747.LIVE Agent Platform API

A unified REST API for automating casino agent operations — deposits, withdrawals, rebates, bypass handling, messaging, reports, and webhooks. Built for seamless integration with any tech stack and payment gateway.

Base URL

https://747.innoserver.cloud/api

Key Features

Smart Transfers — One endpoint auto-detects player ownership, calculates rebates, enforces bypass policies
Token Authentication — Login once, use Bearer token for all requests (4h TTL)
Idempotency — Prevent duplicate transactions with X-Idempotency-Key
Webhooks — Real-time event delivery with HMAC-SHA256 signature verification
Standard Envelope — Every response follows {success, data, error, meta}
Payment Gateway Ready — Track payment method, reference, and reconcile across gateways
37 Endpoints across 11 categories with full Swagger/OpenAPI spec

Architecture

The API sits between your application and the 747.LIVE agent panel. It handles session management, transfer logic, and event delivery.

Your App / Gateway

→

747 Platform API

→

747.LIVE Panel

Webhook Event

→

Your Webhook URL

How it works

Your app sends requests to the Platform API. The API authenticates via session cookies to the 747.LIVE panel, executes operations, applies business logic (rebates, bypass), and fires webhook events back to your app.

Quick Start

Get up and running in 3 API calls.

Step 1 — Authenticate

POST /api/auth/login

curl -X POST https://747.innoserver.cloud/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "agentUsername": "your_username",
    "agentPassword": "your_password"
  }'

Save the token from data.token. Use it as Authorization: Bearer <token> for all requests.

Step 2 — Check your balance

POST /api/balance

curl -X POST https://747.innoserver.cloud/api/balance \
  -H "Authorization: Bearer tok_your_token" \
  -H "Content-Type: application/json" -d '{}'

Step 3 — Smart transfer

POST /api/transfer

curl -X POST https://747.innoserver.cloud/api/transfer \
  -H "Authorization: Bearer tok_your_token" \
  -H "Content-Type: application/json" \
  -H "X-Idempotency-Key: unique-uuid" \
  -d '{
    "playerUsername": "PlayerName",
    "type": "deposit",
    "amount": 100,
    "paymentMethod": "gcash",
    "paymentReference": "GC-12345"
  }'

Done!

The API auto-detects player ownership, calculates rebates, logs the transaction, and fires webhooks. The response includes txId, before/after balances, bypass status, and rebate details.

Authentication

Two methods supported. Token auth is recommended for production.

Method 1: Bearer Token (Recommended)

Exchange credentials once for a 4-hour token.

POST /api/auth/login

{
  "agentUsername": "your_username",
  "agentPassword": "your_password"
}

Response:

{
  "success": true,
  "data": {
    "token": "tok_71ea44dfb42f5ddc...",
    "affiliateId": "459343",
    "expiresAt": "2026-03-28T18:53:45Z",
    "ttlSeconds": 14400
  }
}

Use on all subsequent requests:

Authorization: Bearer tok_71ea44dfb42f5ddc...

Refresh before expiry: POST /api/auth/refresh with the token in the header.

Method 2: Body Credentials

Include agentUsername and agentPassword in every request body. Simpler for testing but credentials appear in every request.

Response Format

Every response follows a standardized envelope:

{
  "success": true,
  "data": { ... },         // Payload (null on error)
  "error": null,           // Error details (null on success)
  "meta": {
    "requestId": "req_4e958a2f608ee96b",
    "timestamp": "2026-03-28T14:53:45Z"
  }
}

Field	Type	Description
`success`	boolean	Whether the request succeeded
`data`	object \| null	Response payload on success
`error`	object \| null	`{code, message}` on failure
`meta.requestId`	string	Unique ID for tracing — include in support tickets
`meta.timestamp`	string	ISO 8601 server timestamp

Error Handling

{
  "success": false,
  "data": null,
  "error": {
    "code": "INSUFFICIENT_BALANCE",
    "message": "Need 100 but have 14"
  }
}

Status	Code	Meaning
`200`	—	Success
`400`	`BAD_REQUEST`	Missing or invalid parameters
`401`	`AUTH_ERROR`	Invalid or expired token / credentials
`404`	`NOT_FOUND`	Endpoint or resource not found
`500`	`SERVER_ERROR`	Internal error — report with `requestId`

Idempotency

Prevent duplicate transactions by sending a unique key with transfer requests:

X-Idempotency-Key: 550e8400-e29b-41d4-a716-446655440000

If the same key is sent again within 24 hours, the API returns the original response with _idempotent: true without re-executing.

Best Practice

Always use idempotency keys on: /transfer, /deposit, /withdraw, /agent/deposit, /agent/withdraw. Use UUIDs or your payment gateway's transaction reference as the key.

Supported endpoints: All transfer-type endpoints accept the header or idempotencyKey in the request body.

Rate Limits

The underlying 747.LIVE panel has its own session-based rate limits. The API uses persistent sessions to minimize re-authentication overhead. For best performance:

Use token auth (sessions are cached and reused)
Space transfer requests by at least 500ms to avoid panel-side throttling
Use idempotency keys for retry safety
Monitor /api/health for uptime status

Pagination

List endpoints support start and limit parameters:

{
  "start": 0,    // offset (default: 0)
  "limit": 50    // max records (default: 50, max: 100)
}

Responses include count (records returned) and total (total records) when available.

Smart Transfer

The recommended way to process all player transactions. Wraps raw deposit/withdraw with business logic:

Player ownership detection — Auto-lookup via affiliateId
Rebate calculation — Configurable per sub-agent
Bypass policy — Escalating: free → surcharge → block
Agent notification — In-panel message on first bypass
Payment tracking — paymentMethod + paymentReference
Full audit trail — Every transaction logged with rebate and bypass details

POST /transfer

POST /api/transfer

Request Body

Parameter	Type		Description
`playerUsername`	string	required	Player's username
`type`	string	required	`deposit` or `withdraw`
`amount`	number	required	Amount in PHP
`comment`	string	optional	Transaction note
`paymentMethod`	string	optional	`gcash`, `bank`, `crypto`, `manual`
`paymentReference`	string	optional	External payment reference ID

Response (bypass deposit example)

{
  "txId": "ST-20260328-000003",
  "type": "deposit",
  "playerUsername": "Lykmyk",
  "amount": 100,
  "isBypass": true,
  "owningAgent": { "id": "460346", "username": "doctrinedark" },
  "rebate": { "percent": 2, "amount": 2.00, "owedTo": "doctrinedark" },
  "bypassInfo": { "count": 1, "tier": "free", "surchargePercent": 0 },
  "paymentMethod": "gcash",
  "panelTransactionId": "773441297",
  "agentBalanceBefore": 115,
  "agentBalanceAfter": 15,
  "playerBalanceBefore": 0,
  "playerBalanceAfter": 100
}

Rebate Configuration

Set rebate % per sub-agent. GET returns config + settlement summary (how much you owe each agent).

POST /api/transfer/config — Set

{ "action": "set", "subAgentUsername": "doctrinedark", "rebatePercent": 2.5 }

POST /api/transfer/config — Get (+ settlement)

// Empty body or omit "action"
// Response includes:
"settlement": [{ "username": "doctrinedark", "totalRebateOwed": 45.50, "transactionCount": 23 }]

Bypass Policy

Tier	Condition	Behavior
Free	First N requests in window	Process normally, notify owning agent
Surcharge	N+1 to block limit	Process with surcharge % logged for settlement
Blocked	Beyond block limit	Reject — player told to contact their agent

POST /api/transfer/bypass-policy — Configure

{
  "action": "set",
  "maxFreeBypassesPerWindow": 5,
  "windowHours": 24,
  "surchargePercent": 1.5,
  "blockAfter": 15,
  "notifyOwningAgent": true
}

Transfer History

POST /api/transfer/history

{
  "playerUsername": "Lykmyk",     // optional
  "type": "deposit",              // optional
  "dateFrom": "2026-03-01",        // optional
  "dateTo": "2026-03-28",          // optional
  "bypassOnly": true,             // optional
  "owningAgent": "doctrinedark"   // optional
}

Raw Transfers

Direct transfer endpoints without rebate or bypass logic. Use /transfer for most cases.

POST/api/depositDeposit to player

Parameter	Type
`playerUsername`	string	req
`amount`	number	req
`comment`	string	opt

POST/api/withdrawWithdraw from player

Same parameters as deposit.

POST/api/agent/depositDeposit to sub-agent

Supports REAL (cash now) or CREDIT (cash later) modes.

Parameter	Type
`agentTarget`	string	req
`amount`	number	req
`moneyType`	string	opt `REAL` \| `CREDIT`
`comment`	string	opt

POST/api/agent/withdrawWithdraw from sub-agent

Same parameters as agent deposit.

Players & Agents

POST/api/balance

Returns your agent wallet: balance, credit, creditLine, totalAvailable, bonus, frozenBalance, currency.

POST/api/player/search

Search for a player by username (partial match). Returns playerId, affiliateId (owning agent), registration date, name, currency, phone.

{ "playerUsername": "chubbyme" }

POST/api/player/balance

Get a player's balance by their Player ID.

{ "playerId": "400959205" }

POST/api/players

Paginated list of all players. Pass start and limit. Returns playerId, username, firstname, lastname, affiliateId, currency, registerDate, phoneNumber.

POST/api/agent/search

List sub-agents. Returns affiliateId, username, email, currency, status, parentAffiliateId. Pass optional username to filter.

POST/api/player/create

Register a new player. Required: username, email, password. Optional: firstName, lastName, middleName, mobile, country, birthDate.

POST/api/agent/create

Register a new sub-agent. Required: email, username, password. Optional: firstName, lastName, currency (default PHP).

Reports

All report endpoints accept optional dateFrom and dateTo in YYYY/MM/DD format. Defaults to current month.

POST/api/report/playersPlayer activity

Per-player: bets, wins, deposits, withdrawals, ggr, commission. Filter by playerId, playerName, onlyActive.

POST/api/report/agentsAgent performance

Sub-agent performance: deposits, ftdCount, bets, wins, ggr, commission. Filter by username, affiliateId.

POST/api/report/dailyDaily summary

Day-by-day: deposits, withdrawals, bets, wins, ggr, commission. Ideal for charts.

POST/api/report/productsProduct breakdown

By product type: Slots, Sportsbook, Live Games, Table Games, etc.

Messaging

Internal messaging via the panel's chat system. Use for OTPs, alerts, inter-agent communication.

POST/api/message/send

Parameter	Type	Description
`toAffiliateId`	string	Recipient ID (get from `/message/recipients`)
`message`	string	Content (max 3000 chars)

Other endpoints: /message/chats, /message/chat, /message/recipients, /message/unread

POST/api/notifications

System notifications: transfer alerts, commission changes, balance events. Includes titleKey (event type) and variables (context). Pass start / limit for pagination.

Webhooks

Event	Fired When
`transfer.completed`	Smart transfer succeeds
`transfer.failed`	Smart transfer fails
`bypass.blocked`	Bypass transfer blocked by policy

Register a Webhook

POST /api/webhook/register

{
  "url": "https://yourapp.com/webhook/747",
  "events": ["transfer.completed", "transfer.failed"]
}
// Response includes auto-generated HMAC secret

Signature Verification

Each delivery includes these headers:

Header	Description
`X-Webhook-Signature`	HMAC-SHA256 hex digest of body using your secret
`X-Webhook-Event`	Event type
`X-Webhook-Id`	Your webhook registration ID

Node.js verification

const crypto = require('crypto');

function verifyWebhook(body, signature, secret) {
  const expected = crypto.createHmac('sha256', secret)
    .update(body).digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature), Buffer.from(expected)
  );
}

SDK Examples

Integration examples for popular languages. All examples use token auth.

const BASE = 'https://747.innoserver.cloud/api';

async function api(endpoint, body, token) {
  const res = await fetch(BASE + endpoint, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      ...(token ? { 'Authorization': `Bearer ${token}` } : {})
    },
    body: JSON.stringify(body)
  });
  return res.json();
}

// Login
const { data } = await api('/auth/login', {
  agentUsername: 'demo', agentPassword: '***'
});
const token = data.token;

// Smart transfer
const result = await api('/transfer', {
  playerUsername: 'Lykmyk',
  type: 'deposit',
  amount: 100,
  paymentMethod: 'gcash'
}, token);

console.log(result.data.txId);  // ST-20260328-000001

import requests

BASE = "https://747.innoserver.cloud/api"

# Login
login = requests.post(f"{BASE}/auth/login", json={
    "agentUsername": "demo",
    "agentPassword": "***"
}).json()
token = login["data"]["token"]
headers = {"Authorization": f"Bearer {token}"}

# Smart transfer
result = requests.post(f"{BASE}/transfer",
    headers=headers,
    json={
        "playerUsername": "Lykmyk",
        "type": "deposit",
        "amount": 100,
        "paymentMethod": "gcash"
    }
).json()

print(result["data"]["txId"])  # ST-20260328-000001

<?php
$base = "https://747.innoserver.cloud/api";

function api($endpoint, $body, $token = null) {
    global $base;
    $headers = ["Content-Type: application/json"];
    if ($token) $headers[] = "Authorization: Bearer $token";

    $ch = curl_init($base . $endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => json_encode($body),
        CURLOPT_HTTPHEADER => $headers,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    return json_decode(curl_exec($ch), true);
}

// Login
$login = api("/auth/login", [
    "agentUsername" => "demo",
    "agentPassword" => "***"
]);
$token = $login["data"]["token"];

// Smart transfer
$result = api("/transfer", [
    "playerUsername" => "Lykmyk",
    "type" => "deposit",
    "amount" => 100,
    "paymentMethod" => "gcash",
], $token);

echo $result["data"]["txId"]; // ST-20260328-000001

# Login
TOKEN=$(curl -s -X POST https://747.innoserver.cloud/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"agentUsername":"demo","agentPassword":"***"}' \
  | jq -r '.data.token')

# Smart transfer with idempotency
curl -X POST https://747.innoserver.cloud/api/transfer \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -H "X-Idempotency-Key: $(uuidgen)" \
  -d '{
    "playerUsername": "Lykmyk",
    "type": "deposit",
    "amount": 100,
    "paymentMethod": "gcash",
    "paymentReference": "GC-12345"
  }'

Changelog

v2.0.0 — March 28, 2026

Token-based authentication (/auth/login, /auth/refresh)
Standardized response envelope with requestId tracing
Idempotency keys for all transfer endpoints
Webhook registration and HMAC-signed event delivery
Payment method and reference tracking on smart transfers
Health check endpoint (GET /api/health)
CORS configuration for production deployments

v1.0.0 — March 28, 2026

Initial release with 30 endpoints
Smart Transfer with rebate engine and bypass policy
Agent-to-agent transfers (REAL and CREDIT modes)
7 report endpoints with date range filters
Internal messaging and notification system
Player and agent registration