MeowPlay API Reference

Welcome to the MeowPlay Developer Center. We provide a complete set of RESTful endpoints and JavaScript SDK bindings to integrate your HTML5 games with our cloud saves, leaderboards, and analytics systems effortlessly.

1. Quick Integration SDK

If you just want your game client to obtain cloud save capability without building a backend, importing our SDK is the fastest approach (typically takes under 3 minutes).

html

<!-- Import inside your game.html -->
<script src="https://api.meowplay.com/sdk/meowplay-sdk.js"></script>

javascript

// Save slot data
MeowPlaySDK.save('slot1', { level: 5, score: 1200, gold: 99 })
  .then(res => console.log('Saved successfully', res))

// Load save data
MeowPlaySDK.load('slot1')
  .then(data => {
    console.log('Restored slot data:', data.save.payload)
  })

// Custom Analytics Event Tracking
MeowPlaySDK.track('level_complete', { level: 3, timeSpent: 45 })

Anti-Cheat HMAC Signature Support

If your game maintains a leaderboard and you want to prevent tampering, enable the signature mode via MeowPlaySDK.setSecret('your-secret') (secret is retrievable via admin panel). The SDK will automatically append HMAC-SHA256 authenticated headers.

2. API Authentication (HTTP)

To perform server-to-server operations or direct HTTP calls, all protected endpoints use Bearer Tokens.

Retrieve Token

POST/api/auth/login

json

// Request Body
{
  "username": "developer_studio",
  "password": "your_password"
}

// Response (200 OK)
{
  "token": "eyJhbGciOiJIUzI1...",
  "user": {
    "role": "PLAYER", // Capable of publishing games
    "username": "developer_studio"
  }
}

Token Lifetime

Access tokens are valid for up to 7 days. Append them in the format Authorization: Bearer [token] across all subsequent requests.

3. Game Deployment API

ZIP Automatic Deployment

POST/api/games/upload

Upload your game ZIP directly via multipart/form-data. Must contain index.html at the root.

bash

# CURL Example (Multipart Form)
curl -X POST https://api.meowplay.com/api/games/upload \
  -H "Authorization: Bearer {token}" \
  -F "title=Super Mario" \
  -F "description=Classic jump adventure" \
  -F "file=@/path/to/game.zip"

Deploy via External Domain

POST/api/games

json

// Request Body
{
  "title": "MeowMeow Battle",
  "description": "Auto-hosted shooter game",
  "gameUrl": "https://my-cdn.com/game/index.html",
  "coverImageUrl": "https://my-cdn.com/game/cover.png" // Optional
}

4. Cloud Save API

Allows games to synchronize progress across multiple devices. The maximum payload limit per save is 65KB of JSON data.

Save Game Data

POST/api/sdk/save

json

// Request Body
{
  "gameId": "YOUR_GAME_ID",
  "slotKey": "slot1", // Save slot identifier
  "payload": { "level": 5, "score": 1200 } // Your game state
}

// Response (200 OK)
{
  "message": "Save successful",
  "signed": false,
  "save": { "id": "...", "slotKey": "slot1", "updatedAt": "..." }
}

Load Game Data

GET/api/sdk/save

Query parameters: ?gameId=xxx (get all slots) or ?gameId=xxx&slotKey=slot1 (get specific slot).

json

// Response (200 OK)
{
  "save": {
    "slotKey": "slot1",
    "payload": { "level": 5, "score": 1200 },
    "updatedAt": "2026-04-03T10:00:00Z"
  }
}

5. Analytics API

Track Custom Event

POST/api/sdk/track

json

// Request Body
{
  "gameId": "YOUR_GAME_ID",
  "eventName": "level_complete", // Example: game_start, level_complete, item_purchase
  "eventData": { "level": 3, "time_sec": 42 } // Optional metrics
}

// Response
{ "message": "Event tracked", "eventId": "uuid" }

6. Anti-Cheat Signature Guide

If you are invoking raw HTTP endpoints instead of using the JS SDK, and replay-protection is enabled, you must compute the request signatures manually.

javascript

// Node.js signing example
const crypto = require('crypto');

function signRequest(gameId, slotKey, payload, timestamp, nonce, secret) {
  // 1. Hash the payload first
  const payloadHash = crypto.createHash('sha256').update(JSON.stringify(payload)).digest('hex');
  
  // 2. Build the message: GameID:SlotKey:PayloadHash:Timestamp:Nonce
  const msg = `${gameId}:${slotKey}:${payloadHash}:${timestamp}:${nonce}`;
  
  // 3. HMAC-SHA256 signature
  return crypto.createHmac('sha256', secret).update(msg).digest('hex'); 
}

// Mandatory Headers to attach:
// X-GC-Signature: the output hash
// X-GC-Timestamp: millisecond timestamp
// X-GC-Nonce: 32-character random string

7. Appendix

7.1 Upload Constraints

Max Game File Size	50 MB
Max Files in ZIP	500
Allowed Formats	.html, .htm, .zip
ZIP Structure	Must contain index.html

7.2 Review Guidelines

No illegal or inappropriate content.
Must run properly without significant white screens or crashing errors.
ZIP archives cannot contain executable files (.exe, .sh, .bat).
No malicious scripts allowed (such as mining or unauthorized redirects to phishing sites).