All calls to MG+ APIs must be authenticated and secured.
Player Token
Each API request must include the player token in the following HTTP header:
Authorization: Bearer {playerToken}
HMAC
Each API request must include an HMAC SHA-256 hash generated over the request payload using a shared secret key. This hash must be sent in the following header:
X-HMAC-Signature: {calculated HMAC hash}
The server will validate the HMAC to verify the integrity and authenticity of the request.
Request ID
Each API request must include a unique request ID in the form of a GUID/UUID.
X-Request-ID: {guid/uuid}
HTTPS
All endpoints must be accessed via HTTPS.
IP Whitelisting
API access is restricted to authorized client IP addresses.
Response Headers
All API responses include
X-Request-ID: {echo of request-ID}
Content-Type: application/json
Cache-Control: no-cache, no-store