Testing & Sign-off
Testing checklist (Tap-specific, run against staging)
| # | Test | Pass criterion |
|---|---|---|
| 1 | Step-1 GET returns iFrame URL only after Step-2 returns status:"Ok" | In your logs, /authenticate POST timestamps strictly before the Step-1 200 response |
| 2 | iFrame loads, player is logged in anonymously | Tap a cell — no further login required |
| 3 | /getbalance is called before every /opentrade | Inspect log order |
| 4 | /opentrade debits correctly | Balance reduces by exactly amount |
| 5 | /opentrade is idempotent | Replay same externalTradeId → same response, balance unchanged |
| 6 | /closetrade settles win correctly | Balance increases by stake + payout (the amount TS sent) |
| 7 | /closetrade settles loss correctly | Balance unchanged (TS sends amount: "0") |
| 8 | /closetrade settles tie correctly | Balance increases by stake |
| 9 | /closetrade is idempotent | Replay same externalTradeId → same response, balance unchanged |
| 10 | HMAC signature validation accepts ±60 s skew, rejects beyond | Set X-Timestamp ±59 s → accept; ±61 s → reject |
| 11 | Nonce replay rejected within 180 s | Re-send same X-Nonce within window → reject |
| 12 | Error paths return documented statuses | Insufficient funds → InsufficientFunds; bad signature → InvalidDigest; unknown token → Unauthorized |
| 13 | Multi-currency: separate userId per (player, currency) | Two userIds (e.g. 1_usd, 1_jpy) maintained separately; balances don't bleed between them |
| 14 | High-frequency burst tolerance | Drive a burst of 50 /closetrade calls in 10 s → all process, no drops, no double-application |
| 15 | Language switch via postMessage updates UI | {type:"languageSelect", payload:"ja"} → iFrame switches to Japanese |
What TS provides / what you provide
Tradesmarter provides:
- The iFrame URL (staging: https://s11.taptrading.com; production assigned later).
- HMAC shared secret for callback signing/verification (sent via secure channel).
- Outbound IP ranges to allowlist on your wallet API.
- A Postman collection covering all four callbacks.
- Test users + scenarios for the checklist above.
- A staging account so you can integrate before production.
You provide:
- The 4 wallet endpoints (/authenticate, /getbalance, /opentrade, /closetrade) over HTTPS.
- HMAC-SHA256 signature verification on /getbalance, /opentrade, /closetrade (/authenticate is unsigned by design).
- IP allowlisting on the wallet API to restrict to TS's outbound IPs.
- A parent page with a "Play" button that mints a launch token, sets the launch cookies, and embeds the iFrame URL TS returns.
- Test user accounts on your side (USD, JPY, plus any additional currencies you want enabled).
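One way to implement the receive-side check behind checklist rows 10 to 12 and the HMAC-SHA256 item above, added here as an example and not Tradesmarter's code. The canonical string, the Unix-seconds timestamp format and the StaleTimestamp / ReplayedNonce labels are assumptions; take the real signing format from the TS callback specification.

```python
import hashlib
import hmac
import time

MAX_SKEW_S = 60    # checklist row 10: accept up to 60 s of clock skew
NONCE_TTL_S = 180  # checklist row 11: remember each nonce for 180 s


class CallbackVerifier:
    """Checks a signed wallet callback: digest, then freshness, then nonce."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock  # injectable so the skew tests need no sleeping
        self._seen = {}      # nonce -> expiry; use a shared store across workers

    def sign(self, timestamp: str, nonce: str, body: bytes) -> str:
        # ASSUMPTION: canonical string is timestamp, nonce and raw body joined
        # by newlines, hex-encoded. Replace with the format TS specifies.
        msg = b"\n".join([timestamp.encode(), nonce.encode(), body])
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, timestamp: str, nonce: str, body: bytes, signature: str) -> str:
        now = self._clock()
        # A newline in a header field would make the canonical string ambiguous.
        if "\n" in timestamp or "\n" in nonce:
            return "InvalidDigest"
        # Digest first, in constant time, so unauthenticated requests can
        # neither fill the nonce cache nor burn a legitimate nonce.
        expected = self.sign(timestamp, nonce, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "InvalidDigest"   # status documented in the checklist
        try:
            sent_at = int(timestamp)  # ASSUMPTION: X-Timestamp is Unix seconds
        except ValueError:
            return "StaleTimestamp"  # hypothetical internal label
        if abs(now - sent_at) > MAX_SKEW_S:
            return "StaleTimestamp"
        # Drop expired nonces, then reject any nonce still inside its window.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return "ReplayedNonce"   # hypothetical internal label
        self._seen[nonce] = now + NONCE_TTL_S
        return "Ok"
```

Because the 180 s nonce window is longer than the 60 s skew allowance, a captured request's timestamp is already stale by the time its nonce is evicted, so it cannot be replayed with the same headers.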
Glossary
- External Wallet Provider — you (operator). Hold user identity + funds.
- Tradesmarter (TS) — runs the trading games inside the iFrame.
- Launch token — UUID you mint per Play click. Echoed back on /authenticate.
- Wallet token — opaque token you mint on /authenticate. TS sends it on every wallet callback.
- externalTradeId — TS's trade ID, sent on /opentrade and matching /closetrade. Idempotency key.
- Cell — a single (tStart, tEnd, pMin, pMax) rectangle on the Tap grid the player taps to commit a stake.
- Tap size — the time width of cells the player chose (2 / 4 / 8 s).
- payoutRatio — profit multiplier shown on the cell at tap time. Locked at open.