Skip to main content
All requests to the smatvirtual Unified Gateway must be authenticated using a custom HTTP header. This key identifies your merchant account, secures your transactions, and routes your players to the correct operator environment.

The sv-api-key Header

We use a single header for all API interactions:
Header KeyValue
sv-api-keyYour concatenated API key

Constructing your Key

Instead of a single static token, smatvirtual uses a concatenated key format. This allows you to switch between different operators or environments (Staging/Production) by simply modifying the string. The key follows this exact structure: PUBLIC_KEY . OPERATOR_SLUG

Components:

  1. PUBLIC_KEY: Your unique merchant identifier (e.g., SV.pk_live_88234) public key always starts with "SV.".
  2. OPERATOR_SLUG: The unique identifier for your specific brand or region (e.g., smatvirtual-us).
Example Key: SV.pk_live_88234.smatvirtual-us

Example Implementation

Include the key in the headers of your server-side requests. Never expose this key in client-side code (JavaScript/Frontend). 
  curl --request GET \ --url https://api.smatvirtual.com/api/v1.1/operator-api/games
  \ --header 'sv-api-key: SV.pk_live_88234.smatvirtual-us'

Security Best Practices

Server-to-Server Only

Only call our API from your backend. Exposing your sv-api-key in a browser allows anyone to initiate sessions on your behalf.
If you suspect your Public Key has been compromised, please contact the smatvirtual technical team immediately to rotate your credentials.