# Login API # Overview {% #overview %} * **Version:** 1.0.0 * **Servers**: `https://login.xsolla.com/api` * **Protocols**: https * **Accepts**: application/json * **Responds with**: application/json * **[Contact us by email](mailto:integration@xsolla.com)** * **Contact URL:** https://xsolla.com/ This section describes API calls for working with [Login](https://developers.xsolla.com/doc/login). [Set up](/doc/login/integration-guide/integrate-solution/#login_guide_integration_api) your Login project in [Publisher Account](https://publisher.xsolla.com/) before sending requests. # IP addresses {% #ip-addresses %} The full list of IP addresses that login.xsolla.com may use: * 34.94.0.85 * 34.94.14.95 * 34.94.25.33 * 34.94.115.185 * 34.94.154.26 * 34.94.173.132 * 34.102.48.30 * 35.235.99.248 * 35.236.32.131 * 35.236.35.100 * 35.236.117.164 # Glossary {% #glossary %} You have access to the following Login project types in Publisher Account: * Standard Login project * Shadow Login project To find more information on it, see [Cross-platform account](https://developers.xsolla.com/doc/login/features/cross-platform-account/) feature. ## Rate limits {% #glossary-rate-limits %} Are the restrictions applied by Xsolla API on the frequency of access by a user within a defined timeframe. ## Standard Login project {% #glossary-standard-login-project %} Is a Login project that is used to store main accounts. ## Shadow Login project {% #glossary-shadow-login-project %} Is a Login project that is used to store platform accounts. ## Main account {% #glossary-main-account %} Is an account type that is created in a standard Login project and linked to platform accounts. The main account is used to identify the player on different platforms. ## Platform account {% #glossary-platform-account %} Is an account type that is created in a shadow Login project and connected to a definite publishing platform. The platform account can't be linked to another platform account. Also, you can't unlink the accounts from a main account. ## Publishing platform {% #glossary-publishing-platform %} Is a game platform that is used for game distribution (e.g. Steam, PlayStation, Xbox, etc.). # Authentication {% #authentication %} Login API supports the following token types: * User token. It is used for sending requests to the following user resources: * profile * friends * attributes * Server token. It is used for sending requests to application resources such as settings or user data. The following requests are available: * [Create platform accounts](https://developers.xsolla.com/api/login/operation/auth-by-custom-id) * [Get user data](https://developers.xsolla.com/api/login/operation/get-users-ids-by-social-id-and-platform) * [Link accounts](https://developers.xsolla.com/api/login/operation/link-accounts-by-code) * [Link user accounts via external ID](https://developers.xsolla.com/api/login/operation/link-user-ids-via-external-id) ## Authentication schemes {% #authentication-schemes %} You can determine whether an API call is client or server-side by the scheme of authentication: - Client-side — are called without authentication or with the `Authorization` header: `Bearer ` header, where `` — is the user token. - Server-side API calls for implementing the user flow — are called with the header: `X-SERVER-AUTHORIZATION: `, where `` — is the server token. ## Getting a user token {% #getting-user-token %} To get the token, send one of the following requests: * user registration ([JWT](https://developers.xsolla.com/api/login/operation/jwt-register-new-user) or [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-register-new-user)) * authentication by username and password ([JWT](https://developers.xsolla.com/api/login/operation/auth-by-username-and-password), [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-auth-by-username-and-password), or [JWT auth by username and password](https://developers.xsolla.com/api/login/operation/jwt-auth-by-username-and-password)) * authentication via social networks ([JWT](https://developers.xsolla.com/api/login/operation/jwt-auth-via-social-network) or [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-auth-via-social-network)) * silent authentication ([JWT](https://developers.xsolla.com/api/login/operation/jwt-silent-authentication) or [OAuth 2.0](https://developers.xsolla.com/api/login/operation/oauth-20-silent-authentication)) * [authentication via a social network access token](https://developers.xsolla.com/api/login/operation/jwt-auth-via-access-token-of-social-network) * [authentication via a publishing platform](https://developers.xsolla.com/api/login/operation/auth-by-custom-id) After JWT authentication, the user is redirected to the Callback URL with a token in a query-parameter: `?token=`. After OAuth 2.0 protocol-based authentication, send the [Generate JWT](https://developers.xsolla.com/api/login/operation/generate-jwt) `POST` request to the Xsolla Login server to exchange the received `code` parameter for a user token (`access_token`). When the access token expires, the client sends [Generate JWT](https://developers.xsolla.com/api/login/operation/generate-jwt) `POST` request endpoint on the Xsolla Login server. The request body must include the following parameters: - `grant_type` — JWT grant type, pass the `refresh_token` value. - `client_id` — OAuth 2.0 client ID. - `refresh_token` — refresh token received in response to the user authorization request. ## Getting a server token {% #getting-server-token %} To get a server token: 1. [Set up server OAuth 2.0 client](#set-up-server-oauth-20-client). 2. [Generate server JWT](#generate-server-jwt). ### Set up server OAuth 2.0 client {% #set-up-server-oauth-20-client %} 1. Open your project in [Publisher Account](https://publisher.xsolla.com/) and go to the **Login section**. 2. Click **Configure** in the panel of a **Login** project. 3. Go to the **Security** block and select the **OAuth 2.0** section. 4. Click **Add OAuth 2.0 Client**. 5. Check the **Server (server-to-server connection)** box. 6. Specify **Token lifetime**. 7. Click **Connect**. 8. Copy and save the client ID and secret key. ### Generate server JWT {% #generate-server-jwt %} On the back end of your application, implement a method to get the server JWT using the [Generate JWT API](https://developers.xsolla.com/api/login/operation/generate-jwt/) call. The request must contain the following parameters: * `grant_type` is the type of getting JWT, pass the `client_credentials` value. * `client_secret` is the secret key that is received when you set up the server OAuth 2.0 client. * `client_id` is the client ID received when you set up the server OAuth 2.0 client. When the server token expires, generate a new token using the [Generate JWT API](https://developers.xsolla.com/api/login/operation/generate-jwt/) call. The request body must include the following parameters: - `grant_type` — JWT grant type, pass the `client_credentials` value. - `client_id` — OAuth 2.0 client ID. - `client_secret` — OAuth 2.0 client secret key. # Rate limits {% #rate-limits %} To prevent Xsolla system overloads and protect against sudden spikes in incoming traffic, Xsolla limits the number of requests received by the Xsolla API within a specified period of time. If the limit is exceeded, the Xsolla API returns an HTTP response with the `429` status code. Rate limits vary by method, IP-address, authentication scheme, and other factors. Rate limits for server-side methods are applied to methods with server-side authentication — methods that are called with the `X-SERVER-AUTHORIZATION: ` header, where `` is the server token. Rate limits for client-side methods are applied to methods without authentication or with client-side authentication — methods that are called with the `Authorization: Bearer ` header, where `` is the user token. **Example of a method with server-side authentication:** ![Example of a method with server-side authentication](https://cdn.xsolla.net/developers/current/images/api_docs/login-rate-limits-1.png) **Example of a method with client-side authentication:** ![Example of a method with server-side authentication](https://cdn.xsolla.net/developers/current/images/api_docs/login-rate-limits-2.png) Rate limits for client-side methods do not change and are necessary to prevent brute-force attacks. The maximum request rate for server-side methods is higher than for client-side methods. You can refer to the recommendations on how to manage rate limits in the [documentation](https://developers.xsolla.com/api/getting-started/#api_rate_limits). {% html name="div" attrs={"class": "note"} %} **Note** In certain cases, it is possible to adjust the rate limits by request. To request the rate limits adjustment, contact your Customer Success Manager or email [csm@xsolla.com](mailto:csm@xsolla.com). {% /html %} # JWT structure {% #jwt-structure %} Every token has a [JWT](https://jwt.io/) format and contains a definite information in a payload. ## User JWT {% #user-jwt %} User JWT is a token received as a result of authentication or registration. A token payload contains information about the user and authentication call. Getting a user token via the OAuth 2.0 protocol requires an OAuth 2.0 client. The user token is passed in the `Authorization: Bearer ` header. ## Main claims {% #jwt-main-claims %} A token will contain the main claims after authentication or email address confirmation. Presence of these claims does not depend on the user database and authentication call. | Claim | Type | Required | Description | |---|---|---|---| | `exp` | [Unix Timestamp](https://www.unixtimestamp.com/) | Yes | Date and time of token expiration. Default expiration time is 24 hours. You can change expiration time for every Login project. | | `iss` | string | Yes | Service that signed the token: `https://login.xsolla.com`. | | `iat` | [Unix Timestamp](https://www.unixtimestamp.com/) | Yes | Date and time of giving the token. | | `sub` | string (UUID) | Yes | User ID written on the Xsolla Login server side. | | `groups` | array | Yes | List of groups the user is in. Each group: `id` — group ID; `name` — group name; `is_default` — whether the group is default (`true` or `false`). There can be only one default group, which initially includes all users before they are distributed into different groups. | | `xsolla_login_project_id` | string (UUID) | Yes | Login project ID. | | `type` | string | | Authentication option: `xsolla_login` — login via username/email and password; `social` — social login; `email` — passwordless login via one-time code by email; `phone` — by SMS; `firebase` — Firebase storage; `playfab` — PlayFab storage; `proxy` — custom storage; `device` — device ID; `server_custom_id` — custom ID. | | `avatar` | string | | User avatar URL. | | `username` | string | | Username. | | `publisher_id` | integer | | ID of a merchant who owns a Login project. | | `email` | string | | User email address. | | `payload` | string | | Additional information that is passed in the payload parameter during authentication. | | `promo_email_agreement` | boolean | | `true` if the user agrees to receive a newsletter, `false` otherwise. Default: `true`. To add to the [Login widget](https://developers.xsolla.com/doc/login/integration-guide/integrate-solution/#login_guide_integration_widget) registration form: contact your Account Manager (Widget 2.0) or add the `fields` parameter with the `promo_email_agreement` value to the [initialization code](https://github.com/xsolla/xsolla-login-js-sdk#step-2-initializing-widget) (previous widget version). | | `connection_information` | string | | Shows whether the user confirmed their birth date or not. Confirmation is made via the [okname](https://www.ok-name.co.kr/) service. | ## PlayFab storage {% #playfab-storage %} Claims that are contained in the token after authentication if you use [PlayFab storage](https://developers.xsolla.com/doc/login/integration-guide/connect-users-storage/). | Claim | Type | Required | Description | |---|---|---|---| | `external_account_id` | string | Yes | User PlayFab ID. | | `session_ticket` | string | Yes | A **SessionTicket** parameter received during an authentication request or requests to the [PlayFab API](https://api.playfab.com/documentation/client). A token contains the claim if you authenticate users via the OAuth 2.0 protocol and pass the `playfab` value to the `scope` parameter. | | `entity_token` | string | Yes | An **EntityToken.EntityToken** parameter. | | `entity_type` | string | Yes | An **EntityToken.Entity.Type** parameter. Can have only the `title_player_account` value. | | `entity_id` | string | Yes | An **EntityToken.Entity.Id** parameter. | ## Custom storage {% #custom-storage %} Claims that are contained in the token after authentication if you use [custom storage](https://developers.xsolla.com/doc/login/integration-guide/connect-users-storage/). | Claim | Type | Required | Description | |---|---|---|---| | `provider` | string | Yes | Name of a social network used for authentication. If the user authenticates via username and password, the claim has the `xsolla` value. | | `external_account_id` | string | | User ID on your server side. | | `partner_data` | | | Data of any type returned by your server in the response body during authentication. To enable the transmission of this claim, contact your Customer Success Manager or email [csm@xsolla.com](mailto:csm@xsolla.com). | | `social_access_token` | | | Access token of the social network through which the user was authenticated. To enable the transmission of this claim, contact your Customer Success Manager or email [csm@xsolla.com](mailto:csm@xsolla.com). | ## Social authentication {% #social-authentication %} Claims that are contained in the token after authentication via a social network. Presence of these claims does not depend on the user database. | Claim | Type | Required | Description | |---|---|---|---| | `provider` | string | Yes | Name of a social network used for authentication. | | `id` | string | Yes | User ID in a social network. | | `is_cross_auth` | boolean | | Shows that the silent authentication request is in progress. | | `social_access_token` | string | | Social network account `access_token` parameter used for authentication. Contact your Account Manager to set up the feature. | | `picture` | string (URL) | | Link to the user profile picture in a social network. | | `birthday` | date ([RFC3339](https://www.ietf.org/rfc/rfc3339.txt)) | | User birth date in a social network. | | `gender` | string | | User gender in a social network. | | `name` | string | | User nickname in a social network. | ## Authentication via the OAuth 2.0 protocol {% #authentication-via-oauth-protocol %} Claims that are contained in the token after OAuth 2.0 authentication. | Claim | Type | Required | Description | |---|---|---|---| | `jti` | string | Yes | Unique token ID. | ## Authentication via a phone number {% #authentication-via-phone-number %} Claim which is contained in the token after authentication via a phone number. | Claim | Type | Required | Description | |---|---|---|---| | `phone_number` | string | Yes | User's phone number used for authentication. The phone number format based on the country code, area code, and line number without any dividers. | ## Server JWT {% #server-jwt %} The server token is passed in the `X-SERVER-AUTHORIZATION` header. The token payload contains information about resources owned by the OAuth 2.0 client. The token has access to calls with server-based authentication for these resources. | Claim | Type | Required | Description | |---|---|---|---| | `xsolla_login_project_id` | string (UUID) | Yes | ID of a Login project that owns the OAuth 2.0 client. | | `resources` | array | Yes | List of resources owned by an OAuth 2.0 client. Possible types: `publisher_id` — resources of a merchant who owns the Login project; `publisher_project_id` — resources of a project in [Publisher Account](https://publisher.xsolla.com/). Each resource: `name` — resource type; `value` — resource ID. | | `jti` | string | Yes | Unique token ID. | # JWT validation {% #jwt-validation %} To validate the JWT, use the following Login API calls: - [User JWT validate](/api/login/operation/validate-jwt) — for a user token. - [Server JWT validate](/api/login/operation/validate-server-jwt) — for a server token. {% html name="div" attrs={"class": "notice"} %} **Notice** Do not reveal your secret key to anyone. If it was compromised, please update it. {% /html %} # Errors {% #errors %} Refer to the [documentation](/doc/login/references/errors/) for information about Xsolla Login API errors. Version: v1 ## Servers ``` https://login.xsolla.com/api ``` ## Security ### APIKey access key from JWT user token Type: apiKey In: header Name: Authorization ### AttributesBearer Type: apiKey In: header Name: Authorization ### AttributesServer [Server token authorization](/api/login/getting-server-token). Type: apiKey In: header Name: X-SERVER-AUTHORIZATION ### Bearer Bearer authentication. ```Bearer ```. Type: apiKey In: header Name: Authorization ### BearerCallback Bearer authentication. ```Bearer ```. Type: apiKey In: header Name: Authorization ### ExternalBearer Type: apiKey In: header Name: Authorization ### Server [Server token authorization](/api/login/getting-server-token). Type: apiKey In: header Name: X-SERVER-AUTHORIZATION ## Download OpenAPI description [Login API](https://developers.xsolla.com/_bundle/api/login/index.yaml) ## Age restrictions ### Delete age restriction for country - [DELETE /projects/{project_id}/age_rating](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/delete-age-restriction.md): Deletes age restriction for a selected country in a project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### List age restrictions for project - [GET /projects/{project_id}/age_rating](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/list-age-restrictions.md): Returns a list of countries with age restrictions in a project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Create age restriction for country - [POST /projects/{project_id}/age_rating](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/create-age-restriction.md): Creates or updates existing age restriction for a selected country in a project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method.Rate limits for server-side methods are applied to this method. {% /html %} ### Manage age restrictions for countries - [POST /projects/{project_id}/age_rating/batch](https://developers.xsolla.com/api/login/product-configuration-age-restrictions/batch-age-restrictions.md): Updates, deletes, or creates age restrictions for all countries in a project. You may set default restrictions for all countries and set country-specific restrictions, if any. {% html name="div" attrs={"class": "notice"} %} Notice Each new call overrides previous settings. {% /html %} ## Custom email templates ### Get custom email template - [GET /projects/{project_id}/templates/email/{template_id}/{locale}/{template_type}](https://developers.xsolla.com/api/login/custom-email-templates/get-custom-email-template.md): Gets all information about the specific template. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Create custom email template - [POST /projects/{project_id}/templates/email/{template_id}/{locale}/{template_type}](https://developers.xsolla.com/api/login/custom-email-templates/create-custom-email-template.md): Creates an email template with custom structure, styles, and texts. You can add the variables for some texts to the template. To add the relevant texts for these variables, use the Send email based on template call. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update custom email template - [PUT /projects/{project_id}/templates/email/{template_id}/{locale}/{template_type}](https://developers.xsolla.com/api/login/custom-email-templates/update-custom-email-template.md): Updates the specific custom email template. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Switch off welcome email - [DELETE /projects/{project_id}/welcome_email](https://developers.xsolla.com/api/login/custom-email-templates/switch-off-welcome-email.md): Switches off a welcome email. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Switch on welcome email - [POST /projects/{project_id}/welcome_email](https://developers.xsolla.com/api/login/custom-email-templates/switch-on-welcome-email.md): Switches on a welcome email. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Send email based on template - [POST /templates/email/send](https://developers.xsolla.com/api/login/custom-email-templates/send-email-based-on-template.md): Sends an email based on a custom template and data that you provided to the specified email address. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## RSA keys ### Get JSON Web Key Set - [GET /projects/{project_id}/jwks.json](https://developers.xsolla.com/api/login/product-configuration-rsa/json-web-key-set.md): Gets a JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get project keys - [GET /projects/{project_id}/keys](https://developers.xsolla.com/api/login/product-configuration-rsa/get-projects-keys.md): Gets a list of the public RSA project keys. To validate user JWT, choose the library and pass an appropriate public key from the response to this call to the validation function. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Social ### Change settings for connected social provider - [PUT /projects/{project_id}/social/provider_token](https://developers.xsolla.com/api/login/product-configuration-social/put-social-provider-token.md): Configure social provider token in Login JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Change scope settings for connected social provider - [PUT /projects/{project_id}/social/{provider_name}/custom_scope](https://developers.xsolla.com/api/login/product-configuration-social/put-social-provider-custom-scope.md): Manage custom Oauth2 scopes for provider. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## User groups ### Get project groups - [GET /projects/{project_id}/user_groups](https://developers.xsolla.com/api/login/product-configuration-groups/get-project-user-groups.md): Gets a list of user groups in project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Add new group to project - [POST /projects/{project_id}/user_groups](https://developers.xsolla.com/api/login/product-configuration-groups/post-project-user-group.md): Adds a new user group to a project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method.Rate limits for server-side methods are applied to this method. {% /html %} ### Delete group from project - [DELETE /projects/{project_id}/user_groups/{group_id}](https://developers.xsolla.com/api/login/product-configuration-groups/del-project-user-group.md): Deletes a user group. {% html name="div" attrs={"class": "notice"} %} Notice A user group can't be deleted if it contains users. {% /html %} ### Update group name - [PUT /projects/{project_id}/user_groups/{group_id}](https://developers.xsolla.com/api/login/product-configuration-groups/put-project-user-group.md): Changes a user group name. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## Multi-factor authentication ### Get project two-factor authentication settings - [GET /projects/{project_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/get-project-two-factor-authentication-settings.md): Gets project two-factor authentication settings. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update project two-factor authentication settings - [PUT /projects/{project_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/update-project-two-factor-authentication-settings.md): Updates project two-factor authentication settings. The user must confirm the changes by entering a one-time code. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user's two-factor authentication settings - [GET /projects/{project_id}/users/{user_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/get-server-mfa.md): Gets user's two-factor authentication settings. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update user's two-factor authentication settings - [POST /projects/{project_id}/users/{user_id}/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/update-server-mfa.md): Updates user's two-factor authentication settings from server. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user’s two-factor authentication settings - [GET /users/me/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/get-users-two-factor-authentication-settings.md): Gets user’s two-factor authentication settings. You must enable two-factor authentication for the Login project. Contact your Customer Success Manager to enable it. ### Update user’s two-factor authentication settings - [POST /users/me/mfa](https://developers.xsolla.com/api/login/product-configuration-mfa/update-users-two-factor-authentication-settings.md): Updates user’s two-factor authentication settings. The user must confirm the changes by entering a one-time code. The workflow of using this call: 1. The user enables or disables two-factor authentication. 2. The application sends the request to the Xsolla Login server. 3. The Xsolla Login server sends the one-time confirmation code to the user and returns the URL of the two-factor authentication page. 4. The application redirects the user to the URL. 5. The user enters the one-time code. 6. New two-factor authentication settings are applied. You must enable two-factor authentication for the Login project. Contact your Customer Success Manager to enable it. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Webhooks ### Get webhooks for event - [GET /projects/{project_id}/events/{event_type}/webhooks](https://developers.xsolla.com/api/login/webhooks/get-webhooks-for-event.md): Gets the list of webhooks information for the specified type of events. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Add webhook for event - [POST /projects/{project_id}/events/{event_type}/webhooks](https://developers.xsolla.com/api/login/webhooks/add-webhook-for-event.md): Creates a webhook for the specified event. The webhook has the following format: json { "event_type": "Event type", "event_time": "Date and time when the event occurred in the ISO 8601 format", "project_id": "Login project ID", "data": { // Some other data, can be different for different events and include nested objects } } {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Delete webhook for event - [DELETE /projects/{project_id}/events/{event_type}/webhooks/{webhook_id}](https://developers.xsolla.com/api/login/webhooks/delete-webhook-for-event.md): Deletes a webhook with the specified ID. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## User profile ### [OAuth2.0] Resend account confirmation email - [POST /oauth2/user/resend_confirmation_link](https://developers.xsolla.com/api/login/user-profile/oauth-20-resend-account-confirmation-email.md): Resends an account confirmation email to a user. To complete account confirmation, the user should follow the link in the email. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Unban user - [DELETE /projects/{project_id}/users/{user_id}/ban](https://developers.xsolla.com/api/login/user-profile/del-projects-users-ban.md): Removes the ban from the user. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Ban user - [POST /projects/{project_id}/users/{user_id}/ban](https://developers.xsolla.com/api/login/user-profile/post-projects-users-ban.md): Add a ban to the user, either for a specific period or permanently. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update server custom ID for user - [PUT /projects/{project_id}/users/{user_id}/server_custom_id](https://developers.xsolla.com/api/login/user-profile/put-user-custom-id.md): Updates server custom ID for a user. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### [JWT] Resend account confirmation email - [POST /user/resend_confirmation_link](https://developers.xsolla.com/api/login/user-profile/jwt-resend-account-confirmation-email.md): Resends an account confirmation email to a user. To complete account confirmation, the user should follow the link in the email. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Check user age - [POST /users/age/check](https://developers.xsolla.com/api/login/user-profile/check-users-age.md): Checks user’s age for a particular region. The age requirements depend on the region. Service determines the user’s location by the IP address. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user details - [GET /users/me](https://developers.xsolla.com/api/login/user-profile/get-user-details.md): Gets details of the user authenticated by the JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Update user details - [PATCH /users/me](https://developers.xsolla.com/api/login/user-profile/update-user-details.md): Updates the details of the authenticated user by JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get user devices - [GET /users/me/devices](https://developers.xsolla.com/api/login/user-profile/get-users-devices.md): Gets a list of user’s devices. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Link device to account - [POST /users/me/devices/{device_type}](https://developers.xsolla.com/api/login/user-profile/link-device-to-account.md): Links the specified device to the user account. To enable authentication via device ID and linking, use the instruction. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Unlink device from account - [DELETE /users/me/devices/{id}](https://developers.xsolla.com/api/login/user-profile/unlink-device-from-account.md): Unlinks the specified device from the user account. To enable authentication via device ID and unlinking, contact your Customer Success Manager. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get user email - [GET /users/me/email](https://developers.xsolla.com/api/login/user-profile/get-user-email.md): Gets the email of the authenticated user by JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Add username/email auth to account - [POST /users/me/link_email_password](https://developers.xsolla.com/api/login/user-profile/add-username-email-auth-to-account.md): Adds the username/email and password authentication to the existing user account. This call is used if the account is created via device ID or phone number. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get links for social auth - [GET /users/me/login_urls](https://developers.xsolla.com/api/login/user-profile/get-links-for-social-auth.md): Gets links for authentication via the social networks enabled in your Login project > General settings > Social Networks section of Publisher Account. The links are valid for 10 minutes. You can get the link by this call and add it to your button for authentication via the social network. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get user phone number - [GET /users/me/phone](https://developers.xsolla.com/api/login/user-profile/get-user-phone-number.md): Gets the phone number of the authenticated user by JWT. The phone number in this call is used only for passing the two-factor authentication. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Update user phone number - [POST /users/me/phone](https://developers.xsolla.com/api/login/user-profile/update-user-phone-number.md): Updates the phone number of the authenticated user by JWT. The phone number in this call is used only for passing the two-factor authentication. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Delete user phone number - [DELETE /users/me/phone/{phoneNumber}](https://developers.xsolla.com/api/login/user-profile/delete-user-phone-number.md): Deletes the phone number of the authenticated user by JWT. The phone number in this call is used only for passing the two-factor authentication. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Confirmation of request to link phone number to user - [POST /users/me/phone_link/confirm](https://developers.xsolla.com/api/login/user-profile/confirm-phone-number.md): {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} 1. Call the method /users/me/phone_link/request 2. Put your phone number in the body of the request 3. Then u will receive the sms code 4. Call method /users/me/phone_link/confirm with the code ### Request to link phone number to user as new method of authorization - [POST /users/me/phone_link/request](https://developers.xsolla.com/api/login/user-profile/link-phone-number.md): {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} 1. Call the method /users/me/phone_link/request 2. Put your phone number in the body of the request 3. Then u will receive the sms code 4. Call method /users/me/phone_link/confirm with the code ### Delete user picture - [DELETE /users/me/picture](https://developers.xsolla.com/api/login/user-profile/delete-user-picture.md): Deletes the profile picture of the authenticated user by JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Upload user picture - [POST /users/me/picture](https://developers.xsolla.com/api/login/user-profile/upload-user-picture.md): Uploads the profile picture of the authenticated user by JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Account linking ### Create code for linking accounts - [POST /users/account/code](https://developers.xsolla.com/api/login/account-linking/create-code-for-linking-accounts.md): Creates the code for linking the platform account to the existing main account when the user logs in to the game via a gaming console. The call is used with Link accounts by code request. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Link accounts by code - [POST /users/account/link](https://developers.xsolla.com/api/login/account-linking/link-accounts-by-code.md): Links the platform account to the existing main account by the code. To link accounts, the game server uses this call with the response from the Create code for linking accounts request. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Link user IDs via external ID - [POST /users/account/link_external_id](https://developers.xsolla.com/api/login/account-linking/link-user-ids-via-external-id.md): Links a user from your game to a user from your Login project via an external ID. You will not be able to link the same external ID to different users and update the external ID of a user if they already have it. You can find an external ID in: * a user JWT after successful authentication as a value of the external_account_id claim, * a response of the Get user details call as a value of the external_id parameter. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## Password reset ### Confirm password reset - [POST /password/reset/confirm](https://developers.xsolla.com/api/login/password-reset/confirm-password-reset.md): Confirms the user password reset. You can reset user password if you use Login widget forms or your own password reset forms. If you use your own forms, contact your Customer Success Manager and specify the URL of your password reset form. The workflow of using this call with your own forms: 1. The application opens a form so the user can enter their email or username. 2. The user enters their email or username. 3. The application sends the Reset password request to the Xsolla Login server. 4. The Xsolla Login server sends a confirmation email to the user. 5. The user follows the link in the email and proceeds to the form for setting a new password. 6. The user enters a new password and clicks Set new password. 7. The application or Login widget sends this request to the Xsolla Login server. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Reset password - [POST /password/reset/request](https://developers.xsolla.com/api/login/password-reset/reset-password.md): Resets the user password with user confirmation. If the user data is kept in the Xsolla data storage or on your side, users receive a password change confirmation email. If the user data is kept in the PlayFab storage, password reset is done on PlayFab’s side. To get more information, see the Comparison of user data storages page. The workflow of using this call: 1. The application opens a form so the user can enter their email or username. 2. The user enters their email or username. 3. The application sends this request to the Xsolla Login server. 4. The Xsolla Login server sends a confirmation email to the user. 5. The user follows the link in the email and proceeds to the form for setting a new password. 6. The user enters a new password and clicks Set new password. 7. The application sends the Confirm password reset request to the Xsolla Login server. If you use your own password reset form, use the Confirm password reset call to reset the user password. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## User search ### Get user by ID for project - [GET /projects/{project_id}/users](https://developers.xsolla.com/api/login/search/get-user-for-project.md): Gets user data by user ID. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Search users - [GET /projects/{project_id}/users/search](https://developers.xsolla.com/api/login/search/search-users-by-filter.md): Searches users by criteria. Returns results with pagination and ordering. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user by ID - [GET /projects/{project_id}/users/search/by_id/{user_id}](https://developers.xsolla.com/api/login/search/get-user.md): Gets user data by user ID. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get social profiles - [GET /projects/{project_id}/users/{user_id}/social_profile](https://developers.xsolla.com/api/login/search/get-all-users-social-profiles.md): Gets all user's social profiles. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user IDs by social ID and platform - [POST /users/linking_info](https://developers.xsolla.com/api/login/search/get-users-ids-by-social-id-and-platform.md): The call will return: * user ID if the user has linked the main account. * user ID if the user has linked the platform account. * xl_uid=null if the user does not have a linked account. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Search users by nickname - [GET /users/search/by_nickname](https://developers.xsolla.com/api/login/search/search-users-by-nickname.md): Searches users by the nickname parameter and gets a list of them. Search can be performed instantly when the user starts entering the search parameter. The workflow of using this call: 1. The user enters a nickname or tag, or nickname and tag. 2. The Xsolla Login server searches for users in the Login project data of the user who initiated a search. The current user can execute this call only one time per second. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Social networks ### Get linked networks - [GET /users/me/social_providers](https://developers.xsolla.com/api/login/social-networks/get-linked-networks.md): Gets a list of the social networks linked to the user account. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Delete linked network - [DELETE /users/me/social_providers/{providerName}](https://developers.xsolla.com/api/login/social-networks/delete-linked-networks.md): Deletes social network linked to the user account. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Link social network to account - [GET /users/me/social_providers/{providerName}/login_redirect](https://developers.xsolla.com/api/login/social-networks/link-social-network-to-account.md): Links the social network, which is used by the player for authentication, to the user account. The linking flow: 1. The user authenticates on the game website. 2. The UI offers to link the social network to the user account. 3. The Xsolla Login server redirects the user to the social network. 4. The user authenticates in the social network. 5. The Xsolla Login server links the social network to the user account. 6. The Xsolla Login server redirects the user to the game website. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get URL to link social network to account - [GET /users/me/social_providers/{providerName}/login_url](https://developers.xsolla.com/api/login/social-networks/get-url-to-link-social-network-to-account.md): Gets the URL to link the social network to the user’s account. The social network should be used for authentication. The linking flow: 1. The user authenticates on the game website. 2. The UI offers to link the social network to the user account. 3. The Xsolla Login server returns social network URL. 4. The game website redirects the user to the social network. 5. The user authenticates in the social network. 6. The Xsolla Login server links the social network to the user account. 7. The Xsolla Login server redirects the user to the game website. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## User friends ### Get user friends - [GET /users/me/relationships](https://developers.xsolla.com/api/login/user-friends/get-users-friends.md): Gets a list of users added as friends of the authenticated user. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Update user friends - [POST /users/me/relationships](https://developers.xsolla.com/api/login/user-friends/update-users-friends.md): Updates the friend list of the authenticated user. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get social account friends - [GET /users/me/social_friends](https://developers.xsolla.com/api/login/user-friends/get-social-account-friends.md): Gets a list of user’s friends from a social provider. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Update social account friends - [POST /users/me/social_friends/update](https://developers.xsolla.com/api/login/user-friends/update-social-account-friends.md): Begins data processing to update a list of user’s friends from a social provider. Note that there may be a delay in data processing because of the Xsolla Login server or provider server high loads. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get user public profile - [GET /users/{user_id}/public](https://developers.xsolla.com/api/login/user-friends/get-user-public-profile.md): Gets the user information from their public profile by the user ID. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## User groups ### Delete user groups - [DELETE /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/delete-user-groups.md): Deletes user groups. {% html name="div" attrs={"class": "notice"} %} Notice A Default group cannot be passed to this method.This method automatically updates user tags in Mailchimp if you have connected it.Rate limits for server-side methods are applied to this method. {% /html %} ### Get user groups - [GET /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/get-user-groups.md): Gets all user's groups. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update user groups - [PATCH /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/update-user-groups.md): Updates user's groups. {% html name="div" attrs={"class": "notice"} %} Notice Pass IDs of all groups where the users should be, other groups will be automatically deactivated for this user.This method automatically updates user tags in Mailchimp if you have connected it.Rate limits for server-side methods are applied to this method. {% /html %} ### Manage groups for user - [PUT /projects/{project_id}/users/{user_id}/user_groups](https://developers.xsolla.com/api/login/user-management-groups/manage-user-groups.md): Manages groups for a user. A default group cannot be passed to this method. {% html name="div" attrs={"class": "notice"} %} Notice A Default group cannot be passed to this method.This method automatically updates user tags in Mailchimp if you have connected it.Rate limits for server-side methods are applied to this method. {% /html %} ## Export/Import ### Export user data - [POST /projects/{project_id}/export_users](https://developers.xsolla.com/api/login/bulk-user-management/export-users.md): Exports user data (personal information and attributes) from the Login project to an archive of CSV files. You will receive the archive of user data to the specified email address. The call can be requested 1 time per hour. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Import user data - [POST /projects/{project_id}/user_import](https://developers.xsolla.com/api/login/bulk-user-management/upload-import-file.md): Imports user data from a CSV format file to the Login project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## Via server custom ID ### [JWT] Auth by custom ID - [POST /users/login/server_custom_id](https://developers.xsolla.com/api/login/server-custom-id/auth-by-custom-id.md): Authenticates a user by a particular custom ID. If the user does not exist, they are created. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## User and server token management ### [OAuth2.0] Generate JWT - [POST /oauth2/token](https://developers.xsolla.com/api/login/token-management/generate-jwt.md): Use this call: * To get a user JWT. * To refresh the JWT when it expires. Works only if scope=offline is passed in the registration or authentication call. * To get a server JWT. The user participation isn’t needed. * To exchange user JWT for a new one with different scope. Usage of this call depends on the value of the grant_type parameter. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth2.0] Revoke Token - [POST /oauth2/token/revoke](https://developers.xsolla.com/api/login/token-management/revoke-jwt.md): Revokes an obtained access token {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Validate Server JWT - [POST /server/token/validate](https://developers.xsolla.com/api/login/token-management/validate-server-jwt.md): Validates a server JWT. Checks the following criteria: - the lifetime of the token - existence of the Login project - presence of an authentic signature from the login.xsolla.com server - value of the request_type field: gateway_token {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Validate user JWT - [POST /token/validate](https://developers.xsolla.com/api/login/token-management/validate-jwt.md): Validates a user JWT based on the following criteria: - the lifetime of the token - existence of the Login project - presence of an authentic signature from the login.xsolla.com server - user existence - Validates the user JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Via device ID ### [JWT] Auth via device ID - [POST /login/device/{device_type}](https://developers.xsolla.com/api/login/device-id/jwt-auth-via-device-id.md): Authenticates a user via a particular device ID. To enable silent authentication, use the instruction. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth2.0] Auth via device ID - [POST /oauth2/login/device/{device_type}](https://developers.xsolla.com/api/login/device-id/oauth-20-auth-via-device-id.md): Authenticates a user via a particular device ID. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Via social networks ### [OAuth 2.0] Auth via social network - [GET /oauth2/social/{provider_name}/login_redirect](https://developers.xsolla.com/api/login/social-login/oauth-20-auth-via-social-network.md): Redirects the user to the page for authentication via the specified social network. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0] Get link for social auth - [GET /oauth2/social/{provider_name}/login_url](https://developers.xsolla.com/api/login/social-login/oauth-20-get-link-for-social-auth.md): Gets the link for authentication via the social network. The link is valid for 10 minutes. You can get the link by this call and add it to your button for authentication via a social network. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0] Auth via access token of social network - [POST /oauth2/social/{provider_name}/login_with_token](https://developers.xsolla.com/api/login/social-login/oauth-20-auth-via-access-token-of-social-network.md): Authenticates the user with the access token using social network credentials. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Auth via social network - [GET /social/{provider_name}/login_redirect](https://developers.xsolla.com/api/login/social-login/jwt-auth-via-social-network.md): Redirects the user to the page for authentication via the specified social network. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Get link for social auth - [GET /social/{provider_name}/login_url](https://developers.xsolla.com/api/login/social-login/jwt-get-link-for-social-auth.md): Gets the link for authentication via the social network. The link is valid for 10 minutes. You can get the link by this call and add it to your button for authentication via the social network. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Auth via access token of social network - [POST /social/{provider_name}/login_with_token](https://developers.xsolla.com/api/login/social-login/jwt-auth-via-access-token-of-social-network.md): Authenticates the user with the access token using social network credentials. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Refresh social tokens in JWT - [POST /social/{provider_name}/refresh_token](https://developers.xsolla.com/api/login/social-login/jwt-refresh-social-token.md): Refreshes social token by social refresh token from JWT. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Cross-platform ### [OAuth 2.0] Silent authentication - [GET /oauth2/social/{oauth2_cross_social_provider_name}/cross_auth](https://developers.xsolla.com/api/login/cross-platform/oauth-20-silent-authentication.md): Exchanges a platform-specific authentication credential (a session ticket/exchange code/authorization token) from Epic Games, Steam, or Xbox for the JWT in your project (projectId). You will get the link to redirect the user to your project. To enable silent authentication, use the instruction. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Silent authentication - [GET /social/{cross_social_provider_name}/cross_auth](https://developers.xsolla.com/api/login/cross-platform/jwt-silent-authentication.md): Exchanges a platform-specific authentication credential (a session ticket/exchange code/authorization token) from Epic Games, Steam, or Xbox for the JWT in your project (projectId). You will get the link to redirect the user to your project. To enable silent authentication, use the instruction. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Classic (with password) ### [JWT] Auth by username and password - [POST /login](https://developers.xsolla.com/api/login/login-and-password/auth-by-username-and-password.md): Authenticates the user by the username/email and password specified. ### [OAuth 2.0] Auth by username and password - [POST /oauth2/login](https://developers.xsolla.com/api/login/login-and-password/oauth-20-auth-by-username-and-password.md): Authenticates the user by the username/email and password specified. To finish user authentication, get the user JWT by sending the Generate JWT request. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0] JWT auth by username and password - [POST /oauth2/login/token](https://developers.xsolla.com/api/login/login-and-password/jwt-auth-by-username-and-password.md): Authenticates the user by the username/email and password and returns a JWT. Exchanging the code to a JWT via the Generate JWT call is not needed. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth2.0] Register new user - [POST /oauth2/user](https://developers.xsolla.com/api/login/login-and-password/oauth-20-register-new-user.md): Creates a new user. * If you store user data at Xsolla or in custom storage, the user will receive an account confirmation email. * If you store user data at PlayFab, you can set up sending the account confirmation email to the user. Use the PlayFab instruction for this. * If you store user data at Firebase, the user will receive an account confirmation message from Firebase side. See the Comparison of user data storages page for more information about user data storages. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Register new user - [POST /user](https://developers.xsolla.com/api/login/login-and-password/jwt-register-new-user.md): Creates a new user. * If you store user data at Xsolla or custom storage, the user will receive an account confirmation message. If you store user data at PlayFab, the user will not* receive an account confirmation message. * If you store user data at Firebase, the user will receive an account confirmation message from Firebase side. See the Comparison of user data storages page for more information about user data storages. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Passwordless ### [JWT] Complete auth by email - [POST /login/email/confirm](https://developers.xsolla.com/api/login/passwordless/jwt-complete-auth-by-email.md): Completes authentication by the user email address and a confirmation code. The code lifetime is 3 minutes. This call is used only with the Start auth by email call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their email address. 2. The user enters their email address. 3. The application sends the Start auth by email request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link. b. If the parameter send_link is false or not passed, the email will contain the confirmation code only. 4. The Xsolla Login server sends the email and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends this request to the Xsolla Login server with the received ID. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Start auth by email - [POST /login/email/request](https://developers.xsolla.com/api/login/passwordless/jwt-start-auth-by-email.md): Starts authentication by the user email address and sends a confirmation code to their email address. The code lifetime is 3 minutes. This call is used only with the Complete auth by email call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their email address. 2. The user enters their email address. 3. The application sends this request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link. b. If the parameter send_link is false or not passed, the email will contain the confirmation code only. 4. The Xsolla Login server sends the email and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the linke. 7. The application sends the Complete auth by email request with the received ID to the Xsolla Login server. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Complete auth by phone number - [POST /login/phone/confirm](https://developers.xsolla.com/api/login/passwordless/jwt-complete-auth-by-phone-number.md): Completes authentication by the user phone number and a confirmation code. The code lifetime is 3 minutes. This call is used only with the Start auth by phone number call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their phone number. 2. The user enters their phone number. 3. The application sends the Start auth by phone number request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link. b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only. 4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends this request to the Xsolla Login server. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [JWT] Start auth by phone number - [POST /login/phone/request](https://developers.xsolla.com/api/login/passwordless/jwt-start-auth-by-phone-number.md): Starts authentication by the user phone number and sends a confirmation code to their phone number. The code lifetime is 3 minutes. This call is used only with the Complete auth by phone number call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their phone number. 2. The user enters their phone number. 3. The application sends this request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link. b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only. 4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends the Complete auth by phone number request with the received ID to the Xsolla Login server. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth2.0] Complete auth by email - [POST /oauth2/login/email/confirm](https://developers.xsolla.com/api/login/passwordless/oauth-20-complete-auth-by-email.md): Completes authentication by the user email address and a confirmation code. The code lifetime is 3 minutes. This call is used only with the Start auth by email call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their email address. 2. The user enters their email address. 3. The application sends the Start auth by email request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link. b. If the parameter send_link is false or not passed, the email will contain the confirmation code only. 4. The Xsolla Login server sends the email and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends this request to the Xsolla Login server with the received ID. 8. The user is considered as authorized. ### [OAuth2.0] Start auth by email - [POST /oauth2/login/email/request](https://developers.xsolla.com/api/login/passwordless/oauth-20-start-auth-by-email.md): Starts authentication by the user email address and sends a confirmation code to their email address. The code lifetime is 3 minutes. This call is used only with the Complete auth by email call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their email address. 2. The user enters their email address. 3. The application sends this request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make email contain the confirmation code and link. b. If the parameter send_link is false or not passed, the email will contain the confirmation code only. 4. The Xsolla Login server sends the email and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends the Complete auth by email request with the received ID to the Xsolla Login server. 8. The user is considered as authorized. ### [OAuth2.0] Complete auth by phone number - [POST /oauth2/login/phone/confirm](https://developers.xsolla.com/api/login/passwordless/oauth-20-complete-auth-by-phone-number.md): Completes authentication by the user phone number and a confirmation code. The code lifetime is 3 minutes. This call is used only with the Start auth by phone number call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their phone number. 2. The user enters their phone number. 3. The application sends the Start auth by phone number request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link. b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only. 4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends this request to the Xsolla Login server. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth2.0] Start auth by phone number - [POST /oauth2/login/phone/request](https://developers.xsolla.com/api/login/passwordless/oauth-20-start-auth-by-phone-number.md): Starts authentication by the user phone number and sends a confirmation code to their phone number. The code lifetime is 3 minutes. This call is used only with the Complete auth by phone number call. The workflow of using this call: 1. The application opens an authentication form so the user can enter their phone number. 2. The user enters their phone number. 3. The application sends this request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send the Get confirmation code request to make SMS contain the confirmation code and link. b. If the parameter send_link is false or not passed, the SMS will contain the confirmation code only. 4. The Xsolla Login server sends the SMS and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends the Complete auth by phone number request with the received ID to the Xsolla Login server. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get confirmation code - [GET /otc/code](https://developers.xsolla.com/api/login/passwordless/get-confirmation-code.md): Waits until the user follows the link provided via email or SMS and returns the confirmation code for authentication. If you sent this call and after 20 seconds you didn't get the code, there was an error. In this case, resend the call immediately. The code lifetime is 3 minutes. The workflow of using this call: 1. The application opens an authentication form so the user can enter their email address. 2. The user enters their email address. 3. The application sends the Start auth by email or phone number (JWT or OAuth 2.0) request to the Xsolla Login server: a. If the parameter send_link is true, after this request, you should send this same request to make email or SMS contain the confirmation code and link. b. If the parameter send_link is false or not passed, the email will contain the confirmation code only. 4. The Xsolla Login server sends an email or SMS to the user and returns the ID of the confirmation code. 5. The application shows a field so the user can fill in the confirmation code. 6. The user enters the received confirmation code or follows the link. 7. The application sends the Complete auth by email or phone number (JWT or OAuth 2.0) request with the received ID to the Xsolla Login server. 8. The user is considered as authorized. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Register new user from server - [POST /users](https://developers.xsolla.com/api/login/passwordless/register-new-user-from-server.md): Creates a new user with requested body parameters. These parameters are set as confirmed. Combination of parameters passed to the body must include at least email or phone_number parameter. The call is used only if you set up Xsolla storage. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## SSO ### OAuth 2.0 authorize - [GET /oauth2/auth](https://developers.xsolla.com/api/login/sso/oauth2-authorize.md): Checks the presence of a valid SSO session. Redirects to the URL passed in the redirect_url parameter with an authorization code. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0] Clear SSO - [GET /oauth2/clear_sso](https://developers.xsolla.com/api/login/sso/clear-sso-cookie.md): Deletes user's SSO cookie for given project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0] Log user out - [GET /oauth2/logout](https://developers.xsolla.com/api/login/sso/log-user-out.md): Logs the user out and deletes the user session according to the value of the sessions parameter. Call the Check user authentication call to see if the user is logged in. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0] Check user authentication - [GET /oauth2/sso](https://developers.xsolla.com/api/login/sso/check-user-authentication.md): Checks if a user has already logged in via a service. If they have, you will receive an OAuth 2.0 authorization code without user participation. Used in Single Sign-on. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## OAuth 2.0 consent management ### [OAuth 2.0] Save consent for OAuth 2.0 - [POST /oauth2/consent](https://developers.xsolla.com/api/login/consent-management/oauth2-save-consent.md): Saves the user's consent to the application of certain scopes for a specific OAuth 2.0 client. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### [OAuth 2.0]Check consent for OAuth 2.0 - [POST /oauth2/consent/validate](https://developers.xsolla.com/api/login/consent-management/oauth2-check-consent.md): Checks if the user gave consent to the application of the user data collection scope for a specific OAuth 2.0 client. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Client-side ### Get attributes by server custom IDs - [POST /attributes/custom_id/get](https://developers.xsolla.com/api/login/attributes-client/get-attributes-by-server-custom-id.md): Gets a list of particular user’s attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user attributes from client - [POST /attributes/users/me/get](https://developers.xsolla.com/api/login/attributes-client/get-users-attributes-from-client.md): Gets a list of particular user’s attributes. Returns only attributes with the client value of attr_type parameter. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Get read-only user attributes from client - [POST /attributes/users/me/get_read_only](https://developers.xsolla.com/api/login/attributes-client/get-users-read-only-attributes-from-client.md): Gets a list of particular user’s read-only attributes. Returns only attributes with the server value of the attr_type parameter, which was set only for reading. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ### Update user attributes from client - [POST /attributes/users/me/update](https://developers.xsolla.com/api/login/attributes-client/update-users-attributes-from-client.md): Updates and creates particular user’s attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for client-side methods are applied to this method. {% /html %} ## Server-side ### Get users by attribute from server - [POST /attributes/users/get](https://developers.xsolla.com/api/login/attributes-server/get-users-by-attribute-from-server.md): Gets a list of users by an attribute. Returns a list of the users’ IDs, their emails, and the attributes that were specified in the key object of the request. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get user attributes from server - [POST /attributes/users/{user_id}/get](https://developers.xsolla.com/api/login/attributes-server/get-users-attributes-from-server.md): Gets user’s attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get read-only user attributes from server - [POST /attributes/users/{user_id}/get_read_only](https://developers.xsolla.com/api/login/attributes-server/get-users-read-only-attributes-from-server.md): Gets a list of user’s read-only attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update user attributes from server - [POST /attributes/users/{user_id}/update](https://developers.xsolla.com/api/login/attributes-server/update-users-attributes-from-server.md): Updates and creates user’s attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update user read-only attributes from server - [POST /attributes/users/{user_id}/update_read_only](https://developers.xsolla.com/api/login/attributes-server/update-users-read-only-attributes-from-server.md): Updates and creates user’s read-only attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update user attributes from server by server custom ID - [POST /projects/{project_id}/server_custom_id/{server_custom_id}/attributes](https://developers.xsolla.com/api/login/attributes-server/update-users-attributes-from-server-by-server-custom-id.md): Updates and creates user attributes by user ID on your server (server_custom_id). {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get attributes by user ID - [GET /projects/{project_id}/users/{user_id}/attributes](https://developers.xsolla.com/api/login/attributes-server/get-attributes-by-user-id.md): Gets a list of user’s attributes. Returns only attributes values for user by his ID. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ## Validation schema ### Delete schema - [DELETE /project/{project_id}/attribute_schema](https://developers.xsolla.com/api/login/attributes-schema/delete-attributes-schema.md): Deletes JSON Schema of user attributes from the Login project. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Get schema - [GET /project/{project_id}/attribute_schema](https://developers.xsolla.com/api/login/attributes-schema/get-attributes-schema.md): Gets JSON Schema of user attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %} ### Update schema - [PUT /project/{project_id}/attribute_schema](https://developers.xsolla.com/api/login/attributes-schema/put-attributes-schema.md): Updates JSON Schema of user attributes. {% html name="div" attrs={"class": "notice"} %} Notice Rate limits for server-side methods are applied to this method. {% /html %}