The Sentinel Network API provides endpoints for device verification, ban management, and publisher policy configuration.

Base URL

https://api.sentineltrustplay.io

The sandbox environment is a fully isolated copy of the production API. Use it for integration testing — data created in sandbox does not affect production. Sandbox API keys are available from the Dashboard.

Authentication

All endpoints (except /health) require authentication. Include your API key as a Bearer token with every request:
Authorization: Bearer sni_<your-api-key>
Game-scoped operations also require the X-Game-Id header. See Authentication for details on API keys, scopes, and the gateway auth flow.

Endpoints

Device

| Method | Path | Description |
|--------|------|-------------|
| POST | /v1/device/check | Verify device signature and return ban/reputation status |

Bans

| Method | Path | Description |
|--------|------|-------------|
| POST | /v1/bans | Create a ban |
| POST | /v1/bans/{ban_id}/revoke | Revoke a ban |
| GET | /v1/device/{device_id}/bans/cheat | List cheat bans |
| GET | /v1/device/{device_id}/bans/social | List social bans |

Policy

| Method | Path | Description |
|--------|------|-------------|
| GET | /v1/policy | Get publisher policy |
| PUT | /v1/policy | Update publisher policy |

System

| Method | Path | Description |
|--------|------|-------------|
| GET | /health | Health check (no auth required) |

Error Responses

All errors return a JSON object with an error field containing a machine-readable error code:
{
  "error": "missing_scope"
}

Rate Limiting

Sentinel API

Rate limiting for the Sentinel API is handled at the APISIX gateway level and is not enforced by the API itself. Contact your account representative for rate limit details.

Dashboard API

The dashboard enforces built-in rate limiting:

| Scope | Limit | Window | Applies To |
|-------|-------|--------|------------|
| Auth | 60 requests | 1 minute | /api/auth/login/*, /api/auth/callback/*, /api/auth/exchange-token, /api/auth/refresh |
| Global | 300 requests per IP | 1 minute | All dashboard endpoints |

Rate-limited requests receive HTTP 429 Too Many Requests with a Retry-After header:
{"error": "too_many_requests"}

Security Headers

The dashboard adds the following headers to every response:
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https:;
  • Strict-Transport-Security: max-age=31536000; includeSubDomains (production only)
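
As an added example (not part of the Sentinel documentation or its code), the following Python check compares a response's headers with the list above and reports each deviation, including CSP directives that allow more sources than documented. The function names and the two sample responses are constructed for illustration.

```python
# Values copied from the "Security Headers" list on this page.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
EXPECTED_CSP = ("default-src 'self'; script-src 'self'; "
                "style-src 'self' 'unsafe-inline'; img-src 'self' https:;")
MIN_HSTS_AGE = 31536000

def parse_csp(value):
    """Return {directive: set(sources)}; a repeated directive keeps its first value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def audit_headers(headers, production=True):
    """Return a list of deviations from the documented headers (empty = match)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {h.get(name)!r}")
    want_csp = parse_csp(EXPECTED_CSP)
    got_csp = parse_csp(h.get("content-security-policy", ""))
    for directive, sources in want_csp.items():
        if directive not in got_csp:
            findings.append(f"csp: {directive} missing")
        elif got_csp[directive] - sources:
            findings.append(f"csp: {directive} allows extra sources "
                            f"{sorted(got_csp[directive] - sources)}")
    for directive in sorted(got_csp.keys() - want_csp.keys()):
        findings.append(f"csp: undocumented directive {directive}")
    if production:  # the page lists HSTS as production only
        parts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
        ages = [p[len("max-age="):] for p in parts if p.startswith("max-age=")]
        if not ages or not ages[0].isdigit() or int(ages[0]) < MIN_HSTS_AGE:
            findings.append("hsts: max-age missing or below 31536000")
        if "includesubdomains" not in parts:
            findings.append("hsts: includeSubDomains missing")
    return findings

# Constructed sample responses (not captured from the real dashboard).
GOOD = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Security-Policy": EXPECTED_CSP,
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK = dict(GOOD, **{"X-Frame-Options": "SAMEORIGIN",
                     "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"})
del WEAK["Strict-Transport-Security"]
```

Pass `production=False` when auditing a non-production deployment, since the page documents Strict-Transport-Security as production only.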