insufficient balance fails without deduction.
action=10adds payout once and is idempotent bytransferId.action=11reverses referenced transactions idempotently byrefTransferIds.- Game entry, bet, settlement, and game-record query pass end to end.
16. Appendix: Currency and Game Catalog
The catalog below is loaded live from public APIs. It helps integration teams look up the current currency codes and gameId values.