Swishing Demo API

Public demo surface for the Swishing landing page. Single-tenant Lambda,
separate from the multi-tenant Swishing platform — backs the playable
demo at demo.swishing.cards (top-10 scoreboard, nickname checks,
last-challenge timing) plus a contact-lead webhook used by the marketing
site.

Authentication. All endpoints except POST /api/contact-lead require
a shared-secret header X-Game-Token matching the Lambda's GAME_SECRET
env var. This is a low-grade scraper guard — not a real secret — so it
is documented as a header parameter rather than an OpenAPI security scheme.
POST /api/contact-lead is unauthenticated; it forwards the lead payload
to the internal leads-ingest endpoint using a server-side token the
caller never sees.
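
One way to implement the header gate described above, as an added example that is not the project's own code. It assumes the API Gateway HTTP API (payload v2.0) event shape; `is_authorized`, `handler` and `PUBLIC_ROUTES` are hypothetical names.

```python
import hmac
import os

# The one route the page lists as unauthenticated (method and path must both match).
PUBLIC_ROUTES = {("POST", "/api/contact-lead")}


def is_authorized(method, path, headers, secret=None):
    """Return True if the request may proceed to its route handler."""
    if (method.upper(), path) in PUBLIC_ROUTES:
        return True
    if secret is None:
        secret = os.environ.get("GAME_SECRET", "")
    if not secret:
        # Fail closed: an unset or empty GAME_SECRET must never match an empty header.
        return False
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {str(k).lower(): v for k, v in headers.items()}
    supplied = lowered.get("x-game-token")
    if not isinstance(supplied, str):
        return False
    # Constant-time comparison: response timing does not reveal how many
    # leading characters of the supplied token were correct.
    return hmac.compare_digest(supplied.encode("utf-8"), secret.encode("utf-8"))


def handler(event, context=None):
    """Hypothetical Lambda entry point (assumed payload v2.0 event fields)."""
    http = event.get("requestContext", {}).get("http", {})
    method = http.get("method", "")
    path = event.get("rawPath", "")
    if not is_authorized(method, path, event.get("headers") or {}):
        return {"statusCode": 401, "body": '{"error":"unauthorized"}'}
    # Route dispatch would go here; for contact-lead, the server-side token is
    # attached only to the outbound call and never returned to the caller.
    return {"statusCode": 200, "body": '{"ok":true}'}
```

Because the exemption is an exact (method, path) match, a variant such as a trailing slash or a different verb on the contact-lead path still requires the token.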
Audience. Internal docs only.