Wallet

Mobile Wallet API

Enable digital wallet functionality for guests — balances, top-ups, and transaction history in your own custom application.

Base URLs: https://mobileportal.helixapi.com https://uat.mobileportalapi.helixapi.com (UAT)

The Embed Mobile Wallet API is a REST-based interface that lets you integrate Mobile Wallet functionality directly into your own custom mobile or web application. It gives you full control over the guest-facing experience — from account creation and card registration through to online reloads and Apple/Google Wallet pass generation.

Features and Capabilities

Once registered, guests can perform the following through your integrated application:

Account management

  • Register with an email address and password
  • Reset or change their password
  • Add multiple game cards to one account

Card management

  • View all registered cards (including card type)
  • Give cards a personal nickname
  • Check play balance (in dollars or tokens, depending on location configuration)
  • Check ticket balance
  • View recent transaction history: reloads, game plays, ticket wins, and redemptions

Online reloads

  • Browse available card reload products
  • Purchase reload products via integrated payment gateway
  • Credit is applied to the game card near-instantly via real-time sync

Mobile wallet passes

  • Add a game card to Apple Wallet or Google Wallet
  • Tap phone on a game reader to play — no physical card needed

System Architecture

DataSync Behaviour
Play BalanceNear real-time
Bonus BalanceNear real-time
Ticket BalanceNear real-time
Recent TransactionsNear real-time
Card Status ChangesNear real-time

Key Concepts and Terminology

TermDescription
Operator / CustomerThe business entity that Embed provides systems and services to (e.g. a Family Entertainment Centre).
GuestThe end user — the Operator's customer who plays games and uses the wallet.
TOOLKITEmbed's on-premise platform of software and services used to manage and operate a location.
Mobile WalletA cloud-based, mobile-friendly portal for guests to create accounts, register cards, check balances, and reload online. Works alongside on-premise TOOLKIT.
Mobile Wallet APIThe REST API that exposes Mobile Wallet functionality to custom applications.
Play Card / Game CardA pre-paid card used to play games and purchase items at Operator locations. Must be purchased in-store.
Play BalanceThe monetary value on a game card used to play games. Can be topped up in-store or via Mobile Wallet.
Bonus BalanceA bonus amount added to a card when purchasing card products.
Ticket BalanceTickets earned through game play or product purchase, added to the card used during play.
Card NumberA unique 19-digit identifier linked to a game card. Required for most guest API calls.
Card BarcodeA 10-digit code printed on the game card. Used during registration.
CVV / CVCA 3-digit Card Verification Value printed on the back of the game card. Required during registration.

What is not supported

  • Purchasing new game cards online (physical cards must be obtained in-store)
  • Transferring balances between cards
  • Accessing general location data (game lists, physical products)
  • Reloading a card without a registered account

The Embed Mobile Wallet API is a REST-based interface that allows you to embed game card management, online reloads, and Apple/Google Wallet pass generation into your own custom application.

The system comprises three interconnected layers:

LayerComponentRole
On-premiseTOOLKITRuns location operations. Syncs card data to the cloud in near real time.
CloudMobile WalletCloud service that holds synced card data and exposes it via API.
Your appMobile Wallet APIREST API your application calls to read/write card and guest data.
Balances and recent transactions sync between on-premise locations and the cloud in near real time, so guests always see up-to-date data in your application.

Before You Begin

Before committing to a custom integration, consider Embed's out-of-the-box white-labelled web portal called Mobile Portal. It lets guests create accounts, register cards, check balances, and reload online — with no custom development required. You can customise the branding to match your own. If Mobile Portal meets your requirements, it will be faster and cheaper than a custom integration. Speak to an Embed team member to find out more.

Prerequisites

All three of the following must be in place before you make your first API call.

#RequirementDetails
1TOOLKIT installed at all locationsMinimum version: TOOLKIT 2023.1.0-EAP0. Must be installed and running at every location.
2Mobile Wallet subscriptionSign up for Mobile Wallet with Embed and complete the Mobile Wallet Training.
3Windcave payment gatewayRegister with Windcave (formerly Global Payments Integrated) and integrate your application with their gateway. Required to process online card reloads.

Configure TOOLKIT Portal

TOOLKIT Portal is the administration area for Mobile Wallet. Embed will provision your account. Log in at https://toolkit.helixleisure.net.

Note: Refer to the User Guide in the Embed Help Centre for step-by-step screenshots. Contact Embed if you need Help Centre access.

Step 1 — Payment configuration

  1. Navigate to Mobile Portal > Payment Configuration in the left-hand menu.
  2. Select your payment provider from the options displayed.
  3. Enter the remaining payment configuration fields and save the form.
⚠ Warning: Once a payment provider is saved it cannot be changed or disabled. Choose carefully.

Step 2 — Reload products

  1. Navigate to Product Management > Card Products.
  2. Click Add Products to create reload products. Each product can add play value, or play value plus a bonus balance.
  3. Navigate to Mobile Portal > Quick Reloads.
  4. Drag products from the Product List column into the Quick Reloads column.
  5. Reorder items within Quick Reloads to control the display order guests see.
Note: Products configured for online sale are not available at physical locations, and vice versa.

Step 3 — Apple / Google Wallet (optional)

  1. Navigate to Mobile Portal > Settings.
  2. Set the Mobile Wallet URL — the URL shown inside the guest's Apple or Android wallet pass.
  3. Complete the remaining mandatory fields and save.
  4. Navigate to Mobile Portal > Customization to configure the wallet theme. Use the preview feature before saving.

Get Your Client Secret

The Client Secret is used to obtain admin access tokens for the API. It is provisioned by Embed as part of the Mobile Wallet API setup process.

  1. Log in to TOOLKIT Portal at https://toolkit.helixleisure.net.
  2. Navigate to API Integration in the left-hand menu.
  3. Locate the guest-portal module row and click Show Key.
  4. Copy the key — this is your Client Secret.
🔒 Security: Never store the Client Secret in your application source code or version control. Store it server-side in an environment variable or secrets manager.

First API Call: Register a Guest

All guests must be registered with Embed before using your application. Registration creates a guest account and links it to at least one physical game card.

Requirements

  • Guest email address (used as the username — must be unique)
  • Game card 10-digit barcode and 3-digit CVV
  • The game card must already be activated in TOOLKIT (any in-store activity such as adding a balance activates it automatically)

Password rules

RuleRequirement
Minimum length8 characters
Maximum length20 characters
Must containAt least 1 number, 1 lowercase letter, 1 uppercase letter
Special charactersAllowed

Sign-up request

POST /api/v1/admin/signup
Authorization: Bearer <admin_jwt_token>

{
  "username":     "guest@example.com",
  "password":     "SecurePass1",
  "firstName":    "Jane",
  "lastName":     "Smith",
  "cardBarcode":  "1234567890",
  "cardCvv":      "123",
  "cardNickname": "My Blue Card"
}
Note: If your app has its own authentication system, contact Embed to arrange mapping between your guest identifiers and Embed Guest identifiers.

Next Steps

With configuration complete and your first guest registered, you are ready to build out the remaining flows:

FeatureEndpoint
Guest loginPOST /api/v1/admin/login
List guest cardsGET /api/v1/card
Get card balanceGET /api/v1/card/{cardNumber}/balance
Get card activityGET /api/v1/card/{cardNumber}/activity
List reload productsGET /api/v1/quickreload
Record a salePOST /api/v1/sale
Apple Wallet passPUT /api/v1/pass/apple/{cardNumber}
Google Wallet passPUT /api/v1/pass/google/{cardNumber}
Password resetPUT /api/v1/admin/{email}/reset

Overview

The Mobile Wallet API uses Bearer Authentication with JWT (JSON Web Tokens). Every API request must include a valid access token in the Authorization header:

Authorization: Bearer <access_token>

There are two distinct token levels — an admin access token and a guest (Cognito) access token — each used for different operations. You must obtain them in sequence before any guest-level API calls can be made.

⚠ Embed does not provide development support for Mobile Wallet API integrations. Developers must rely on this guide and the Swagger documentation.

Token Types

TokenScopeUsed forHow to obtain
Admin access tokenSystem-levelGuest sign-up and guest login endpoints onlyPOST Client Secret to /api/v1/token
Guest (Cognito) access tokenGuest-levelAll card, balance, activity, sale, and wallet pass endpointsReturned after a successful call to /api/v1/admin/login
Refresh tokenGuest-levelRenewing an expired Cognito access token without re-loginReturned alongside the Cognito access token at login
The admin access token is not used for card or balance operations. Once the guest is logged in, all subsequent calls must use the Cognito access token.

Step 1 — Get Your Client Secret

The Client Secret is provisioned by Embed as part of the Mobile Wallet API setup. It is available in TOOLKIT Portal once your account has been configured.

  1. Log in to TOOLKIT Portal at https://toolkit.helixleisure.net
  2. Navigate to API Integration in the left-hand menu
  3. Locate the guest-portal module row
  4. Click Show Key to reveal the Client Secret value
  5. Copy the key for use in your server-side environment
🔒 Security: Never store the Client Secret in your application source code or a client-side environment. Store it securely server-side — for example in an environment variable, a secrets manager, or a vault service. Do not commit it to version control.

Step 2 — Get an Admin Access Token

Before a guest can sign up or log in, your server must obtain an admin access token by posting the Client Secret to the token endpoint.

POST /api/v1/token
Content-Type: application/json

{
  "clientSecret": "<your_client_secret>"
}

// Response
{
  "accessToken": "<admin_jwt_token>"
}
The admin access token is short-lived. Your server should obtain a fresh token before making sign-up or login calls rather than caching it indefinitely.

Step 3 — Register a Guest (Sign-up)

All guests must be registered with Embed before they can log in. Registration links a guest account to at least one physical game card.

Requirements

  • Guest's email address — used as the username and must be unique
  • Game card 10-digit barcode and 3-digit CVV
  • The game card must already be activated in the on-premise TOOLKIT system

Password rules

RuleRequirement
Minimum length8 characters
Maximum length20 characters
Must containAt least 1 number, 1 lowercase letter, 1 uppercase letter
Special charactersAllowed
POST /api/v1/admin/signup
Authorization: Bearer <admin_jwt_token>
Content-Type: application/json

{
  "username":     "guest@example.com",
  "password":     "SecurePass1",
  "firstName":    "Jane",
  "lastName":     "Smith",
  "cardBarcode":  "1234567890",
  "cardCvv":      "123",
  "cardNickname": "My Blue Card"
}

// Response 201 Created
{ "message": "Guest account created successfully" }

Step 4 — Guest Login

Once a guest is registered, they log in using their email address and password. A successful login returns both a Cognito access token and a refresh token.

POST /api/v1/admin/login
Authorization: Bearer <admin_jwt_token>
Content-Type: application/json

{
  "username": "guest@example.com",
  "password": "SecurePass1"
}

// Response 200 OK
{
  "accessToken":  "<cognito_access_token>",
  "refreshToken": "<refresh_token>"
}

Step 5 — Refresh an Expired Token

POST /api/v1/admin/token
Content-Type: application/json

{
  "refreshToken": "<refresh_token>"
}

// Response 200 OK
{ "accessToken": "<new_cognito_access_token>" }
If the refresh token itself has also expired, the guest will need to log in again via /api/v1/admin/login.

Step 6 — Reset a Guest Password

// Step 6a — Trigger reset email
PUT /api/v1/admin/{emailAddress}/reset
// Returns 204 No Content. Guest receives email with confirmation code.

// Step 6b — Submit new password
PUT /api/v1/admin/{emailAddress}/confirmReset
Content-Type: application/json

{
  "confirmationCode": "123456",
  "newPassword":      "NewSecurePass1"
}
// Returns 204 No Content.

Authentication Flow Summary

1. Server  →  POST /api/v1/token               (Client Secret)
              ← 200: admin_access_token

2. Server  →  POST /api/v1/admin/signup         (admin_access_token + guest details + card)
              ← 201: Guest account created

3. Server  →  POST /api/v1/admin/login          (admin_access_token + email + password)
              ← 200: cognito_access_token + refresh_token

4. App     →  GET  /api/v1/card                 (cognito_access_token)
              ← 200: Guest card list

       [Token expires]

5. Server  →  POST /api/v1/admin/token          (refresh_token)
              ← 200: new cognito_access_token

Error Reference

HTTP StatusLikely CauseRecommended Action
400 Bad RequestMalformed request body or missing required fieldsCheck field names, types, and that all required fields are present
401 UnauthorizedMissing, expired, or invalid Bearer tokenObtain a fresh token via /api/v1/token (admin) or /api/v1/admin/token (guest refresh)
403 ForbiddenUsing the wrong token type for the endpointEnsure admin token is used for sign-up/login, Cognito token for guest operations
404 Not FoundGuest account or card not foundVerify the email address or card details are correct
409 ConflictUsername already existsUse a different email address or check if the guest is already registered
422 Unprocessable EntityPassword does not meet rules, or card is not activatedCheck password rules; ensure the game card has been activated in-store
500 Internal Server ErrorServer-side errorRetry the request; if the issue persists, contact Embed support