Predictu
S2S Protocol

Cryptographic Security

Every S2S callback from Predictu is cryptographically signed using industry-standard public-key cryptography. This ensures that your backend can verify that each request genuinely originated from Predictu and has not been tampered with in transit.

Signed and verifiable. Predictu signs each callback with a private key unique to your operator account. You verify signatures using the corresponding public key we provide. This asymmetric approach means only Predictu can create valid signatures, while anyone with the public key can verify them.

How Request Signing Works

Every outbound callback goes through a multi-step signing process that binds the cryptographic signature to the specific request being sent:

1. Predictu builds the request — The callback payload is assembled with all relevant data for the operation (player, amount, market context, etc.).
2. A digest of the request body is computed — A cryptographic hash of the entire request body is generated. This digest is included in the signed token, binding the signature to the specific request content.
3. Predictu signs the token — A secure token is created containing the request digest, a unique identifier, an expiration timestamp, and the callback method. This token is signed using your operator's private key.
4. The callback is sent — The signed token is included in the request header alongside the callback body.
5. Your backend verifies the signature — Using Predictu's public key, you verify the token's authenticity, check the expiration, confirm the request has not been replayed, and validate that the body matches the signed digest.

Key Pair Management

When your operator account is onboarded, Predictu generates a unique cryptographic key pair exclusively for your integration:

  • Private key — stored securely on Predictu's servers and used exclusively to sign outbound callbacks to your endpoint. You never see this key.
  • Public key — provided to you for signature verification. You can fetch it through the Operator Dashboard or retrieve it programmatically at any time.

Each operator gets a unique key pair. Your keys are not shared with any other operator. A compromise of one operator's keys does not affect any other integration.

What Verification Proves

When you verify a callback's signature, you confirm three critical properties:

Property        | What It Means
Authenticity    | The request was genuinely created and signed by Predictu. No third party can forge a valid signature without Predictu's private key.
Integrity       | The request body has not been modified in transit. The signed digest ensures that any tampering with the request content will cause verification to fail.
Non-repudiation | Predictu cannot deny having sent the request. The signature serves as proof of origin for audit and dispute resolution purposes.

Multi-Layer Security

The signing mechanism includes multiple layers of protection beyond basic signature verification:

Short-Lived Tokens

Signed tokens expire shortly after creation. This limits the window during which an intercepted token could theoretically be misused. Your verification should reject expired tokens, with a small tolerance window to account for normal clock differences between servers.

Replay Protection

Each signed token includes a unique identifier. By tracking which identifiers you have already processed, you can detect and reject replay attacks — where an attacker captures a legitimate request and attempts to re-send it.

Body Binding

The signed token includes a cryptographic digest of the request body. This means an attacker cannot take a valid token from one request and attach it to a different request body. The signature is bound to the exact content it was created for.

Key Rotation

Predictu supports key rotation for operators who need to periodically refresh their cryptographic credentials. When keys are rotated:

  • A new key pair is generated for your operator account.
  • All subsequent callbacks are signed with the new private key.
  • You fetch the new public key and update your verification logic.

Coordinate rotations carefully. During the brief rotation window, in-flight requests signed with the old key may still arrive. If verification starts failing after a rotation, re-fetch the public key and retry verification.

Verification Checklist

Ensure your integration covers each of these verification steps:

Step                     | Importance              | Description
Signature verification   | Required                | Verify every incoming request using the public key. Never skip this in production.
Issuer validation        | Required                | Confirm the token was issued by Predictu.
Expiration check         | Required                | Reject expired tokens, with a small clock tolerance to account for server time differences.
Replay protection        | Required                | Track processed token identifiers and reject duplicates.
Body digest verification | Strongly recommended    | Verify that the request body matches the digest embedded in the signed token.
Operator identity check  | Recommended             | Confirm the token's subject matches your operator account.
HTTPS only               | Required for production | Your callback endpoint must use HTTPS to protect data in transit.
Public key caching       | Recommended             | Cache the public key locally. Re-fetch if verification starts failing (indicates key rotation).
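The following Go program ties together the five signing steps, the key-rotation advice and this checklist in one place. It is an added example and not Predictu's own code or token format: it assumes a hypothetical token (issuer, operator subject, unique identifier, expiry and body digest) carried as a JSON envelope holding the exact signed bytes plus an Ed25519 signature. The field names, the envelope layout, the 30-second clock tolerance, the issuer string "predictu", the operator id "op-42" and every sample body are constructed for the demonstration.

```go
// Added example (not Predictu's code): signer plus checklist verifier for a hypothetical token.
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"time"
)

const clockTolerance = 30 * time.Second // grace period for server clock skew on the expiry check

// Token is the signed claim set: issuer, operator (subject), unique id, expiry, body digest.
type Token struct {
	Iss, Sub, Jti string
	Exp           int64
	Digest        []byte
}
type envelope struct{ Payload, Sig []byte } // header value: exact signed bytes plus signature

// BodyDigest binds a token to one exact request body.
func BodyDigest(body []byte) []byte {
	sum := sha256.Sum256(body)
	return sum[:]
}

// Sign serialises the claims and signs those exact bytes with the operator's private key.
func Sign(priv ed25519.PrivateKey, t Token) []byte {
	payload, _ := json.Marshal(t) // plain fields always marshal
	env, _ := json.Marshal(envelope{payload, ed25519.Sign(priv, payload)})
	return env
}

// Verifier caches the public key, re-fetches it once on signature failure, and records accepted ids.
type Verifier struct {
	pub              ed25519.PublicKey
	fetch            func() ed25519.PublicKey // dashboard or API call in practice
	issuer, operator string
	seen             map[string]int64 // jti -> exp of accepted tokens, for replay protection
}

func NewVerifier(fetch func() ed25519.PublicKey, issuer, operator string) *Verifier {
	return &Verifier{pub: fetch(), fetch: fetch, issuer: issuer, operator: operator, seen: map[string]int64{}}
}

// Verify applies every checklist item; the id is recorded only after all checks pass.
func (v *Verifier) Verify(raw, body []byte, now time.Time) error {
	var e envelope
	if json.Unmarshal(raw, &e) != nil {
		return fmt.Errorf("malformed token")
	}
	if !ed25519.Verify(v.pub, e.Payload, e.Sig) { // failure may mean rotation: re-fetch once and retry
		if v.pub = v.fetch(); !ed25519.Verify(v.pub, e.Payload, e.Sig) {
			return fmt.Errorf("invalid signature")
		}
	}
	var t Token
	if json.Unmarshal(e.Payload, &t) != nil {
		return fmt.Errorf("malformed payload")
	}
	switch {
	case t.Iss != v.issuer:
		return fmt.Errorf("unexpected issuer %q", t.Iss)
	case t.Sub != v.operator:
		return fmt.Errorf("token issued for operator %q", t.Sub)
	case now.After(time.Unix(t.Exp, 0).Add(clockTolerance)):
		return fmt.Errorf("token expired")
	case subtle.ConstantTimeCompare(t.Digest, BodyDigest(body)) != 1:
		return fmt.Errorf("body digest mismatch")
	case v.seen[t.Jti] != 0: // only unexpired tokens are recorded, so a stored exp is never 0
		return fmt.Errorf("replayed token %q", t.Jti)
	}
	v.seen[t.Jti] = t.Exp
	return nil
}

// Demo runs the cases a defender should test; every value is constructed.
func Demo() map[string]bool {
	pub, priv, _ := ed25519.GenerateKey(nil)
	body, now := []byte(`{"amount":"10.00"}`), time.Unix(1700000000, 0)
	claims := Token{Iss: "predictu", Sub: "op-42", Jti: "id-1", Exp: now.Unix() + 60, Digest: BodyDigest(body)}
	v := NewVerifier(func() ed25519.PublicKey { return pub }, "predictu", "op-42")
	tok, res := Sign(priv, claims), map[string]bool{}
	res["valid token accepted"] = v.Verify(tok, body, now) == nil
	res["replay rejected"] = v.Verify(tok, body, now) != nil
	res["tampered body rejected"] = v.Verify(tok, []byte(`{"amount":"99.00"}`), now) != nil
	res["expired rejected"] = v.Verify(tok, body, now.Add(2*time.Minute)) != nil
	claims.Jti, claims.Exp = "id-2", now.Unix()-10 // past expiry but inside the 30 s tolerance
	res["clock skew tolerated"] = v.Verify(Sign(priv, claims), body, now) == nil
	pub2, priv2, _ := ed25519.GenerateKey(nil) // rotation: cache still holds pub, fetcher now serves pub2
	v.fetch, claims.Jti = func() ed25519.PublicKey { return pub2 }, "id-3"
	res["rotated key accepted after re-fetch"] = v.Verify(Sign(priv2, claims), body, now) == nil
	return res
}

func main() { fmt.Println(Demo()) }
```

Demo returns each case as a name-to-result map so the behaviour can be asserted rather than read off a log. The order of checks in Verify is deliberate: the replay check runs last and the identifier is stored only on success, so a request that fails the digest or expiry check can never consume an identifier that a later legitimate delivery needs. Two things are left out to keep the block short and belong in any real deployment: the seen map needs a mutex or a shared store and should be pruned once a recorded token's expiry plus tolerance has passed (such a token can no longer pass the expiry check, so dropping the entry is safe), and the key re-fetch on signature failure should be rate-limited so that a stream of garbage requests cannot become a stream of key fetches.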

Broad Language Support

The cryptographic standards used by Predictu are supported by mature libraries in every major programming language. Whether your backend is built in Node.js, Python, Go, Java, PHP, Ruby, or .NET, well-maintained libraries are available to handle signature verification with just a few lines of code.

Key Benefits

  • Tamper-proof — any modification to the request body invalidates the signature, making man-in-the-middle attacks detectable.
  • Verifiable origin — only Predictu can produce valid signatures for your integration, preventing spoofed callbacks.
  • Non-repudiation — signed requests serve as cryptographic proof of origin for audit and compliance.
  • Replay-resistant — unique token identifiers and short expiration windows protect against replay attacks.
  • Per-operator isolation — each operator has their own unique key pair, limiting the blast radius of any potential compromise.