Mobile Wallet API
Enable digital wallet functionality for guests — balances, top-ups, and transaction history in your own custom application.
The Embed Mobile Wallet API is a REST-based interface that lets you integrate Mobile Wallet functionality directly into your own custom mobile or web application. It gives you full control over the guest-facing experience — from account creation and card registration through to online reloads and Apple/Google Wallet pass generation.
Features and Capabilities
Once registered, guests can perform the following through your integrated application:
Account management
- Register with an email address and password
- Reset or change their password
- Add multiple game cards to one account
Card management
- View all registered cards (including card type)
- Give cards a personal nickname
- Check play balance (in dollars or tokens, depending on location configuration)
- Check ticket balance
- View recent transaction history: reloads, game plays, ticket wins, and redemptions
Online reloads
- Browse available card reload products
- Purchase reload products via integrated payment gateway
- Credit is applied to the game card near-instantly via real-time sync
Mobile wallet passes
- Add a game card to Apple Wallet or Google Wallet
- Tap phone on a game reader to play — no physical card needed
System Architecture
| Data | Sync Behaviour |
|---|---|
| Play Balance | Near real-time |
| Bonus Balance | Near real-time |
| Ticket Balance | Near real-time |
| Recent Transactions | Near real-time |
| Card Status Changes | Near real-time |
Key Concepts and Terminology
| Term | Description |
|---|---|
| Operator / Customer | The business entity that Embed provides systems and services to (e.g. a Family Entertainment Centre). |
| Guest | The end user — the Operator's customer who plays games and uses the wallet. |
| TOOLKIT | Embed's on-premise platform of software and services used to manage and operate a location. |
| Mobile Wallet | A cloud-based, mobile-friendly portal for guests to create accounts, register cards, check balances, and reload online. Works alongside on-premise TOOLKIT. |
| Mobile Wallet API | The REST API that exposes Mobile Wallet functionality to custom applications. |
| Play Card / Game Card | A pre-paid card used to play games and purchase items at Operator locations. Must be purchased in-store. |
| Play Balance | The monetary value on a game card used to play games. Can be topped up in-store or via Mobile Wallet. |
| Bonus Balance | A bonus amount added to a card when purchasing card products. |
| Ticket Balance | Tickets earned through game play or product purchase, added to the card used during play. |
| Card Number | A unique 19-digit identifier linked to a game card. Required for most guest API calls. |
| Card Barcode | A 10-digit code printed on the game card. Used during registration. |
| CVV / CVC | A 3-digit Card Verification Value printed on the back of the game card. Required during registration. |
What is not supported
- Purchasing new game cards online (physical cards must be obtained in-store)
- Transferring balances between cards
- Accessing general location data (game lists, physical products)
- Reloading a card without a registered account
The Embed Mobile Wallet API is a REST-based interface that allows you to embed game card management, online reloads, and Apple/Google Wallet pass generation into your own custom application.
The system comprises three interconnected layers:
| Layer | Component | Role |
|---|---|---|
| On-premise | TOOLKIT | Runs location operations. Syncs card data to the cloud in near real time. |
| Cloud | Mobile Wallet | Cloud service that holds synced card data and exposes it via API. |
| Your app | Mobile Wallet API | REST API your application calls to read/write card and guest data. |
Before You Begin
Before committing to a custom integration, consider Embed's out-of-the-box white-labelled web portal called Mobile Portal. It lets guests create accounts, register cards, check balances, and reload online — with no custom development required. You can customise the branding to match your own. If Mobile Portal meets your requirements, it will be faster and cheaper than a custom integration. Speak to an Embed team member to find out more.
Prerequisites
All three of the following must be in place before you make your first API call.
| # | Requirement | Details |
|---|---|---|
| 1 | TOOLKIT installed at all locations | Minimum version: TOOLKIT 2023.1.0-EAP0. Must be installed and running at every location. |
| 2 | Mobile Wallet subscription | Sign up for Mobile Wallet with Embed and complete the Mobile Wallet Training. |
| 3 | Windcave payment gateway | Register with Windcave (formerly Global Payments Integrated) and integrate your application with their gateway. Required to process online card reloads. |
Configure TOOLKIT Portal
TOOLKIT Portal is the administration area for Mobile Wallet. Embed will provision your account. Log in at https://toolkit.helixleisure.net.
Step 1 — Payment configuration
- Navigate to Mobile Portal > Payment Configuration in the left-hand menu.
- Select your payment provider from the options displayed.
- Enter the remaining payment configuration fields and save the form.
Step 2 — Reload products
- Navigate to Product Management > Card Products.
- Click Add Products to create reload products. Each product can add play value, or play value plus a bonus balance.
- Navigate to Mobile Portal > Quick Reloads.
- Drag products from the Product List column into the Quick Reloads column.
- Reorder items within Quick Reloads to control the display order guests see.
Step 3 — Apple / Google Wallet (optional)
- Navigate to Mobile Portal > Settings.
- Set the Mobile Wallet URL — the URL shown inside the guest's Apple or Android wallet pass.
- Complete the remaining mandatory fields and save.
- Navigate to Mobile Portal > Customization to configure the wallet theme. Use the preview feature before saving.
Get Your Client Secret
The Client Secret is used to obtain admin access tokens for the API. It is provisioned by Embed as part of the Mobile Wallet API setup process.
- Log in to TOOLKIT Portal at
https://toolkit.helixleisure.net. - Navigate to API Integration in the left-hand menu.
- Locate the
guest-portalmodule row and click Show Key. - Copy the key — this is your Client Secret.
First API Call: Register a Guest
All guests must be registered with Embed before using your application. Registration creates a guest account and links it to at least one physical game card.
Requirements
- Guest email address (used as the username — must be unique)
- Game card 10-digit barcode and 3-digit CVV
- The game card must already be activated in TOOLKIT (any in-store activity such as adding a balance activates it automatically)
Password rules
| Rule | Requirement |
|---|---|
| Minimum length | 8 characters |
| Maximum length | 20 characters |
| Must contain | At least 1 number, 1 lowercase letter, 1 uppercase letter |
| Special characters | Allowed |
Sign-up request
POST /api/v1/admin/signup
Authorization: Bearer <admin_jwt_token>
{
"username": "guest@example.com",
"password": "SecurePass1",
"firstName": "Jane",
"lastName": "Smith",
"cardBarcode": "1234567890",
"cardCvv": "123",
"cardNickname": "My Blue Card"
}
Next Steps
With configuration complete and your first guest registered, you are ready to build out the remaining flows:
| Feature | Endpoint |
|---|---|
| Guest login | POST /api/v1/admin/login |
| List guest cards | GET /api/v1/card |
| Get card balance | GET /api/v1/card/{cardNumber}/balance |
| Get card activity | GET /api/v1/card/{cardNumber}/activity |
| List reload products | GET /api/v1/quickreload |
| Record a sale | POST /api/v1/sale |
| Apple Wallet pass | PUT /api/v1/pass/apple/{cardNumber} |
| Google Wallet pass | PUT /api/v1/pass/google/{cardNumber} |
| Password reset | PUT /api/v1/admin/{email}/reset |
Overview
The Mobile Wallet API uses Bearer Authentication with JWT (JSON Web Tokens). Every API request must include a valid access token in the Authorization header:
Authorization: Bearer <access_token>
There are two distinct token levels — an admin access token and a guest (Cognito) access token — each used for different operations. You must obtain them in sequence before any guest-level API calls can be made.
Token Types
| Token | Scope | Used for | How to obtain |
|---|---|---|---|
| Admin access token | System-level | Guest sign-up and guest login endpoints only | POST Client Secret to /api/v1/token |
| Guest (Cognito) access token | Guest-level | All card, balance, activity, sale, and wallet pass endpoints | Returned after a successful call to /api/v1/admin/login |
| Refresh token | Guest-level | Renewing an expired Cognito access token without re-login | Returned alongside the Cognito access token at login |
Step 1 — Get Your Client Secret
The Client Secret is provisioned by Embed as part of the Mobile Wallet API setup. It is available in TOOLKIT Portal once your account has been configured.
- Log in to TOOLKIT Portal at
https://toolkit.helixleisure.net - Navigate to API Integration in the left-hand menu
- Locate the
guest-portalmodule row - Click Show Key to reveal the Client Secret value
- Copy the key for use in your server-side environment
Step 2 — Get an Admin Access Token
Before a guest can sign up or log in, your server must obtain an admin access token by posting the Client Secret to the token endpoint.
POST /api/v1/token
Content-Type: application/json
{
"clientSecret": "<your_client_secret>"
}
// Response
{
"accessToken": "<admin_jwt_token>"
}
Step 3 — Register a Guest (Sign-up)
All guests must be registered with Embed before they can log in. Registration links a guest account to at least one physical game card.
Requirements
- Guest's email address — used as the username and must be unique
- Game card 10-digit barcode and 3-digit CVV
- The game card must already be activated in the on-premise TOOLKIT system
Password rules
| Rule | Requirement |
|---|---|
| Minimum length | 8 characters |
| Maximum length | 20 characters |
| Must contain | At least 1 number, 1 lowercase letter, 1 uppercase letter |
| Special characters | Allowed |
POST /api/v1/admin/signup
Authorization: Bearer <admin_jwt_token>
Content-Type: application/json
{
"username": "guest@example.com",
"password": "SecurePass1",
"firstName": "Jane",
"lastName": "Smith",
"cardBarcode": "1234567890",
"cardCvv": "123",
"cardNickname": "My Blue Card"
}
// Response 201 Created
{ "message": "Guest account created successfully" }
Step 4 — Guest Login
Once a guest is registered, they log in using their email address and password. A successful login returns both a Cognito access token and a refresh token.
POST /api/v1/admin/login
Authorization: Bearer <admin_jwt_token>
Content-Type: application/json
{
"username": "guest@example.com",
"password": "SecurePass1"
}
// Response 200 OK
{
"accessToken": "<cognito_access_token>",
"refreshToken": "<refresh_token>"
}
Step 5 — Refresh an Expired Token
POST /api/v1/admin/token
Content-Type: application/json
{
"refreshToken": "<refresh_token>"
}
// Response 200 OK
{ "accessToken": "<new_cognito_access_token>" }
/api/v1/admin/login.Step 6 — Reset a Guest Password
// Step 6a — Trigger reset email
PUT /api/v1/admin/{emailAddress}/reset
// Returns 204 No Content. Guest receives email with confirmation code.
// Step 6b — Submit new password
PUT /api/v1/admin/{emailAddress}/confirmReset
Content-Type: application/json
{
"confirmationCode": "123456",
"newPassword": "NewSecurePass1"
}
// Returns 204 No Content.
Authentication Flow Summary
1. Server → POST /api/v1/token (Client Secret)
← 200: admin_access_token
2. Server → POST /api/v1/admin/signup (admin_access_token + guest details + card)
← 201: Guest account created
3. Server → POST /api/v1/admin/login (admin_access_token + email + password)
← 200: cognito_access_token + refresh_token
4. App → GET /api/v1/card (cognito_access_token)
← 200: Guest card list
[Token expires]
5. Server → POST /api/v1/admin/token (refresh_token)
← 200: new cognito_access_token
Error Reference
| HTTP Status | Likely Cause | Recommended Action |
|---|---|---|
| 400 Bad Request | Malformed request body or missing required fields | Check field names, types, and that all required fields are present |
| 401 Unauthorized | Missing, expired, or invalid Bearer token | Obtain a fresh token via /api/v1/token (admin) or /api/v1/admin/token (guest refresh) |
| 403 Forbidden | Using the wrong token type for the endpoint | Ensure admin token is used for sign-up/login, Cognito token for guest operations |
| 404 Not Found | Guest account or card not found | Verify the email address or card details are correct |
| 409 Conflict | Username already exists | Use a different email address or check if the guest is already registered |
| 422 Unprocessable Entity | Password does not meet rules, or card is not activated | Check password rules; ensure the game card has been activated in-store |
| 500 Internal Server Error | Server-side error | Retry the request; if the issue persists, contact Embed support |