# Login API

# Overview {% #overview %}

* **Version:** 1.0.0
* **Servers**: `https://login.xsolla.com/api`
* **Protocols**: https
* **Accepts**: application/json
* **Responds with**: application/json
* **[Contact us by email](mailto:integration@xsolla.com)**
* **Contact URL:** https://xsolla.com/

This section describes API calls for working with [Login](https://developers.xsolla.com/doc/login). [Set up](/doc/login/integration-guide/integrate-solution/#login_guide_integration_api) your Login project in [Publisher Account](https://publisher.xsolla.com/) before sending requests.

# IP addresses {% #ip-addresses %}
The full list of IP addresses that login.xsolla.com may use:
* 34.94.0.85
* 34.94.14.95
* 34.94.25.33
* 34.94.115.185
* 34.94.154.26
* 34.94.173.132
* 34.102.48.30
* 35.235.99.248
* 35.236.32.131
* 35.236.35.100
* 35.236.117.164

# Glossary {% #glossary %}
You have access to the following Login project types in Publisher Account:
* Standard Login project
* Shadow Login project

To find more information on it, see [Cross-platform account](https://developers.xsolla.com/doc/login/features/cross-platform-account/) feature.

## Rate limits {% #glossary-rate-limits %}
Are the restrictions applied by Xsolla API on the frequency of access by a user within a defined timeframe.

## Standard Login project {% #glossary-standard-login-project %}
Is a Login project that is used to store main accounts.

## Shadow Login project {% #glossary-shadow-login-project %}
Is a Login project that is used to store platform accounts.

## Main account {% #glossary-main-account %}
Is an account type that is created in a standard Login project and linked to platform accounts. The main account is used to identify the player on different platforms.

## Platform account {% #glossary-platform-account %}
Is an account type that is created in a shadow Login project and connected to a definite publishing platform. The platform account can't be linked to another platform account. Also, you can't unlink the accounts from a main account.

## Publishing platform {% #glossary-publishing-platform %}
Is a game platform that is used for game distribution (e.g. Steam, PlayStation, Xbox, etc.).

# Authentication {% #authentication %}
Login API supports the following token types:
* User token. It is used for sending requests to the following user resources:
    * profile
    * friends
    * attributes
* Server token. It is used for sending requests to application resources such as settings or user data. The following requests are available:
    * [Create platform accounts](https://developers.xsolla.com/api/login/operation/auth-by-custom-id)
    * [Get user data](https://developers.xsolla.com/api/login/operation/get-users-ids-by-social-id-and-platform)
    * [Link accounts](https://developers.xsolla.com/api/login/operation/link-accounts-by-code)
    * [Link user accounts via external ID](https://developers.xsolla.com/api/login/operation/link-user-ids-via-external-id)

## Authentication schemes {% #authentication-schemes %}
You can determine whether an API call is client or server-side by the scheme of authentication:

- Client-side — are called without authentication or with the `Authorization` header: `Bearer <user_JWT>` header, where `<user_JWT>` — is the user token.
- Server-side API calls for implementing the user flow — are called with the header: `X-SERVER-AUTHORIZATION: <server_JWT>`, where `<server_JWT>` — is the server token.

## Getting a user token {% #getting-user-token %}
To get the token, send one of the following requests:
* user registration ([JWT](https://developers.xsolla.com/api/login/operation/jwt-register-new-user) or [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-register-new-user))
* authentication by username and password ([JWT](https://developers.xsolla.com/api/login/operation/auth-by-username-and-password), [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-auth-by-username-and-password), or [JWT auth by username and password](https://developers.xsolla.com/api/login/operation/jwt-auth-by-username-and-password))
* authentication via social networks ([JWT](https://developers.xsolla.com/api/login/operation/jwt-auth-via-social-network) or [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-auth-via-social-network))
* silent authentication ([JWT](https://developers.xsolla.com/api/login/operation/jwt-silent-authentication) or [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-silent-authentication))
* [authentication via a social network access token](https://developers.xsolla.com/api/login/operation/jwt-auth-via-access-token-of-social-network)
* [authentication via a publishing platform](https://developers.xsolla.com/api/login/operation/auth-by-custom-id)

After JWT authentication, the user is redirected to the Callback URL with a token in a query-parameter: `<Callback URL>?token=<User token (JWT)>`.

After OAuth 2.0 protocol-based authentication, send the [Generate JWT](https://developers.xsolla.com/api/login/operation/generate-jwt) `POST` request to the Xsolla Login server to exchange the received `code` parameter for a user token (`access_token`).

When the access token expires, the client sends [Generate JWT](https://developers.xsolla.com/api/login/operation/generate-jwt) `POST` request endpoint on the Xsolla Login server. The request body must include the following parameters:
- `grant_type` — JWT grant type, pass the `refresh_token` value.
- `client_id` — OAuth 2.0 client ID.
- `refresh_token` — refresh token received in response to the user authorization request.

## Getting a server token {% #getting-server-token %}

To get a server token:
1. [Set up server OAuth 2.0 client](#set-up-server-oauth-20-client).
2. [Generate server JWT](#generate-server-jwt).

### Set up server OAuth 2.0 client {% #set-up-server-oauth-20-client %}
1. Open your project in [Publisher Account](https://publisher.xsolla.com/) and go to the **Login section**.
2. Click **Configure** in the panel of a **Login** project.
3. Go to the **Security** block and select the **OAuth 2.0** section.
4. Click **Add OAuth 2.0 Client**.
5. Check the **Server (server-to-server connection)** box.
6. Specify **Token lifetime**.
7. Click **Connect**.
8. Copy and save the client ID and secret key.

### Generate server JWT {% #generate-server-jwt %}
On the back end of your application, implement a method to get the server JWT using the [Generate JWT API](https://developers.xsolla.com/api/login/operation/generate-jwt/) call. The request must contain the following parameters:
* `grant_type` is the type of getting JWT, pass the `client_credentials` value.
* `client_secret` is the secret key that is received when you set up the server OAuth 2.0 client.
* `client_id` is the client ID received when you set up the server OAuth 2.0 client.

When the server token expires, generate a new token using the [Generate JWT API](https://developers.xsolla.com/api/login/operation/generate-jwt/) call. The request body must include the following parameters:
- `grant_type` — JWT grant type, pass the `client_credentials` value.
- `client_id` — OAuth 2.0 client ID.
- `client_secret` — OAuth 2.0 client secret key.

# Rate limits {% #rate-limits %}
To prevent Xsolla system overloads and protect against sudden spikes in incoming traffic, Xsolla limits the number of requests received by the Xsolla API within a specified period of time. If the limit is exceeded, the Xsolla API returns an HTTP response with the `429` status code.

Rate limits vary by method, IP-address, authentication scheme, and other factors.

Rate limits for server-side methods are applied to methods with server-side authentication — methods that are called with the `X-SERVER-AUTHORIZATION: <server_JWT>` header, where `<server_JWT>` is the server token.

Rate limits for client-side methods are applied to methods without authentication or with client-side authentication — methods that are called with the `Authorization: Bearer <user_JWT>` header, where `<user_JWT>` is the user token.

**Example of a method with server-side authentication:**
![Example of a method with server-side authentication](https://cdn.xsolla.net/developers/current/images/api_docs/login-rate-limits-1.png)
**Example of a method with client-side authentication:**
![Example of a method with server-side authentication](https://cdn.xsolla.net/developers/current/images/api_docs/login-rate-limits-2.png)

Rate limits for client-side methods do not change and are necessary to prevent brute-force attacks. The maximum request rate for server-side methods is higher than for client-side methods.
You can refer to the recommendations on how to manage rate limits in the [documentation](https://developers.xsolla.com/api/getting-started/#api_rate_limits).

{% html name="div" attrs={"class": "note"} %}
**Note**

In certain cases, it is possible to adjust the rate limits by request. To request the rate limits adjustment, contact your Customer Success Manager or email [csm@xsolla.com](mailto:csm@xsolla.com).
{% /html %}

# JWT structure {% #jwt-structure %}
Every token has a [JWT](https://jwt.io/) format and contains a definite information in a payload.

## User JWT {% #user-jwt %}
User JWT is a token received as a result of authentication or registration. A token payload contains information about the user and authentication call.

Getting a user token via the OAuth 2.0 protocol requires an OAuth 2.0 client. The user token is passed in the `Authorization: Bearer <JWT>` header.

## Main claims {% #jwt-main-claims %}
A token will contain the main claims after authentication or email address confirmation. Presence of these claims does not depend on the user database and authentication call.

| Claim | Type | Required | Description |
|---|---|---|---|
| `exp` | [Unix Timestamp](https://www.unixtimestamp.com/) | Yes | Date and time of token expiration. Default expiration time is 24 hours. You can change expiration time for every Login project. |
| `iss` | string | Yes | Service that signed the token: `https://login.xsolla.com`. |
| `iat` | [Unix Timestamp](https://www.unixtimestamp.com/) | Yes | Date and time of giving the token. |
| `sub` | string (UUID) | Yes | User ID written on the Xsolla Login server side. |
| `groups` | array | Yes | List of groups the user is in. Each group: `id` — group ID; `name` — group name; `is_default` — whether the group is default (`true` or `false`). There can be only one default group, which initially includes all users before they are distributed into different groups. |
| `xsolla_login_project_id` | string (UUID) | Yes | Login project ID. |
| `type` | string | | Authentication option: `xsolla_login` — login via username/email and password; `social` — social login; `email` — passwordless login via one-time code by email; `phone` — by SMS; `firebase` — Firebase storage; `playfab` — PlayFab storage; `proxy` — custom storage; `device` — device ID; `server_custom_id` — custom ID. |
| `avatar` | string | | User avatar URL. |
| `username` | string | | Username. |
| `publisher_id` | integer | | ID of a merchant who owns a Login project. |
| `email` | string | | User email address. |
| `payload` | string | | Additional information that is passed in the payload parameter during authentication. |
| `promo_email_agreement` | boolean | | `true` if the user agrees to receive a newsletter, `false` otherwise. Default: `true`. To add to the [Login widget](https://developers.xsolla.com/doc/login/integration-guide/integrate-solution/#login_guide_integration_widget) registration form: contact your Account Manager (Widget 2.0) or add the `fields` parameter with the `promo_email_agreement` value to the [initialization code](https://github.com/xsolla/xsolla-login-js-sdk#step-2-initializing-widget) (previous widget version). |
| `connection_information` | string | | Shows whether the user confirmed their birth date or not. Confirmation is made via the [okname](https://www.ok-name.co.kr/) service. |

## PlayFab storage {% #playfab-storage %}
Claims that are contained in the token after authentication if you use [PlayFab storage](https://developers.xsolla.com/doc/login/integration-guide/connect-users-storage/).

| Claim | Type | Required | Description |
|---|---|---|---|
| `external_account_id` | string | Yes | User PlayFab ID. |
| `session_ticket` | string | Yes | A **SessionTicket** parameter received during an authentication request or requests to the [PlayFab API](https://api.playfab.com/documentation/client). A token contains the claim if you authenticate users via the OAuth 2.0 protocol and pass the `playfab` value to the `scope` parameter. |
| `entity_token` | string | Yes | An **EntityToken.EntityToken** parameter. |
| `entity_type` | string | Yes | An **EntityToken.Entity.Type** parameter. Can have only the `title_player_account` value. |
| `entity_id` | string | Yes | An **EntityToken.Entity.Id** parameter. |

## Custom storage {% #custom-storage %}
Claims that are contained in the token after authentication if you use [custom storage](https://developers.xsolla.com/doc/login/integration-guide/connect-users-storage/).

| Claim | Type | Required | Description |
|---|---|---|---|
| `provider` | string | Yes | Name of a social network used for authentication. If the user authenticates via username and password, the claim has the `xsolla` value. |
| `external_account_id` | string | | User ID on your server side. |
| `partner_data` | | | Data of any type returned by your server in the response body during authentication. To enable the transmission of this claim, contact your Customer Success Manager or email [csm@xsolla.com](mailto:csm@xsolla.com). |
| `social_access_token` | | | Access token of the social network through which the user was authenticated. To enable the transmission of this claim, contact your Customer Success Manager or email [csm@xsolla.com](mailto:csm@xsolla.com). |

## Social authentication {% #social-authentication %}
Claims that are contained in the token after authentication via a social network.
Presence of these claims does not depend on the user database.

| Claim | Type | Required | Description |
|---|---|---|---|
| `provider` | string | Yes | Name of a social network used for authentication. |
| `id` | string | Yes | User ID in a social network. |
| `is_cross_auth` | boolean | | Shows that the silent authentication request is in progress. |
| `social_access_token` | string | | Social network account `access_token` parameter used for authentication. Contact your Account Manager to set up the feature. |
| `picture` | string (URL) | | Link to the user profile picture in a social network. |
| `birthday` | date ([RFC3339](https://www.ietf.org/rfc/rfc3339.txt)) | | User birth date in a social network. |
| `gender` | string | | User gender in a social network. |
| `name` | string | | User nickname in a social network. |

## Authentication via the OAuth 2.0 protocol {% #authentication-via-oauth-protocol %}
Claims that are contained in the token after OAuth 2.0 authentication.

| Claim | Type | Required | Description |
|---|---|---|---|
| `jti` | string | Yes | Unique token ID. |

## Authentication via a phone number {% #authentication-via-phone-number %}
Claim which is contained in the token after authentication via a phone number.

| Claim | Type | Required | Description |
|---|---|---|---|
| `phone_number` | string | Yes | User's phone number used for authentication. The phone number format based on the country code, area code, and line number without any dividers. |

## Server JWT {% #server-jwt %}
The server token is passed in the `X-SERVER-AUTHORIZATION` header.

The token payload contains information about resources owned by the OAuth 2.0 client. The token has access to calls with server-based authentication for these resources.

| Claim | Type | Required | Description |
|---|---|---|---|
| `xsolla_login_project_id` | string (UUID) | Yes | ID of a Login project that owns the OAuth 2.0 client. |
| `resources` | array | Yes | List of resources owned by an OAuth 2.0 client. Possible types: `publisher_id` — resources of a merchant who owns the Login project; `publisher_project_id` — resources of a project in [Publisher Account](https://publisher.xsolla.com/). Each resource: `name` — resource type; `value` — resource ID. |
| `jti` | string | Yes | Unique token ID. |

# JWT validation {% #jwt-validation %}
To validate the JWT, use the following Login API calls:
 - [User JWT validate](/api/login/operation/validate-jwt) — for a user token.
 - [Server JWT validate](/api/login/operation/validate-server-jwt) — for a server token.



{% html name="div" attrs={"class": "notice"} %}
**Notice**

Do not reveal your secret key to anyone. If it was compromised, please update it.
{% /html %}

# Errors {% #errors %}

Refer to the [documentation](/doc/login/references/errors/) for information about Xsolla Login API errors.


Version: v1

## Servers

```
https://login.xsolla.com/api
```

## Security

### APIKey

access key from JWT user token

Type: apiKey
In: header
Name: Authorization

### AttributesBearer

Type: apiKey
In: header
Name: Authorization

### AttributesServer

[Server token authorization](/api/login/overview/#section/Authentication/Getting-a-server-token).

Type: apiKey
In: header
Name: X-SERVER-AUTHORIZATION

### Bearer

Bearer authentication. ```Bearer <JWT>```.

Type: apiKey
In: header
Name: Authorization

### BearerCallback

Bearer authentication. ```Bearer <JWT>```.

Type: apiKey
In: header
Name: Authorization

### ExternalBearer

Type: apiKey
In: header
Name: Authorization

### Server

[Server token authorization](/api/login/overview/#section/Authentication/Getting-a-server-token).

Type: apiKey
In: header
Name: X-SERVER-AUTHORIZATION

## Download OpenAPI description

[Login API](https://developers.xsolla.com/_bundle/api/login/index.yaml)

## Age restrictions

### Delete age restriction for country

 - [DELETE /projects/{project_id}/age_rating](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/delete-age-restriction.md): Deletes age restriction for a selected country in a project.

### List age restrictions for project

 - [GET /projects/{project_id}/age_rating](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/list-age-restrictions.md): Returns a list of countries with age restrictions in a project.

### Create age restriction for country

 - [POST /projects/{project_id}/age_rating](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/create-age-restriction.md): Creates or updates existing age restriction for a selected country in a project.

### Manage age restrictions for countries

 - [POST /projects/{project_id}/age_rating/batch](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/batch-age-restrictions.md): Updates, deletes, or creates age restrictions for all countries in a project. You may set default restrictions for all countries and set country-specific restrictions, if any. NoticeEach new call overrides previous settings.

## Custom email templates

### Get custom email template

 - [GET /projects/{project_id}/templates/email/{template_id}/{locale}/{template_type}](https://developers.xsolla.com/api/login/custom-email-templates/get-custom-email-template.md): Gets all information about the specific template.

### Create custom email template

 - [POST /projects/{project_id}/templates/email/{template_id}/{locale}/{template_type}](https://developers.xsolla.com/api/login/custom-email-templates/create-custom-email-template.md): Creates an email template with custom structure, styles, and texts. You can add the variables for some texts to the template. To add the relevant texts for these variables, use the Send email based on template call.

### Update custom email template

 - [PUT /projects/{project_id}/templates/email/{template_id}/{locale}/{template_type}](https://developers.xsolla.com/api/login/custom-email-templates/update-custom-email-template.md): Updates the specific custom email template.

### Switch off welcome email

 - [DELETE /projects/{project_id}/welcome_email](https://developers.xsolla.com/api/login/custom-email-templates/switch-off-welcome-email.md): Switches off a welcome email.

### Switch on welcome email

 - [POST /projects/{project_id}/welcome_email](https://developers.xsolla.com/api/login/custom-email-templates/switch-on-welcome-email.md): Switches off a welcome email.

### Send email based on template

 - [POST /templates/email/send](https://developers.xsolla.com/api/login/custom-email-templates/send-email-based-on-template.md): Sends an email based on a custom template and data that you provided to the specified email address.

## RSA keys

### Get JSON Web Key Set

 - [GET /projects/{project_id}/jwks.json](https://developers.xsolla.com/api/login/product-configuration-rsa/json-web-key-set.md): Gets a JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs.

### Delete all project keys

 - [DELETE /projects/{project_id}/keys](https://developers.xsolla.com/api/login/product-configuration-rsa/delete-projects-keys.md): Deletes all project RSA keys. After that all tokens are signed by HS256 algorithm.

### Get project keys

 - [GET /projects/{project_id}/keys](https://developers.xsolla.com/api/login/product-configuration-rsa/get-projects-keys.md): Gets a list of the public RSA project keys.

To validate user JWT, choose the library and pass an appropriate public key from the response to this call to the validation function.

### Generate RSA key

 - [POST /projects/{project_id}/keys](https://developers.xsolla.com/api/login/product-configuration-rsa/post-projects-key.md): Generates new RSA key and returns public key.
To validate user JWT, choose the library and pass an appropriate public key from the response to this call to the validation function.

## Social

### Change settigns for connected social provider

 - [PUT /projects/{project_id}/social/provider_token](https://developers.xsolla.com/api/login/product-configuration-social/put-social-provider-token.md): Configure social provider token in Login JWT.

### Change scope settigns for connected social provider

 - [PUT /projects/{project_id}/social/{provider_name}/custom_scope](https://developers.xsolla.com/api/login/product-configuration-social/put-social-provider-custom-scope.md): Manage custom Oauth2 scopes for provider.

## User groups

### Get project groups

 - [GET /projects/{project_id}/user_groups](https://developers.xsolla.com/api/login/product-configuration-groups/get-project-user-groups.md): Gets a list of user groups in project.

### Add new group to project

 - [POST /projects/{project_id}/user_groups](https://developers.xsolla.com/api/login/product-configuration-groups/post-project-user-group.md): Adds a new user group to a project.

### Delete group from project

 - [DELETE /projects/{project_id}/user_groups/{group_id}](https://developers.xsolla.com/api/login/product-configuration-groups/del-project-user-group.md): Deletes a user group. NoticeA user group can't be deleted if it contains users.

### Update group name

 - [PUT /projects/{project_id}/user_groups/{group_id}](https://developers.xsolla.com/api/login/product-configuration-groups/put-project-user-group.md): Changes a user group name.

## Multi-factor authentication

### Get project two-factor authentication settings

 - [GET /projects/{project_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/get-project-two-factor-authentication-settings.md): Gets project two-factor authentication settings.

### Update project two-factor authentication settings

 - [PUT /projects/{project_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/update-project-two-factor-authentication-settings.md): Updates project two-factor authentication settings. The user must confirm the changes by entering a one-time code.

### Get user's two-factor authentication settings

 - [GET /projects/{project_id}/users/{user_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/get-server-mfa.md): Gets user's two-factor authentication settings.

### Update user's two-factor authentication settings

 - [POST /projects/{project_id}/users/{user_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/update-server-mfa.md): Updates user's two-factor authentication settings from server.

### Get user’s two-factor authentication settings

 - [GET /users/me/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/get-users-two-factor-authentication-settings.md): Gets user’s two-factor authentication settings. You must enable two-factor authentication for the Login project. Contact your Customer Success Manager to enable it.

### Update user’s two-factor authentication settings

 - [POST /users/me/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/update-users-two-factor-authentication-settings.md): Updates user’s two-factor authentication settings. The user must confirm the changes by entering a one-time code.

The workflow of using this call:
1. The user enables or disables two-factor authentication.
2. The application sends the request to the Xsolla Login server.
3. The Xsolla Login server sends the one-time confirmation code to the user and returns the URL of the two-factor authentication page.
4. The application redirects the user to the URL.
5. The user enters the one-time code.
6. New two-factor authentication settings are applied.

You must enable two-factor authentication for the Login project. Contact your Customer Success Manager to enable it.

## Webhooks

### Get webhooks for event

 - [GET /projects/{project_id}/events/{event_type}/webhooks](https://developers.xsolla.com/api/login/webhooks/get-webhooks-for-event.md): Gets the list of webhooks information for the specified type of events.

### Add webhook for event

 - [POST /projects/{project_id}/events/{event_type}/webhooks](https://developers.xsolla.com/api/login/webhooks/add-webhook-for-event.md): Creates a webhook for the specified event. The webhook has the following format:

{
    "event_type": "Event type",
    "event_time": "Date and time when the event occurred in the ISO 8601 format",
    "project_id": "Login project ID",
    "data": {
         // Some other data, can be different for different events and include nested objects
     }
}

### Delete webhook for event

 - [DELETE /projects/{project_id}/events/{event_type}/webhooks/{webhook_id}](https://developers.xsolla.com/api/login/webhooks/delete-webhook-for-event.md): Deletes a webhook with the specified ID.

## User profile

### [OAuth2.0] Resend account confirmation email

 - [POST /oauth2/user/resend_confirmation_link](https://developers.xsolla.com/api/login/user-profile/oauth-20-resend-account-confirmation-email.md): Resends an account confirmation email to a user. To complete account confirmation, the user should follow the link in the email.

### Unban user

 - [DELETE /projects/{project_id}/users/{user_id}/ban](https://developers.xsolla.com/api/login/user-profile/del-projects-users-ban.md): Removes the ban from the user.

### Ban user

 - [POST /projects/{project_id}/users/{user_id}/ban](https://developers.xsolla.com/api/login/user-profile/post-projects-users-ban.md): Add a ban to the user, either for a specific period or permanently.

### Update server custom ID for user

 - [PUT /projects/{project_id}/users/{user_id}/server_custom_id](https://developers.xsolla.com/api/login/user-profile/put-user-custom-id.md): Updates server custom ID for a user.

### [JWT] Resend account confirmation email

 - [POST /user/resend_confirmation_link](https://developers.xsolla.com/api/login/user-profile/jwt-resend-account-confirmation-email.md): Resends an account confirmation email to a user. To complete account confirmation, the user should follow the link in the email.

### Check user age

 - [POST /users/age/check](https://developers.xsolla.com/api/login/user-profile/check-users-age.md): Checks user’s age for a particular region. The age requirements depend on the region. Service determines the user’s location by the IP address.

### Get user details

 - [GET /users/me](https://developers.xsolla.com/api/login/user-profile/get-user-details.md): Gets details of the user authenticated by the JWT.

### Update user details

 - [PATCH /users/me](https://developers.xsolla.com/api/login/user-profile/update-user-details.md): Updates the details of the authenticated user by JWT.

### Get user devices

 - [GET /users/me/devices](https://developers.xsolla.com/api/login/user-profile/get-users-devices.md): Gets a list of user’s devices.

### Link device to account

 - [POST /users/me/devices/{device_type}](https://developers.xsolla.com/api/login/user-profile/link-device-to-account.md): Links the specified device to the user account. To enable authentication via device ID and linking, use the instruction.

### Unlink device from account

 - [DELETE /users/me/devices/{id}](https://developers.xsolla.com/api/login/user-profile/unlink-device-from-account.md): Unlinks the specified device from the user account. To enable authentication via device ID and unlinking, contact your Customer Success Manager.

### Get user email

 - [GET /users/me/email](https://developers.xsolla.com/api/login/user-profile/get-user-email.md): Gets the email of the authenticated user by JWT.

### Add username/email auth to account

 - [POST /users/me/link_email_password](https://developers.xsolla.com/api/login/user-profile/add-username-email-auth-to-account.md): Adds the username/email and password authentication to the existing user account. This call is used if the account is created via device ID or phone number.

### Get links for social auth

 - [GET /users/me/login_urls](https://developers.xsolla.com/api/login/user-profile/get-links-for-social-auth.md): Gets links for authentication via the social networks enabled in your Login project > General settings > Social Networks section of Publisher Account. The links are valid for 10 minutes.

You can get the link by this call and add it to your button for authentication via the social network.

### Get user phone number

 - [GET /users/me/phone](https://developers.xsolla.com/api/login/user-profile/get-user-phone-number.md): Gets the phone number of the authenticated user by JWT.

The phone number in this call is used only for passing the two-factor authentication.

### Update user phone number

 - [POST /users/me/phone](https://developers.xsolla.com/api/login/user-profile/update-user-phone-number.md): Updates the phone number of the authenticated user by JWT.

The phone number in this call is used only for passing the two-factor authentication.

### Delete user phone number

 - [DELETE /users/me/phone/{phoneNumber}](https://developers.xsolla.com/api/login/user-profile/delete-user-phone-number.md): Deletes the phone number of the authenticated user by JWT.

The phone number in this call is used only for passing the two-factor authentication.

### Confirmation of request to link phone number to user

 - [POST /users/me/phone_link/confirm](https://developers.xsolla.com/api/login/user-profile/confirm-phone-number.md): 1. Call the method /users/me/phone_link/request
2. Put your phone number in the body of the request
3. Then u will receive the sms code
4. Call method /users/me/phone_link/confirm with the code

### Request to link phone number to user as new method of authorization

 - [POST /users/me/phone_link/request](https://developers.xsolla.com/api/login/user-profile/link-phone-number.md): 1. Call the method /users/me/phone_link/request
2. Put your phone number in the body of the request
3. Then u will receive the sms code
4. Call method /users/me/phone_link/confirm with the code

### Delete user picture

 - [DELETE /users/me/picture](https://developers.xsolla.com/api/login/user-profile/delete-user-picture.md): Deletes the profile picture of the authenticated user by JWT.

### Upload user picture

 - [POST /users/me/picture](https://developers.xsolla.com/api/login/user-profile/upload-user-picture.md): Uploads the profile picture of the authenticated user by JWT.

## Account linking

### Create code for linking accounts

 - [POST /users/account/code](https://developers.xsolla.com/api/login/account-linking/create-code-for-linking-accounts.md): Creates the code for linking the platform account to the existing main account when the user logs in to the game via a gaming console.

The call is used with Link accounts by code request.

### Link accounts by code

 - [POST /users/account/link](https://developers.xsolla.com/api/login/account-linking/link-accounts-by-code.md): Links the platform account to the existing main account by the code.

To link accounts, the game server uses this call with the response from the Create code for linking accounts request.

### Link user IDs via external ID

 - [POST /users/account/link_external_id](https://developers.xsolla.com/api/login/account-linking/link-user-ids-via-external-id.md): Links a user from your game to a user from your Login project via an external ID. You will not be able to link the same external ID to different users and update the external ID of a user if they already have it.

You can find an external ID in:
* a user JWT after successful authentication as a value of the external_account_id claim,
* a response of the Get user details call as a value of the external_id parameter.

## Password reset

### Confirm password reset

 - [POST /password/reset/confirm](https://developers.xsolla.com/api/login/password-reset/confirm-password-reset.md): Confirms the user password reset.

You can reset user password if you use Login widget forms or your own password reset forms. If you use your own forms, contact your Customer Success Manager and specify the URL of your password reset form.

The workflow of using this call with your own forms:
1. The application opens a form so the user can enter their email or username.
2. The user enters their email or username.
3. The application sends the Reset password request to the Xsolla Login server.
4. The Xsolla Login server sends a confirmation email to the user.
5. The user follows the link in the email and proceeds to the form for setting a new password.
6. The user enters a new password and clicks Set new password.
7. The application or Login widget sends this request to the Xsolla Login server.

### Reset password

 - [POST /password/reset/request](https://developers.xsolla.com/api/login/password-reset/reset-password.md): Resets the user password with user confirmation. If the user data is kept in the Xsolla data storage or on your side, users receive a password change confirmation email. If the user data is kept in the PlayFab storage, password reset is done on PlayFab’s side. To get more information, see the Comparison of user data storages page.

The workflow of using this call:
1. The application opens a form so the user can enter their email or username.
2. The user enters their email or username.
3. The application sends this request to the Xsolla Login server.
4. The Xsolla Login server sends a confirmation email to the user.
5. The user follows the link in the email and proceeds to the form for setting a new password.
6. The user enters a new password and clicks Set new password.
7. The application sends the Confirm password reset request to the Xsolla Login server.

If you use your own password reset form, use the Confirm password reset call to reset the user password.

## User search

### Get user by ID for project

 - [GET /projects/{project_id}/users](https://developers.xsolla.com/api/login/search/get-user-for-project.md): Gets user data by user ID.

### Search users

 - [GET /projects/{project_id}/users/search](https://developers.xsolla.com/api/login/search/search-users-by-filter.md): Searches users by criteria. Returns results with pagination and ordering.

### Get user by ID

 - [GET /projects/{project_id}/users/search/by_id/{user_id}](https://developers.xsolla.com/api/login/search/get-user.md): Gets user data by user ID.

### Get social profiles

 - [GET /projects/{project_id}/users/{user_id}/social_profile](https://developers.xsolla.com/api/login/search/get-all-users-social-profiles.md): Gets all user's social profiles.

### Get user IDs by social ID and platform

 - [POST /users/linking_info](https://developers.xsolla.com/api/login/search/get-users-ids-by-social-id-and-platform.md): The call will return:
* user ID if the user has linked the main account.
* user ID if the user has linked the platform account.
* xl_uid=null if the user does not have a linked account.

### Search users by nickname

 - [GET /users/search/by_nickname](https://developers.xsolla.com/api/login/search/search-users-by-nickname.md): Searches users by the nickname parameter and gets a list of them. Search can be performed instantly when the user starts entering the search parameter.

The workflow of using this call:
1. The user enters a nickname or tag, or nickname and tag.
2. The Xsolla Login server searches for users in the Login project data of the user who initiated a search.

The current user can execute this call only one time per second.

## Social networks

### Get linked networks

 - [GET /users/me/social_providers](https://developers.xsolla.com/api/login/social-networks/get-linked-networks.md): Gets a list of the social networks linked to the user account.

### Delete linked network

 - [DELETE /users/me/social_providers/{providerName}](https://developers.xsolla.com/api/login/social-networks/delete-linked-networks.md): Deletes social network linked to the user account.

### Link social network to account

 - [GET /users/me/social_providers/{providerName}/login_redirect](https://developers.xsolla.com/api/login/social-networks/link-social-network-to-account.md): Links the social network, which is used by the player for authentication, to the user account.

The linking flow:
1. The user authenticates on the game website.
2. The UI offers to link the social network to the user account.
3. The Xsolla Login server redirects the user to the social network.
4. The user authenticates in the social network.
5. The Xsolla Login server links the social network to the user account.
6. The Xsolla Login server redirects the user to the game website.

### Get URL to link social network to account

 - [GET /users/me/social_providers/{providerName}/login_url](https://developers.xsolla.com/api/login/social-networks/get-url-to-link-social-network-to-account.md): Gets the URL to link the social network to the user’s account. The social network should be used for authentication.

The linking flow:
1. The user authenticates on the game website.
2. The UI offers to link the social network to the user account.
3. The Xsolla Login server returns social network URL.
4. The game website redirects the user to the social network.
5. The user authenticates in the social network.
6. The Xsolla Login server links the social network to the user account.
7. The Xsolla Login server redirects the user to the game website.

## User friends

### Get user friends

 - [GET /users/me/relationships](https://developers.xsolla.com/api/login/user-friends/get-users-friends.md): Gets a list of users added as friends of the authenticated user.

### Update user friends

 - [POST /users/me/relationships](https://developers.xsolla.com/api/login/user-friends/update-users-friends.md): Updates the friend list of the authenticated user.

### Get social account friends

 - [GET /users/me/social_friends](https://developers.xsolla.com/api/login/user-friends/get-social-account-friends.md): Gets a list of user’s friends from a social provider.

### Update social account friends

 - [POST /users/me/social_friends/update](https://developers.xsolla.com/api/login/user-friends/update-social-account-friends.md): Begins data processing to update a list of user’s friends from a social provider. Note that there may be a delay in data processing because of the Xsolla Login server or provider server high loads.

### Get user public profile

 - [GET /users/{user_id}/public](https://developers.xsolla.com/api/login/user-friends/get-user-public-profile.md): Gets the user information from their public profile by the user ID.

## User groups

### Delete user groups

 - [DELETE /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/delete-user-groups.md): Deletes user groups. NoticeA Default group cannot be passed to this method.This method automatically updates user tags in Mailchimp if you have connected it.

### Get user groups

 - [GET /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/get-user-groups.md): Gets all user's groups.

### Update user groups

 - [PATCH /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/update-user-groups.md): Updates user's groups. NoticePass IDs of all groups where the users should be, other groups will be automatically deactivated for this user.This method automatically updates user tags in Mailchimp if you have connected it.

### Manage groups for user

 - [PUT /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/manage-user-groups.md): Manages groups for a user. A default group cannot be passed to this method. NoticeA Default group cannot be passed to this method.This method automatically updates user tags in Mailchimp if you have connected it.

## Export/Import

### Export user data

 - [POST /projects/{project_id}/export_users](https://developers.xsolla.com/api/login/bulk-user-management/export-users.md): Exports user data (personal information and attributes) from the Login project to an archive of CSV files. You will receive the archive of user data to the specified email address.

The call can be requested 1 time per hour.

### Import user data

 - [POST /projects/{project_id}/user_import](https://developers.xsolla.com/api/login/bulk-user-management/upload-import-file.md): Imports user data from a CSV format file to the Login project.

## Via server custom ID

### [JWT] Auth by custom ID

 - [POST /users/login/server_custom_id](https://developers.xsolla.com/api/login/server-custom-id/auth-by-custom-id.md): Authenticates a user by a particular custom ID. If the user does not exist, they are created.

## User and server token management

### [OAuth2.0] Generate JWT

 - [POST /oauth2/token](https://developers.xsolla.com/api/login/token-management/generate-jwt.md): Use this call:
* To get a user JWT.
* To refresh the JWT when it expires. Works only if scope=offline is passed in the registration or authentication call.
* To get a server JWT. The user participation isn’t needed.
* To exchange user JWT for a new one with different scope.

Usage of this call depends on the value of the grant_type parameter.

### [OAuth2.0] Revoke Token

 - [POST /oauth2/token/revoke](https://developers.xsolla.com/api/login/token-management/revoke-jwt.md): Revokes an obtained access token

### Validate Server JWT

 - [POST /server/token/validate](https://developers.xsolla.com/api/login/token-management/validate-server-jwt.md): Validates a server JWT. Checks the following criteria:
- the lifetime of the token
- existence of the Login project
- presence of an authentic signature from the login.xsolla.com server
- value of the request_type field: gateway_token

### Validate user JWT

 - [POST /token/validate](https://developers.xsolla.com/api/login/token-management/validate-jwt.md): Validates a user JWT based on the following criteria:
- the lifetime of the token
- existence of the Login project
- presence of an authentic signature from the login.xsolla.com server
- user existence
- Validates the user JWT.

## Via device ID

### [JWT] Auth via device ID

 - [POST /login/device/{device_type}](https://developers.xsolla.com/api/login/device-id/jwt-auth-via-device-id.md): Authenticates a user via a particular device ID. To enable silent authentication, use the instruction.

### [OAuth2.0] Auth via device ID

 - [POST /oauth2/login/device/{device_type}](https://developers.xsolla.com/api/login/device-id/oauth-20-auth-via-device-id.md): Authenticates a user via a particular device ID.

## Via social networks

### [OAuth 2.0] Auth via social network

 - [GET /oauth2/social/{provider_name}/login_redirect](https://developers.xsolla.com/api/login/social-login/oauth-20-auth-via-social-network.md): Redirects the user to the page for authentication via the specified social network.

### [OAuth 2.0] Get link for social auth

 - [GET /oauth2/social/{provider_name}/login_url](https://developers.xsolla.com/api/login/social-login/oauth-20-get-link-for-social-auth.md): Gets the link for authentication via the social network. The link is valid for 10 minutes.

You can get the link by this call and add it to your button for authentication via a social network.

### [OAuth 2.0] Auth via access token of social network

 - [POST /oauth2/social/{provider_name}/login_with_token](https://developers.xsolla.com/api/login/social-login/oauth-20-auth-via-access-token-of-social-network.md): Authenticates the user with the access token using social network credentials.

### [JWT] Auth via social network

 - [GET /social/{provider_name}/login_redirect](https://developers.xsolla.com/api/login/social-login/jwt-auth-via-social-network.md): Redirects the user to the page for authentication via the specified social network.

### [JWT] Get link for social auth

 - [GET /social/{provider_name}/login_url](https://developers.xsolla.com/api/login/social-login/jwt-get-link-for-social-auth.md): Gets the link for authentication via the social network. The link is valid for 10 minutes.

You can get the link by this call and add it to your button for authentication via the social network.

### [JWT] Auth via access token of social network

 - [POST /social/{provider_name}/login_with_token](https://developers.xsolla.com/api/login/social-login/jwt-auth-via-access-token-of-social-network.md): Authenticates the user with the access token using social network credentials.

### [JWT] Refresh social tokens in JWT

 - [POST /social/{provider_name}/refresh_token](https://developers.xsolla.com/api/login/social-login/jwt-refresh-social-token.md): Refreshes social token by social refresh token from JWT.

## Cross-platform

### [OAuth 2.0] Silent authentication

 - [GET /oauth2/social/{oauth2_cross_social_provider_name}/cross_auth](https://developers.xsolla.com/api/login/cross-platform/oauth-20-silent-authentication.md): Exchanges a platform-specific authentication credential (a session ticket/exchange code/authorization token) from Epic Games, Steam, or Xbox for the JWT in your project (projectId).

You will get the link to redirect the user to your project.

To enable silent authentication, use the instruction.

### [JWT] Silent authentication

 - [GET /social/{cross_social_provider_name}/cross_auth](https://developers.xsolla.com/api/login/cross-platform/jwt-silent-authentication.md): Exchanges a platform-specific authentication credential (a session ticket/exchange code/authorization token) from Epic Games, Steam, or Xbox for the JWT in your project (projectId).

You will get the link to redirect the user to your project.

To enable silent authentication, use the instruction.

## Classic (with password)

### [JWT] Auth by username and password

 - [POST /login](https://developers.xsolla.com/api/login/login-and-password/auth-by-username-and-password.md): Authenticates the user by the username/email and password specified.

### [OAuth 2.0] Auth by username and password

 - [POST /oauth2/login](https://developers.xsolla.com/api/login/login-and-password/oauth-20-auth-by-username-and-password.md): Authenticates the user by the username/email and password specified. To finish user authentication, get the user JWT by sending the Generate JWT request.

### [OAuth 2.0] JWT auth by username and password

 - [POST /oauth2/login/token](https://developers.xsolla.com/api/login/login-and-password/jwt-auth-by-username-and-password.md): Authenticates the user by the username/email and password and returns a JWT. Exchanging the code to a JWT via the Generate JWT call is not needed.

### [OAuth2.0] Register new user

 - [POST /oauth2/user](https://developers.xsolla.com/api/login/login-and-password/oauth-20-register-new-user.md): Creates a new user.

* If you store user data at Xsolla or in custom storage, the user will receive an account confirmation email.
* If you store user data at PlayFab, you can set up sending the account confirmation email to the user. Use the PlayFab instruction for this.
* If you store user data at Firebase, the user will receive an account confirmation message from Firebase side.

See the Comparison of user data storages page for more information about user data storages.

### [JWT] Register new user

 - [POST /user](https://developers.xsolla.com/api/login/login-and-password/jwt-register-new-user.md): Creates a new user.

* If you store user data at Xsolla or custom storage, the user will receive an account confirmation message.
 If you store user data at PlayFab, the user will not* receive an account confirmation message.
* If you store user data at Firebase, the user will receive an account confirmation message from Firebase side.

See the Comparison of user data storages page for more information about user data storages.

## Passwordless

### [JWT] Complete auth by email

 - [POST /login/email/confirm](https://developers.xsolla.com/api/login/passwordless/jwt-complete-auth-by-email.md): Completes authentication by the user email address and a confirmation code. The code lifetime is 3 minutes.

This call is used only with the Start auth by email call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their email address.
2. The user enters their email address.
3. The application sends the Start auth by email request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the email will contain the confirmation code only.
4. The Xsolla Login server sends the email and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends this request to the Xsolla Login server with the received ID.
8. The user is considered as authorized.

### [JWT] Start auth by email

 - [POST /login/email/request](https://developers.xsolla.com/api/login/passwordless/jwt-start-auth-by-email.md): Starts authentication by the user email address and sends a confirmation code to their email address. The code lifetime is 3 minutes.

This call is used only with the Complete auth by email call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their email address.
2. The user enters their email address.
3. The application sends this request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the email will contain the confirmation code only.
4. The Xsolla Login server sends the email and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the linke.
7. The application sends the Complete auth by email request with the received ID to the Xsolla Login server.
8. The user is considered as authorized.

### [JWT] Complete auth by phone number

 - [POST /login/phone/confirm](https://developers.xsolla.com/api/login/passwordless/jwt-complete-auth-by-phone-number.md): Completes authentication by the user phone number and a confirmation code. The code lifetime is 3 minutes.

This call is used only with the Start auth by phone number call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their phone number.
2. The user enters their phone number.
3. The application sends the Start auth by phone number request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only.
4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends this request to the Xsolla Login server.
8. The user is considered as authorized.

### [JWT] Start auth by phone number

 - [POST /login/phone/request](https://developers.xsolla.com/api/login/passwordless/jwt-start-auth-by-phone-number.md): Starts authentication by the user phone number and sends a confirmation code to their phone number. The code lifetime is 3 minutes.

This call is used only with the Complete auth by phone number call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their phone number.
2. The user enters their phone number.
3. The application sends this request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only.
4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends the Complete auth by phone number request with the received ID to the Xsolla Login server.
8. The user is considered as authorized.

### [OAuth2.0] Complete auth by email

 - [POST /oauth2/login/email/confirm](https://developers.xsolla.com/api/login/passwordless/oauth-20-complete-auth-by-email.md): Completes authentication by the user email address and a confirmation code. The code lifetime is 3 minutes.

This call is used only with the Start auth by email call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their email address.
2. The user enters their email address.
3. The application sends the Start auth by email request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the email will contain the confirmation code only.
4. The Xsolla Login server sends the email and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends this request to the Xsolla Login server with the received ID.
8. The user is considered as authorized.

### [OAuth2.0] Start auth by email

 - [POST /oauth2/login/email/request](https://developers.xsolla.com/api/login/passwordless/oauth-20-start-auth-by-email.md): Starts authentication by the user email address and sends a confirmation code to their email address. The code lifetime is 3 minutes.

This call is used only with the Complete auth by email call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their email address.
2. The user enters their email address.
3. The application sends this request to the Xsolla Login server:
   a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link.
   b. If the parameter send_link is false or not passed, the email will contain the confirmation code only.
4. The Xsolla Login server sends the email and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends the Complete auth by email request with the received ID to the Xsolla Login server.
8. The user is considered as authorized.

### [OAuth2.0] Complete auth by phone number

 - [POST /oauth2/login/phone/confirm](https://developers.xsolla.com/api/login/passwordless/oauth-20-complete-auth-by-phone-number.md): Completes authentication by the user phone number and a confirmation code. The code lifetime is 3 minutes.

This call is used only with the Start auth by phone number call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their phone number.
2. The user enters their phone number.
3. The application sends the Start auth by phone number request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only.
4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends this request to the Xsolla Login server.
8. The user is considered as authorized.

### [OAuth2.0] Start auth by phone number

 - [POST /oauth2/login/phone/request](https://developers.xsolla.com/api/login/passwordless/oauth-20-start-auth-by-phone-number.md): Starts authentication by the user phone number and sends a confirmation code to their phone number. The code lifetime is 3 minutes.

This call is used only with the Complete auth by phone number call.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their phone number.
2. The user enters their phone number.
3. The application sends this request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only.
4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends the Complete auth by phone number request with the received ID to the Xsolla Login server.
8. The user is considered as authorized.

### Get confirmation code

 - [GET /otc/code](https://developers.xsolla.com/api/login/passwordless/get-confirmation-code.md): Waits until the user follows the link provided via email or SMS and returns the confirmation code for authentication. If you sent this call and after 20 seconds you didn't get the code, there was an error. In this case, resend the call immediately. The code lifetime is 3 minutes.

The workflow of using this call:
1. The application opens an authentication form so the user can enter their email address.
2. The user enters their email address.
3. The application sends the Start auth by email or phone number (JWT or OAuth 2.0) request to the Xsolla Login server:
  a. If the parameter send_link is true, after this request, you should send this same request to make email or SMS contain the confirmation code and link.
  b. If the parameter send_link is false or not passed, the email will contain the confirmation code only.
4. The Xsolla Login server sends an email or SMS to the user and returns the ID of the confirmation code.
5. The application shows a field so the user can fill in the confirmation code.
6. The user enters the received confirmation code or follows the link.
7. The application sends the Complete auth by email or phone number (JWT or OAuth 2.0) request with the received ID to the Xsolla Login server.
8. The user is considered as authorized.

### Register new user from server

 - [POST /users](https://developers.xsolla.com/api/login/passwordless/register-new-user-from-server.md): Creates a new user with requested body parameters. These parameters are set as confirmed. Combination of parameters passed to the body must include at least email or phone_number parameter. The call is used only if you set up Xsolla storage. NoticeRate limits for server-side methods are applied to this method.

## SSO

### OAuth 2.0 authorize

 - [GET /oauth2/auth](https://developers.xsolla.com/api/login/sso/oauth2-authorize.md): Checks the presence of a valid SSO session. Redirects to the URL passed in the redirect_url parameter with an authorization code.

### [OAuth 2.0] Clear SSO

 - [GET /oauth2/clear_sso](https://developers.xsolla.com/api/login/sso/clear-sso-cookie.md): Deletes user's SSO cookie for given project.

### [OAuth 2.0] Log user out

 - [GET /oauth2/logout](https://developers.xsolla.com/api/login/sso/log-user-out.md): Logs the user out and deletes the user session according to the value of the sessions parameter. Call the Check user authentication call to see if the user is logged in.

### [OAuth 2.0] Check user authentication

 - [GET /oauth2/sso](https://developers.xsolla.com/api/login/sso/check-user-authentication.md): Checks if a user has already logged in via a service. If they have, you will receive an OAuth 2.0 authorization code without user participation. Used in Single Sign-on.

## OAuth 2.0 consent management

### [OAuth 2.0] Save consent for OAuth 2.0

 - [POST /oauth2/consent](https://developers.xsolla.com/api/login/consent-management/oauth2-save-consent.md): Saves the user's consent to the application of certain scopes for a specific OAuth 2.0 client.

### [OAuth 2.0]Check consent for OAuth 2.0

 - [POST /oauth2/consent/validate](https://developers.xsolla.com/api/login/consent-management/oauth2-check-consent.md): Checks if the user gave consent to the application of the user data collection scope for a specific OAuth 2.0 client.

## Client-side

### Get attributes by server custom IDs

 - [POST /attributes/custom_id/get](https://developers.xsolla.com/api/login/attributes-client/get-attributes-by-server-custom-id.md): Gets a list of particular user’s attributes.NoticeRate limits for server-side methods are applied to this method.

### Get user attributes from client

 - [POST /attributes/users/me/get](https://developers.xsolla.com/api/login/attributes-client/get-users-attributes-from-client.md): Gets a list of particular user’s attributes. Returns only attributes with the client value of attr_type parameter.NoticeRate limits for client-side methods are applied to this method.

### Get read-only user attributes from client

 - [POST /attributes/users/me/get_read_only](https://developers.xsolla.com/api/login/attributes-client/get-users-read-only-attributes-from-client.md): Gets a list of particular user’s read-only attributes. Returns only attributes with the server value of the attr_type parameter, which was set only for reading.NoticeRate limits for client-side methods are applied to this method.

### Update user attributes from client

 - [POST /attributes/users/me/update](https://developers.xsolla.com/api/login/attributes-client/update-users-attributes-from-client.md): Updates and creates particular user’s attributes.NoticeRate limits for client-side methods are applied to this method.

## Server-side

### Get users by attribute from server

 - [POST /attributes/users/get](https://developers.xsolla.com/api/login/attributes-server/get-users-by-attribute-from-server.md): Gets a list of users by an attribute. Returns a list of the users’ IDs, their emails, and the attributes that were specified in the ‘key’ object of the request.NoticeRate limits for server-side methods are applied to this method.

### Get user attributes from server

 - [POST /attributes/users/{user_id}/get](https://developers.xsolla.com/api/login/attributes-server/get-users-attributes-from-server.md): Gets user’s attributes.NoticeRate limits for server-side methods are applied to this method.

### Get read-only user attributes from server

 - [POST /attributes/users/{user_id}/get_read_only](https://developers.xsolla.com/api/login/attributes-server/get-users-read-only-attributes-from-server.md): Gets a list of user’s read-only attributes.NoticeRate limits for server-side methods are applied to this method.

### Update user attributes from server

 - [POST /attributes/users/{user_id}/update](https://developers.xsolla.com/api/login/attributes-server/update-users-attributes-from-server.md): Updates and creates user’s attributes.NoticeRate limits for server-side methods are applied to this method.

### Update user read-only attributes from server

 - [POST /attributes/users/{user_id}/update_read_only](https://developers.xsolla.com/api/login/attributes-server/update-users-read-only-attributes-from-server.md): Updates and creates user’s read-only attributes.NoticeRate limits for server-side methods are applied to this method.

### Update user attributes from server by server custom ID

 - [POST /projects/{project_id}/server_custom_id/{server_custom_id}/attributes](https://developers.xsolla.com/api/login/attributes-server/update-users-attributes-from-server-by-server-custom-id.md): Updates and creates user attributes by user ID on your server (server_custom_id).NoticeRate limits for server-side methods are applied to this method.

### Get attributes by user ID

 - [GET /projects/{project_id}/users/{user_id}/attributes](https://developers.xsolla.com/api/login/attributes-server/get-attributes-by-user-id.md): Gets a list of user’s attributes. Returns only attributes values for user by his ID.NoticeRate limits for server-side methods are applied to this method.

## Validation schema

### Delete schema

 - [DELETE /project/{project_id}/attribute_schema](https://developers.xsolla.com/api/login/attributes-schema/delete-attributes-schema.md): Deletes JSON Schema of user attributes from the Login project.NoticeRate limits for server-side methods are applied to this method.

### Get schema

 - [GET /project/{project_id}/attribute_schema](https://developers.xsolla.com/api/login/attributes-schema/get-attributes-schema.md): Gets JSON Schema of user attributes.NoticeRate limits for server-side methods are applied to this method.

### Update schema

 - [PUT /project/{project_id}/attribute_schema](https://developers.xsolla.com/api/login/attributes-schema/put-attributes-schema.md): Updates JSON Schema of user attributes.NoticeRate limits for server-side methods are applied to this method.