
Authentication System

Predictu supports multiple authentication modes to fit different integration scenarios. Whether players access the platform directly or through a casino operator’s embedded iframe, the authentication system provides a seamless, secure experience with minimal friction.

Stateless sessions: Predictu uses token-based authentication. There is no server-side session store. Tokens contain everything needed to identify and authorize the user, and they are validated on every request.

Standalone Authentication

For direct platform access, Predictu supports standard email-and-password login and registration. Players create an account, sign in, and receive a secure session token that grants access to all platform features.

  • Returning users — Sign in with their existing credentials and receive a fresh session token.
  • New users — Register with an email and password. Accounts are created instantly with no manual approval required.

Security best practices are built in: a failed login returns the same generic error whether the email or the password was wrong, so the response does not reveal whether an address is registered (limiting account enumeration), and passwords are hashed using industry-standard algorithms before storage.

Embedded Authentication (Iframe)

When Predictu is embedded inside a casino operator’s site via an iframe, the authentication experience is completely seamless. The operator sends player information through a secure messaging bridge, and Predictu automatically creates or finds the matching player account — no registration form, no password, no friction.

1. Operator sends player data — The casino site sends the player’s identity and a signed authentication token through the iframe messaging bridge.
2. Token is verified — Predictu checks the token’s signature against the sending operator’s credentials to confirm the request is authentic and was not forged or tampered with.
3. Player account is resolved — The system finds the existing player account or creates a new one, scoped to the operator. Each operator’s players are fully isolated from one another.
4. Session established — A session token is issued and the player is immediately ready to trade, with the operator’s custom branding applied to the interface.

Zero friction: Players who are already logged into the casino site are automatically authenticated in Predictu. No separate login, no registration form, no additional passwords. The experience is completely invisible to the end user.

Operator Isolation

Players are scoped to their operator. A player who plays on Casino A and Casino B will have two completely independent accounts with separate balances, positions, and trading histories. There is no cross-operator data leakage or account sharing.

Role-Based Access Control

The authentication system supports multiple access levels:

  • Players — Can browse markets, place trades, and manage their positions.
  • Operator administrators — Can view analytics, manage markets, and configure integration settings for their casino.
  • Platform administrators — Full access to all platform management capabilities across all operators.

Each role has strictly scoped permissions. Operator administrators can only see and manage data belonging to their own casino.

Session Management

Sessions are managed through secure, time-limited tokens:

  • Automatic expiry — Tokens expire after a configurable time period. Players must re-authenticate when their session expires.
  • Instant ban enforcement — When a player is banned, their very next request is rejected. Because sessions are stateless, the token itself is not revoked; instead the account’s ban status is checked on every request, so there is no window of continued access.
  • Iframe refresh handling — When the parent casino page refreshes, the operator re-sends initialization data and a new session is established automatically.

Account Moderation

Operators and platform administrators can ban and unban player accounts at any time. When a player is banned:

  • Login and embedded authentication are blocked
  • All API requests are rejected immediately
  • Open positions are preserved and will settle normally when markets resolve
  • The player simply cannot place new trades or access the platform

Unbanning a player immediately restores full access. Their account, balance, and positions remain intact throughout the ban period.