
Overview

The Connect API enables third-party marketplaces to access LootRush user data through an OAuth-style consent flow. Users explicitly grant permission for your application to access their profile, email, wallet, and KYC information.

Prerequisites

Before implementing the Connect API, you must register your integration with LootRush:
  1. Contact LootRush at [email protected] to request integration access
  2. Provide your redirect URI(s) - The URL(s) where users will be redirected after granting consent
  3. Specify required scopes - The data access permissions your integration needs
Once approved, LootRush will provide you with:
  • Integration ID - Your unique integration identifier
  • API Key - For authenticating API requests
All redirect URIs and scopes are preconfigured by LootRush during the registration process and cannot be modified via the API.

Integration Flow

Redirect the user to the LootRush Connect page:
https://www.lootrush.com/connect?integration_id=<your-integration-id>
Parameter | Required | Description
integration_id | Yes | Your unique integration identifier (provided by LootRush)

The user reviews the requested permissions and clicks “Allow” to grant access. Only business admins can grant consent on behalf of their organization.

After consent, the user is redirected to your preconfigured redirect URI with the consent ID:
https://your-app.com/callback?consent_id=<uuid>
If the user denies consent:
https://your-app.com/callback?error=access_denied
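
The callback is reached through the user's browser, so its query string is untrusted input. The following is an added example, not LootRush code: a strict parser for the two callback shapes shown above that rejects anything else before the consent ID is placed in an API path. The names `parse_callback`, `user_data_url` and `CallbackError` are hypothetical.

```python
import uuid
from urllib.parse import parse_qs, quote, urlsplit

# Host and path taken from the page's curl example.
API_BASE = "https://third-party.lootrush.com/api/v1"


class CallbackError(ValueError):
    """Callback query string is not one of the two documented shapes."""


def parse_callback(url: str) -> dict:
    """Return {'status': 'granted', 'consent_id': ...} or {'status': 'denied'}."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A repeated parameter is ambiguous: two layers may read different values.
    if any(len(values) != 1 for values in params.values()):
        raise CallbackError("repeated query parameter")
    flat = {name: values[0] for name, values in params.items()}
    if "error" in flat:
        if "consent_id" in flat or flat["error"] != "access_denied":
            raise CallbackError("unexpected error callback")
        return {"status": "denied"}
    raw = flat.get("consent_id", "")
    try:
        parsed = uuid.UUID(raw)
    except ValueError as exc:
        raise CallbackError("consent_id is not a UUID") from exc
    # uuid.UUID also accepts braces, urn: prefixes and bare hex; allow only
    # the canonical hyphenated form that the page shows.
    if str(parsed) != raw.lower():
        raise CallbackError("consent_id is not in canonical form")
    return {"status": "granted", "consent_id": str(parsed)}


def user_data_url(consent_id: str) -> str:
    """Build the Get User Data URL from an already validated consent ID."""
    return f"{API_BASE}/consent/{quote(consent_id, safe='')}/user"
```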

Step 4: Fetch User Data

Use the consent ID to retrieve the user’s data via the API.

Authentication

All API requests must include your API key in the x-api-key header:
x-api-key: your-api-key-here
Requests with invalid or missing API keys will return a 401 Unauthorized response.

Scopes

The following scopes can be configured for your integration:
Scope | Description
profile | User’s name and profile information
email | User’s email address and verification status
wallet | Connected wallet addresses (Base and Polygon)
kyc | Identity verification information (name, document, tax ID)
Scopes are configured by LootRush during integration registration. Contact [email protected] to modify your integration’s allowed scopes.

Get User Data

Retrieves the user data for a given consent.

Path Parameters

Parameter | Type | Required | Description
consentId | string | Yes | The consent ID received after user authorization

Example Request

curl -X GET "https://third-party.lootrush.com/api/v1/consent/550e8400-e29b-41d4-a716-446655440000/user" \
  -H "x-api-key: your-api-key-here"

Response

  • consent_id (string): The consent identifier
  • integration_id (string): Your integration identifier
  • granted_at (string): ISO 8601 timestamp of when consent was granted
  • scopes (array): List of granted scopes
  • user (object): User data object containing the following fields based on granted scopes:
      • profile (object): Profile information (requires profile scope):
          • name (string): Full name
          • given_name (string): First name
          • family_name (string): Last name
      • email (object): Email information (requires email scope):
          • address (string): Email address
          • verified (boolean): Whether email is verified
      • wallet (object): Wallet information (requires wallet scope):
          • addresses (array): Array of wallet addresses, each with:
              • chain (string): Blockchain network (“base” or “polygon”)
              • address (string): Wallet address
          • is_business (boolean): Whether this is a business account
      • kyc (object): KYC information (requires kyc scope):
          • email (string): Verified email from KYC
          • entity_type (string): Account type: “individual” or “business”
          • first_name (string): Legal first name
          • last_name (string): Legal last name
          • legal_name (string or null): Business legal name (null for individuals)
          • document_type (string): ID document type (e.g., “PASSPORT”)
          • document_number (string): ID document number
          • tax_id (string): Tax identification number

Example Response

{
  "consent_id": "550e8400-e29b-41d4-a716-446655440000",
  "integration_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "granted_at": "2024-01-15T10:30:00Z",
  "scopes": ["profile", "email", "wallet", "kyc"],
  "user": {
    "profile": {
      "name": "John Doe",
      "given_name": "John",
      "family_name": "Doe"
    },
    "email": {
      "address": "[email protected]",
      "verified": true
    },
    "wallet": {
      "addresses": [
        {
          "chain": "base",
          "address": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"
        },
        {
          "chain": "polygon",
          "address": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"
        }
      ],
      "is_business": false
    },
    "kyc": {
      "email": "[email protected]",
      "entity_type": "individual",
      "first_name": "John",
      "last_name": "Doe",
      "legal_name": null,
      "document_type": "PASSPORT",
      "document_number": "AB1234567",
      "tax_id": "123-45-6789"
    }
  }
}

Error Responses

Status Code | Error Message | Description
401 | Unauthorized: Business ID not found | Invalid or missing API key
403 | Forbidden: Consent does not belong to your business | The consent was granted to a different integration
404 | Consent not found | The consent ID does not exist
410 | Gone: Consent has been revoked | The user has revoked this consent

Example Error Response

{
  "error": "Gone: Consent has been revoked",
  "revoked_at": "2024-01-20T15:00:00Z"
}

Users can revoke consent at any time from their LootRush account settings. When a consent is revoked:
  • API requests with that consent ID will return 410 Gone
  • Your application should handle this gracefully and prompt the user to reconnect

Best Practices

  1. Store the consent ID securely: Associate the consent ID with the user in your system for future API calls.
  2. Handle revocation: Check for 410 responses and provide a way for users to reconnect.
  3. Request only necessary scopes: When registering your integration, only request the scopes you actually need to build trust with users.
  4. Cache responsibly: User data can change. Consider refreshing data periodically rather than caching indefinitely.
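
The error table and practices above can be applied in one response handler. The following is an added example, not LootRush code: it checks that a 200 body belongs to the consent and integration that were requested, stores only the scopes the application needs, and maps each documented status to an action. The `Outcome` type, the action names, and the policy of deleting cached data on 410 are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class Outcome:
    action: str  # store | purge_and_reconnect | unlink | alert | retry
    data: dict = field(default_factory=dict)
    detail: str = ""


def handle_user_response(status, body, *, consent_id, integration_id, needed_scopes):
    """Map one Get User Data response to an action (the policy is this example's)."""
    if status == 200:
        # The body must describe the consent we asked about, for our integration.
        if (body.get("consent_id"), body.get("integration_id")) != (consent_id, integration_id):
            return Outcome("alert", detail="response does not match request")
        granted = set(body.get("scopes", []))
        user = body.get("user", {})
        # Keep only scopes that are both needed and granted, so KYC fields the
        # application does not use are never written to storage.
        kept = {s: user[s] for s in needed_scopes if s in granted and s in user}
        missing = sorted(set(needed_scopes) - set(kept))
        note = "missing scopes: " + ",".join(missing) if missing else ""
        return Outcome("store", kept, note)
    if status == 410:
        # Revoked by the user: delete cached copies, then offer to reconnect.
        return Outcome("purge_and_reconnect", detail=body.get("revoked_at", ""))
    if status == 404:
        return Outcome("unlink", detail="consent ID does not exist")
    if status in (401, 403):
        # API key or ownership problem on our side; retrying will not help.
        return Outcome("alert", detail=body.get("error", ""))
    return Outcome("retry", detail=f"unexpected status {status}")


# Constructed sample, trimmed from the page's example responses.
SAMPLE_OK = {
    "consent_id": "550e8400-e29b-41d4-a716-446655440000",
    "integration_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "scopes": ["profile", "email", "kyc"],
    "user": {
        "profile": {"name": "John Doe"},
        "email": {"address": "user@example.com", "verified": True},
        "kyc": {"document_type": "PASSPORT", "tax_id": "123-45-6789"},
    },
}
SAMPLE_REVOKED = {"error": "Gone: Consent has been revoked", "revoked_at": "2024-01-20T15:00:00Z"}
```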

Support

For API support, please contact: