Predictu API

Authentication

Predictu’s authentication system supports two distinct access modes, ensuring a secure and seamless experience whether users access the platform directly or through a casino partner’s embedded integration.

Flexible by design. The authentication layer adapts to your integration model. Direct users register and log in with credentials. Embedded users are authenticated transparently through your existing casino session, with no additional sign-up required.

Two Authentication Flows

Direct Authentication

For users accessing Predictu as a standalone platform. Players register with an email and password, then log in to receive a secure session token used for all subsequent interactions.

1. Register — User creates an account with their credentials
2. Login — User authenticates and receives a session token
3. Trade — Session token authorizes all platform activity
4. Verify — Session validity can be checked at any time

Embedded Authentication

For users accessing Predictu through a casino operator’s iframe integration. This flow enables completely frictionless player onboarding: users who are already logged into the casino site are automatically authenticated within the Predictu embed, with no separate registration or login step required.

1. Casino authenticates user — Player logs into the casino using the casino’s own authentication
2. Casino generates a signed token — The casino server creates a short-lived, cryptographically signed token containing the player’s identity
3. Embed loads with token — The token is passed to the iframe during initialization
4. Predictu initializes session — The token is verified, the player account is found or created automatically, and a platform session is established
5. Ready to trade — The player can immediately start trading without any additional steps

Zero-friction onboarding. Embedded users never see a registration or login screen. Their first interaction with Predictu is the trading experience itself. New accounts are created transparently on first visit, and returning users are recognized automatically.

Session Management

Authenticated sessions are managed through secure, time-limited tokens. After authentication, a session token is issued that authorizes all subsequent platform activity. Tokens have a defined lifetime and must be refreshed by re-authenticating when they expire.

Session verification is available at any time to confirm that a token is still valid and to retrieve the latest user profile, including current tier, balance, and activity summary.
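The direct flow above (register, login, trade, verify) together with the time-limited session tokens of this section, written out as an added example. This is not Predictu's code: the page describes the steps and, in the Security Features section below, the properties of high-iteration password hashing, rate-limited logins and generic login errors, but gives no storage layout, token format or numeric limits. PBKDF2-HMAC-SHA256 with 600,000 iterations, a one-hour session, a five-failure throttle and the `AuthService` class and method names are all assumptions made for this illustration.

```python
"""Direct authentication flow: register, login, verify, session expiry.

Added illustration, not Predictu's code. The page names the four steps and
the security properties (high-iteration password hashing, rate-limited
logins, generic error messages, time-limited session tokens); the storage
layout, token format and the numeric limits below are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Assumed parameters; the page gives no concrete values.
PBKDF2_ITERATIONS = 600_000   # high-iteration PBKDF2-HMAC-SHA256
SESSION_LIFETIME_S = 3600     # "defined lifetime" for a session token
MAX_FAILED_LOGINS = 5         # failures per e-mail before login is throttled
FAILURE_WINDOW_S = 900        # window over which failures are counted
GENERIC_LOGIN_ERROR = "Invalid email or password"  # identical for unknown e-mail and wrong password
_DUMMY_SALT = b"\x00" * 16    # used so unknown e-mails still cost one hash computation


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self, now=time.time):
        self.now = now                              # injectable clock, so expiry is testable
        self.users: dict[str, dict] = {}            # email -> {salt, hash, tier, balance}
        self.sessions: dict[str, dict] = {}         # token -> {email, expires_at}
        self.failures: dict[str, list[float]] = {}  # email -> timestamps of failed logins

    def register(self, email: str, password: str) -> bool:
        """Step 1: create the account; False if the e-mail is already taken."""
        email = email.strip().lower()
        if email in self.users:
            return False
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest, "tier": "player", "balance": 0}
        return True

    def _throttled(self, email: str) -> bool:
        """Brute-force protection: too many recent failures for this e-mail."""
        cutoff = self.now() - FAILURE_WINDOW_S
        recent = [t for t in self.failures.get(email, []) if t > cutoff]
        self.failures[email] = recent
        return len(recent) >= MAX_FAILED_LOGINS

    def login(self, email: str, password: str) -> tuple[str | None, str | None]:
        """Step 2: return (session_token, None) on success, (None, error) otherwise."""
        email = email.strip().lower()
        if self._throttled(email):
            return None, "Too many attempts, try again later"
        user = self.users.get(email)
        # Hash even for unknown e-mails so the response time does not reveal existence.
        _, candidate = hash_password(password, user["salt"] if user else _DUMMY_SALT)
        if user is None or not hmac.compare_digest(candidate, user["hash"]):
            self.failures.setdefault(email, []).append(self.now())
            return None, GENERIC_LOGIN_ERROR   # same text whether e-mail or password was wrong
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "expires_at": self.now() + SESSION_LIFETIME_S}
        return token, None

    def verify(self, token: str) -> dict | None:
        """Step 4: profile for a live session, or None once the token has expired."""
        session = self.sessions.get(token)
        if session is None or session["expires_at"] <= self.now():
            self.sessions.pop(token, None)   # expired: the user must re-authenticate
            return None
        user = self.users[session["email"]]
        return {"email": session["email"], "tier": user["tier"], "balance": user["balance"]}
```

The clock is injected so that token expiry can be exercised without waiting an hour; in a real deployment the session store would be shared across instances rather than an in-memory dictionary.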

Intelligent User Matching

For embedded integrations, Predictu automatically matches incoming players to existing accounts or creates new ones as needed. The system uses the operator identity combined with the player identifier from the casino’s system to ensure each player has exactly one Predictu account per operator. This process is fully idempotent, so repeated authentication calls for the same player are safe and efficient.

Role-Based Access Control

The platform supports three access tiers, each with appropriate permissions:

  • Players: Can trade, view positions, check balances, and manage their own account
  • Operators: Can manage their player base, view analytics, configure their integration, and track revenue
  • Administrators: Full platform access for internal Predictu team members

Security Features

Authentication is built with security best practices at every layer:

  • Industry-standard password hashing: Credentials are protected using modern, high-iteration cryptographic hashing
  • Brute-force protection: Rate limiting on login attempts prevents credential stuffing and brute-force attacks
  • Enumeration prevention: Login error messages are intentionally generic to prevent email enumeration
  • Short-lived embed tokens: Operator-generated tokens for embedded authentication must expire within minutes to prevent replay attacks
  • Origin verification: Embedded authentication requests are validated against the operator’s authorized domain list
  • Cryptographic signature verification: All operator-generated tokens are cryptographically signed and verified before acceptance
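The embedded flow (casino issues a short-lived signed token, Predictu verifies it, finds or creates the account, opens a session), the per-operator user matching described under Intelligent User Matching, and the last three bullets above (short-lived tokens, origin verification, signature verification), as one added example. This is not Predictu's or any casino's code: the page does not specify the token format, so an HMAC-SHA256 signature over a base64url JSON payload with a shared per-operator secret, the claim names `op`/`pid`/`iat`/`exp`, the five-minute lifetime ceiling and the `issue_embed_token`/`EmbedAuth` names are all assumptions made for this illustration.

```python
"""Embedded authentication: operator-signed embed token on the casino side,
verification plus idempotent user matching on the platform side.

Added illustration, not Predictu's or any casino's code. The page says only
that the token is short-lived, cryptographically signed, carries the player
identity, and is checked against the operator's authorized domains; the
HMAC-SHA256-over-JSON token format, claim names and limits below are
assumptions made for this example.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlparse

MAX_TOKEN_LIFETIME_S = 300  # "must expire within minutes"; five minutes is an assumption


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _origin(url: str) -> str:
    """Reduce a URL or Origin header value to scheme://host[:port], lower-cased."""
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


# --- casino server side: step 2 of the embedded flow -------------------------
def issue_embed_token(secret: bytes, operator_id: str, player_id: str,
                      now: float, ttl_s: int = 120) -> str:
    """Sign {operator, player, issued-at, expiry} with the operator's shared secret."""
    payload = {"op": operator_id, "pid": player_id, "iat": int(now), "exp": int(now) + ttl_s}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


# --- platform side: steps 4 and 5 of the embedded flow -----------------------
class EmbedAuth:
    def __init__(self, operators: dict[str, dict], now=time.time):
        # operators: operator_id -> {"secret": bytes, "origins": {"https://casino.example", ...}}
        self.operators = operators
        self.now = now
        self.accounts: dict[tuple[str, str], dict] = {}  # (operator, player) -> account
        self.sessions: dict[str, dict] = {}

    def verify_token(self, token: str, request_origin: str) -> dict:
        """Return the claims if signature, lifetime and origin all check out."""
        body, _, sig = token.partition(".")
        if not body or not sig:
            raise ValueError("malformed token")
        claims = json.loads(_unb64(body))
        if not {"op", "pid", "iat", "exp"} <= set(claims):
            raise ValueError("missing claims")
        operator = self.operators.get(claims["op"])
        if operator is None:
            raise ValueError("unknown operator")
        # Signature first: nothing else in the payload is trusted until this passes.
        expected = hmac.new(operator["secret"], body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        # Lifetime: reject expired tokens and tokens minted with too long a life.
        if claims["exp"] <= self.now() or claims["exp"] - claims["iat"] > MAX_TOKEN_LIFETIME_S:
            raise ValueError("token expired or lifetime exceeds limit")
        # Origin: the embedding page must be on the operator's authorized domain list.
        if _origin(request_origin) not in {_origin(o) for o in operator["origins"]}:
            raise ValueError("origin not authorized for this operator")
        return claims

    def initialize_session(self, token: str, request_origin: str) -> dict:
        """Verify the token, find or create the (operator, player) account, open a session."""
        claims = self.verify_token(token, request_origin)
        key = (claims["op"], claims["pid"])          # exactly one account per operator+player
        created = key not in self.accounts
        if created:                                   # first visit: account created transparently
            self.accounts[key] = {"account_id": f"acct-{len(self.accounts) + 1}", "tier": "player"}
        account = self.accounts[key]
        session = secrets.token_urlsafe(32)
        self.sessions[session] = {"account_id": account["account_id"],
                                  "expires_at": self.now() + 3600}  # session lifetime assumed
        return {"session": session, "account_id": account["account_id"], "created": created}
```

Verification is ordered so that the signature is checked before any claim is acted on, and the lifetime check bounds both the absolute expiry and the issued-to-expiry span, so an operator cannot mint a token that is technically unexpired but lives for hours. The find-or-create step is keyed on the (operator, player) pair, which is what makes repeated calls for the same player idempotent and keeps the same player id at two operators in two separate accounts.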