Phylax iG · Developers

Webhook integration reference

Back to console

Integrate in four steps

Phylax sends signed, idempotent webhook events to your PAM. You build one receiver endpoint, verify the signature, and map each event type to a wallet action. Phylax never holds player funds — your PAM remains the system of record.

  1. 01

    Download the OpenAPI spec + verification snippet

  2. 02

    Stand up one receiver endpoint

  3. 03

    Verify HMAC, map event_type → PAM action

  4. 04

    Test against our Sandbox PAM, then flip to production

Download OpenAPI 3.1 spec

Event catalog

event_typeLabelPAM action
profit_shieldProfit Shield LockLock funds in a time-boxed vault
p2p_swapP2P Loyalty SwapTransfer loyalty points between players
instant_claimInstant Claim InsuranceCredit insurance payout to player wallet
karma_reseedSession Karma ReseedRotate provably-fair seed token
win_certificateWin Certificate MintMint a permanent win certificate record
piggybankPiggybank SweepSweep rounding remainder into savings vault

Signed payload

Headers: X-Phylax-Signature (HMAC-SHA256 of the raw body) and X-Phylax-Event-Id (idempotency key).

{
  "id": "evt_3f9a2b8c1d",
  "type": "profit_shield",
  "operator": "aurora",
  "player_hash_id": "au_9f1c20",
  "provider": "NetEnt",
  "amount_eur": 25.00,
  "fee_eur": 0.10,
  "pam_action": "Lock funds in a time-boxed vault",
  "pii_processed": false,
  "created_at": "2026-06-06T14:32:07.000Z",
  "data": {}
}

Receiver verification snippet

// Spring Boot receiver — verify signature, then map to your PAM
@PostMapping("/phylax/webhook")
public ResponseEntity<String> receive(
        @RequestBody String raw,
        @RequestHeader("X-Phylax-Signature") String sig,
        @RequestHeader("X-Phylax-Event-Id") String eventId) throws Exception {

    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(SIGNING_SECRET.getBytes(), "HmacSHA256"));
    String expected = "sha256=" + HexFormat.of().formatHex(mac.doFinal(raw.getBytes()));
    if (!MessageDigest.isEqual(expected.getBytes(), sig.getBytes()))
        return ResponseEntity.status(401).body("invalid_signature");

    if (alreadyProcessed(eventId)) return ResponseEntity.ok("duplicate");

    PhylaxEvent e = objectMapper.readValue(raw, PhylaxEvent.class);
    switch (e.type) {
        case "profit_shield":   pam.lockFunds(e.player_hash_id, e.amount_eur); break;
        case "instant_claim":   pam.credit(e.player_hash_id, e.amount_eur);    break;
        // ... map remaining event types
    }
    return ResponseEntity.ok("applied");
}

Live sandbox round-trip

Fire a real signed event at the in-app Sandbox PAM simulator and watch the round-trip complete — exactly what your engineers test against.