Use this page to integrate your app or website with Midasbuy System. Send POST requests with JSON bodies as described below. You receive a client API key from the operator.
Every action below lists both request and example success response (HTTP 200). The HTTP responses section lists the same success shapes again next to all error codes, so integrators can copy one place.
This value is generated from the current site (protocol, host, and folder). After you upload to your server, open this page again — URLs will match your domain automatically. If your host uses a reverse proxy and links are wrong, set the environment variable PUBLIC_BASE_URL (e.g. https://example.com/myapp). Avoid exposing the client key in public front-end code when possible — prefer a backend that adds the header.
| Header | Value |
|---|---|
Content-Type |
application/json |
X-Api-Key required |
Client key issued to you (format like gw_...) |
POST only?action= one of the values belowFull URL example: https://weecard.almirsystem.cloud/gateway.php?action=getPlayer
On HTTP 200, the response body is JSON from the upstream service. The gateway does not rewrite it — you get the same structure the provider returns.
success (boolean) — overall outcome of the business callmessage (string) — short summary (often "Ok" on success)data (object) — action-specific payload; always inspect data.status (and messages inside data) for the real resultSuccess rule: treat the call as fully successful only when the HTTP status is 200 and the parsed JSON has success === true. Any other combination is not successful; show message and any relevant fields inside data.
Real values (timestamps, UC amounts, optional login fields, etc.) depend on the upstream. The examples below are illustrative so you can wire parsers and UI; run your own test calls for exact payloads.
client_ref is required for reconciliation and auditing, especially for activate actions. Send a unique value from your system for every request (for example, your order ID, invoice ID, or UUID). The gateway stores it in the operations log even when the request is blocked, fails quota checks, fails upstream transport, or returns a business error.
The client_ref value is used by this gateway only; it is removed before forwarding the request to the upstream provider.
Primary endpoints: getPlayer, checkCode, activate. Optional: bulkActivate (short reference only).
getPlayer — player infoRequest body (JSON):
{"client_ref": "YOUR_UNIQUE_ID", "player_id": 555555555}
Example success response (HTTP 200, illustrative):
{
"success": true,
"message": "Ok",
"data": {
"status": "success",
"message": "Player found",
"player_id": 555555555,
"player_name": "PlayerName"
}
}
checkCode — UC code statusRequest body (JSON):
{"client_ref": "YOUR_UNIQUE_ID", "uc_code": "YOUR_CODE"}
Example success response (HTTP 200, illustrative):
{
"success": true,
"message": "Ok",
"data": {
"status": "activated",
"uc_code": "YOUR_CODE",
"amount": 60,
"activated_at": 1631817600,
"activated_to": 555555554
}
}
activate — redeem code for a playerRequest body (JSON):
{"client_ref": "YOUR_UNIQUE_ID", "player_id": 555555555, "uc_code": "YOUR_CODE"}
Example success response (HTTP 200, illustrative):
{
"success": true,
"message": "Ok",
"data": {
"status": "success",
"message": "Code activated",
"player_id": 555555555,
"player_name": "PlayerName",
"code_activated": "YOUR_CODE",
"activated_at": 1763891643000,
"activated_to": 555555554,
"account_login": "login@example.com",
"account_password": "…"
}
}
account_login / account_password may be absent depending on provider and product.
bulkActivate — optionalRedeem up to 5 codes in one call; each code counts toward the client’s daily quota. Same JSON envelope as other actions; data.results is an array of per-code outcomes. Request example:
{"client_ref": "YOUR_UNIQUE_ID", "player_id": 555555555, "uc_codes": ["CODE1", "CODE2"]}
Full success sample omitted here; shape matches upstream bulk-activate docs when you need it.
Same style as upstream OpenAPI: each row is Code, Description, and an example JSON body. When your call reaches the provider, status and body usually match their API. When the gateway stops the request (client key, quota, install), you get the gateway examples instead.
200 — SuccessHTTP status is 200 and the body is JSON from the upstream (gateway forwards it unchanged). All three main actions share success, message, and data; only data changes.
?action=getPlayer — example value
{
"success": true,
"message": "Ok",
"data": {
"status": "success",
"message": "Player found",
"player_id": 555555555,
"player_name": "PlayerName"
}
}
?action=checkCode — example value
{
"success": true,
"message": "Ok",
"data": {
"status": "activated",
"uc_code": "rX7rASS72a25qdVcg0",
"amount": 60,
"activated_at": 1631817600,
"activated_to": 555555554
}
}
?action=activate — example value
{
"data": {
"account_login": "login@gmail.com",
"account_password": "password",
"activated_at": 1763891643000,
"activated_to": 555555554,
"code_activated": "rX7rASS72a25qdVcg0",
"message": "Code activated",
"player_id": 555555555,
"player_name": "PlayerName",
"status": "success"
},
"message": "Ok",
"success": true
}
The provider may still answer with HTTP 200 but "success": false when the request was understood but the business operation failed (e.g. unknown player, bad code). Treat that as a logical error in your UI:
{
"success": false,
"message": "Player not found",
"data": {
"status": "error",
"message": "Player not found",
"player_id": 555555555
}
}
Exact strings and data fields depend on the upstream; always branch on success and data.status after checking HTTP status.
400 — Bad requestInvalid body or unknown action. Upstream-style example:
{
"message": "Invalid request data",
"success": false
}
Gateway may instead return, for example:
{
"success": false,
"message": "Invalid action",
"allowed": ["activate", "bulkActivate", "checkCode", "getPlayer"]
}
{
"success": false,
"message": "Invalid request body for this action"
}
401 — UnauthorizedMissing/invalid API key. Upstream-style example:
{
"message": "Api key required",
"success": false
}
Gateway (client key) examples:
{
"success": false,
"message": "X-Api-Key required (client key)"
}
{
"success": false,
"message": "Invalid API key"
}
403 — ForbiddenClient disabled on this gateway (not from upstream).
{
"success": false,
"message": "Client disabled"
}
405 — Method not allowedOnly POST is accepted.
{
"success": false,
"message": "Method not allowed"
}
429 — Too many requestsDaily quota for this client or global upstream cap.
{
"success": false,
"message": "Daily operation limit reached for this client",
"limit": 1000,
"used": 1000,
"day": "2026-05-12"
}
{
"success": false,
"message": "Global upstream daily quota reached",
"limit": 50000,
"used": 50000
}
500 — Server errorUpstream or gateway internal error.
{
"message": "Server error",
"success": false
}
{
"success": false,
"message": "Database error"
}
{
"success": false,
"message": "Missing master API key on server"
}
502 — Bad gatewayCould not complete the upstream HTTP call (network/timeout).
{
"success": false,
"message": "Upstream request failed",
"detail": "Connection timed out"
}
503 — Service unavailableSystem not installed or not configured.
{
"success": false,
"message": "Midasbuy System is not installed. Run install.php"
}
Always use res.status together with await res.json(): check HTTP code first, then success / message / data inside the body.
If you never get a success sample in real traffic, the response body usually tells you which layer failed:
Invalid API key, X-Api-Key required, Client disabled, Daily operation limit reached, or Upstream request failed (502). Fix client key, admin limits, or server/network to midasbuy-api.com."success": false, or 4xx/5xx JSON from the provider. Fix player_id, uc_code, or contract with the upstream; ensure the server master API key in config is valid.Use gateway-test.html or proxy-test.html on the same host with a known-good client key and minimal body (e.g. getPlayer with a real player id) to separate “gateway blocked” from “upstream rejected”.
const url = "https://weecard.almirsystem.cloud/gateway.php?action=getPlayer";
const res = await fetch(url, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-Api-Key": "YOUR_CLIENT_KEY"
},
body: JSON.stringify({ client_ref: "YOUR_UNIQUE_ID", player_id: 555555555 })
});
const data = await res.json();
// On HTTP 200: check data.success, then data.data (and data.data.status when present)
curl -X POST "https://weecard.almirsystem.cloud/gateway.php?action=getPlayer" ^
-H "Content-Type: application/json" ^
-H "X-Api-Key: YOUR_CLIENT_KEY" ^
-d "{\"client_ref\":\"YOUR_UNIQUE_ID\",\"player_id\":555555555}"
On Linux/mac, use \ for line continuation instead of ^.