Fortuna Compliance API

DGA Go-Live Testing

Before a casino can go live under a Danish Gambling Authority (DGA) licence, DGA requires evidence that the casino's integration with two regulated services is working correctly:

  • TamperToken — the digital-signature service used to seal SAFE reports.
  • ROFUS — the self-exclusion and CSRP register.

DGA provides three test-case spreadsheets that the casino must fill in and return:

Spreadsheet What it covers
Testcases til Tamper Token 6 complete open + close token cycles, each spaced 1 hour apart
Testcases til ROFUS Gambler-check, CSRP-check, and commercial-check calls against test CPRs
Description of attributes Attribute definitions for the data fields in your submissions

Fortuna Compliance automates all three. The sections below walk through each one.


Test 1 — TamperToken cycles

What DGA expects

Six complete TamperToken open + close cycles, separated by at least one hour each, showing the SOAP request and response for every call. DGA verifies that your licence-certificate ID and credentials are correct and that the digital signatures are well-formed.

How to run the test

  1. Log in to the Admin portal.
  2. Navigate to DGA Tests in the left-hand menu.
  3. Select the SafeConfiguration that holds the DGA credentials (DgaUsername / DgaPassword) for the licence you are testing.
  4. Click Start TamperToken test.

The platform immediately runs cycle 1 and schedules the remaining five cycles, one per hour. A progress bar shows how many cycles have completed. The page polls automatically — no manual refresh is needed.

The test takes approximately 5 hours to complete from start to finish. Plan accordingly before a DGA submission deadline.

Downloading the spreadsheet

Once all 6 cycles show Completed:

  1. Click Download DGA test-case XLSX on the DGA Tests page. The file is pre-filled with the SOAP XML, timestamps, and MAC values from your 6 cycles in the layout DGA expects.
  2. Open the file, review the rows, and add any casino-owned fields (test-case ID, expected result, comments) that DGA asks you to fill in.
  3. Submit the completed file to DGA.

DGA's official ROFUS test CPRs

DGA's Testcases til ROFUS spreadsheet specifies fixed CPR numbers, set up in the ROFUS demo environment, that must produce specific responses. These are not arbitrary — they only resolve correctly against the real ROFUS demo service (the staging environment, which uses RofusHttpClient). They will not work against the local development mock (MockRofusClient), which derives results from the CPR's last digit instead and knows nothing about these specific numbers.

Purpose CPR
Invalid CPR number 1210653014
Person under 18 0505114175
Not registered in ROFUS 1110700012
Registered temporarily in ROFUS 1110664016
Registered indefinitely in ROFUS 1110910017
"No thanks to marketing" set (4 CPRs) 1211800050, 1211800085, 1211800107, 1211800093

Keep the leading zero. 0505114175 must be sent as a 10-character string, not as a number — dropping the leading zero produces a different (invalid) CPR.


Test 2 — ROFUS gambler check (self-exclusion)

What DGA expects

DGA's test plan requires six calls to the gambler/self-exclusion check (GamblerCheck) — three simulating account creation, three simulating login — each against a fixed CPR with a fixed expected response.

DGA # Scenario CPR Expected status Consequence
3 Account creation — not registered 1110700012 NotRegistered Account creation may continue
4 Account creation — registered temporarily 1110664016 RegisteredTemporarily Account creation must be refused
5 Account creation — registered indefinitely 1110910017 RegisteredIndefinitely Account creation must be refused
7 Login — not registered 1110700012 NotRegistered Login may continue
8 Login — registered temporarily 1110664016 RegisteredTemporarily Login must be refused
9 Login — registered indefinitely 1110910017 RegisteredIndefinitely Login must be refused

How to run the test

Call the gambler check endpoint once per row above. Use the DGA test number in externalReference so the audit trail (and the exported XLSX) lines up with DGA's own table.

Example request — DGA test #4:

POST /api/rofus/gambler/check
X-Api-Key: <your-key>
Content-Type: application/json

{
  "audit": {
    "externalReference": "dga-rofus-test-4"
  },
  "cpr": "1110664016"
}

Expected response: {"status": "RegisteredTemporarily"}.

Downloading the spreadsheet

After running all 6 calls:

  1. In the Admin portal go to Audit Logs, filter by Category = ROFUS and the date range of your test.
  2. Click Export ROFUS test cases to download the pre-filled XLSX.
  3. The file contains one row per call, with the CPR, request timestamp, and the raw ROFUS response status in DGA's column layout.
  4. Add any casino-owned columns and submit to DGA.

Test 3 — ROFUS CSRP/CPR validation and marketing checks

What DGA expects

DGA's test plan also requires three calls to the CPR validation service (GamblerCSRPValidation) and one bulk marketing check (GamblerMultiReklameCheck_I / our commercial bulk check).

DGA # Scenario CPR Expected (raw ROFUS value) Consequence
1 Account creation — invalid CPR 1210653014 CPRIsNotRegistered Account creation must be refused
2 Account creation — person under 18 0505114175 AgeIs17OrBelow (isMinor = true) Account creation must be refused
6 Account creation — valid CPR 1110700012 CPRIsRegistered Account creation may continue

How to run the test — CSRP/CPR validation

Example request — DGA test #2:

POST /api/rofus/csrp/check
X-Api-Key: <your-key>
Content-Type: application/json

{
  "audit": {
    "externalReference": "dga-rofus-test-2"
  },
  "cpr": "0505114175"
}

Expected response: {"status": "NotRegistered", "isMinor": true} (the raw AgeIs17OrBelow value maps to isMinor = true in our API).

How to run the test — marketing ("no thanks to advertising")

DGA test #10 uses all 4 CPRs from the "no thanks to marketing" set in a single bulk call. Marketing must not be sent to 1211800050 and 1211800093; marketing may be sent to 1211800085 and 1211800107.

POST /api/rofus/commercial/check-bulk
X-Api-Key: <your-key>
Content-Type: application/json

{
  "persons": [
    { "audit": { "externalReference": "dga-rofus-test-10-a" }, "cpr": "1211800050" },
    { "audit": { "externalReference": "dga-rofus-test-10-b" }, "cpr": "1211800085" },
    { "audit": { "externalReference": "dga-rofus-test-10-c" }, "cpr": "1211800107" },
    { "audit": { "externalReference": "dga-rofus-test-10-d" }, "cpr": "1211800093" }
  ]
}

Expected response: marketingAllowed = false for 1211800050 and 1211800093; marketingAllowed = true for 1211800085 and 1211800107.

Downloading the spreadsheet

The ROFUS export XLSX (same file as Test 2) includes all ROFUS operations — gambler checks, CSRP/CPR validation, and marketing checks — in separate sections matching DGA's template. Download it once after completing all 10 calls.


Description of attributes

The Description of attributes spreadsheet documents the data fields in your SAFE and ROFUS submissions. This file does not require you to run any API calls — it describes the schema of the data you produce.

A full attribute reference is available at /help/dgaattributes. Use it to look up field names, types, and value mappings when filling in the DGA spreadsheet.


Tips

  • Use DGA's own test numbers in externalReference (e.g. dga-rofus-test-4) so you can filter the audit log precisely and map exported rows straight back to DGA's table.
  • Run all ROFUS test calls before downloading the export — the XLSX is generated from the audit log at the moment you click Export. Calls made after the download will not be included.
  • The TamperToken test and ROFUS test are independent — you can run them in parallel. Start the TamperToken test first (it takes 5 hours) and run ROFUS tests while you wait.
  • Staging credentials are required — your SafeConfiguration must have valid DgaUsername and DgaPassword values pointing at the ROFUS demo server (rofusdemo.spillemyndigheden.dk) before any real calls will succeed. Contact Fortuna Compliance support if these are not yet configured.

Error reference

Status Cause Action
400 No SAFE configuration linked to this client Your API key's client has no SafeConfiguration with DGA credentials Contact support to link a SafeConfiguration
400 on ROFUS call Malformed CPR or missing required fields Ensure CPR is exactly 10 digits
403 ROFUS feature not enabled for your account Contact support
TamperToken test stuck on cycle 1 Credentials invalid or demo server unreachable Verify DgaUsername / DgaPassword in the Admin portal SafeConfiguration screen