Getting started

Overview

Xsolla API includes:

Pay Station API — payment UI and tokenization methods.
Shop Builder API — methods for working with Shop Builder module.
Subscriptions API — methods for Subscriptions.
Login API — methods for user authentication using your own interface (see integration guide).

Xsolla API uses the REST architecture. The API has predictable, resource-oriented URLs and uses HTTP response codes to indicate API errors. The API always responds in the JSON format, including in case of errors.

The API uses built-in HTTP features such as HTTP authentication and HTTP verbs, which can be interpreted by off-the-shelf HTTP clients. It also supports cross-origin resource sharing, allowing you to access it securely from a client web application.

Xsolla API uses the following endpoint paths:

https://api.xsolla.com — Pay Station API, Subscriptions API
https://login.xsolla.com/api — Login API
https://store.xsolla.com/api — Shop Builder API

Most endpoint paths include the merchant_id parameter. This indicates that the requesting application is running on your behalf.

Requests and responses

The requests to Xsolla API must:

be sent over HTTPS,
use TLS 1.2 or higher,
contain authentication parameters,
contain an additional header: Content-Type: application/json for PUT and POST requests.

Copy

Full screen

Small screen

Authorization: Basic <your_authorization_basic_key>
Content-Type: application/json

By default, all requests return a response with JSON data in the body and Content-Type: application/json in the header.

API changes

Xsolla may change the API functionality as follows:

Add new API resources
Add optional request parameters
Add new properties to existing API responses
Add new values for existing parameters with enumerable values
Add new webhook types and JSON parameters
Add optional HTTP request headers
Reject any request in which valid parameters contain invalid values
Reject improperly formed requests that were previously accepted due to lenient parsing, if the parsing logic is changed
Add, change, or remove undocumented functionality at any time

Your client should remain functional regardless of such changes. For example, new JSON parameters that aren’t recognized by your client should not hinder its normal operation.

Versioning

All Xsolla API methods support versioning. We will issue a new version every time there are changes incompatible with the current version. The version is identified by “v1”/“v2”/etc. following the “/merchant” prefix in the URL. If this is your first time working with the API, use the latest version. If you omit the version, we will use the first version by default.

Keep in mind that we can only guarantee API integrity within the same version.

Authentication

Xsolla API uses the following authentication types:

Basic access authentication. Such requests to API must contain the Authorization: Basic <your_authorization_basic_key> header, where <your_authorization_basic_key> is the merchant ID:API key pair, encoded according to the Base64 standard. Go to Publisher Account to find these parameters:
- Merchant ID is shown:
  - In the Company settings > Company section.
  - In the URL in the browser address bar on any Publisher Account page. The URL has the following format: https://publisher.xsolla.com/<merchant_ID>/.
- API key is shown in Publisher Account only once when it is created and must be stored on your side. You can create a new key in the following section:
  - Company settings > API keys.
  - Project settings > API keys.
Authentication using the user JWT. Such requests to API must contain the Authorization: Bearer <user_JWT> header, where <user_JWT> is the user token.
Authentication using the server JWT. Such API methods must contain the X-SERVER-AUTHORIZATION: <server_JWT> header, where <server_JWT> is the server token.
Without authentication.

For more information about working with API keys, see the API reference.

Key recommendations:

Save the generated API key on your side. You can view the API key in Publisher Account only once when it is created.
Keep your API key a secret. It provides access to your personal account and your projects in Publisher Account.
The API key must be stored on your server and never in binaries or on the frontend.

If an API call you need does not contain the project_id path parameter, use the API key that is valid in all the company’s projects to set up authorization.

API calls by interaction model

When integrating Xsolla products via the Xsolla API, it’s important to use the API calls according to their intended use:

Client-side API calls — API calls for interaction between the client part of the partner’s application and the Xsolla server. User actions on the client initiate the request of these API calls. Example of client-side API calls: getting a list of items, user authentication, obtaining a payment token on the client.
Server-side API calls — API calls for interaction between the partner’s server and the Xsolla server, which are intended for the following tasks:
- Implementation of the user flow.
  User actions on the client trigger the invocation of the partner’s client-side API call, and then the Xsolla server-side API call is invoked on the partner’s server. Examples of server API calls for implementing the user flow: updating user attributes on the server, obtaining a payment token on the server.
- Administrative tasks, or setup of Xsolla products by the partner.
  User actions on the client cannot initiate a call to these methods. Examples of admin server API calls: creating and editing an item or promotion.

A correctly configured integration helps avoid the most common errors:

Exceeding rate limits:
- The rate limits for server-side API calls are stricter than for client-side API calls.
- The rate limits for administrator server-side API calls are stricter than for user flow implementation API calls.
Receiving irrelevant information in response. For example, when using server-side API calls of getting a list of items for the administrator instead of client-side API calls of getting a list of items to build a catalog.
Unauthorized data changes by users. For example, when using client-side API calls to update attributes instead of server-side API calls.
Incorrect country and currency determination in the payment interface.

	Client-side	Server-side
	Client-side	For implementation of the user flow	For administrative tasks
Interaction	Client-to-server. The request is sent from the game client directly to the Xsolla server.	Server-to-server. The request is sent from the game client to the game server, then from the game server to the Xsolla server.	Server-to-server. The request is sent from server of the partner’s system to the Xsolla server.
Authentication	JSON web token (JWT) of the user or without authentication.	Basic access authentication or server JWT.	Basic access authentication.
Rate limits	Can withstand high load.	Can withstand high load.	Designed for partner use only, so these API calls have low performance requirements and strict rate limits.
User access	API calls are used on the client side, which allows data to quickly be displayed to the user. For example, an item catalog or user attributes — the number of purchases or the level in the game. All the data is openly accessible in the client’s code. Do not use these API calls to work with data that should not be available to the user for editing. For example, to update user attributes.	API calls are used for interaction between servers, so the user does not have access to the data. Use these API calls to work with data that the user cannot modify.	API calls are not used to implement the user flow.
Country and currency determination	The country and currency are determined by the client’s IP address from which the request is sent. Therefore, it is important to use these API calls on the client side, not the server.	The country and currency are determined by the server’s IP address from which the request is sent. Therefore, it is important to pass the user’s country/currency data in the header or parameter in accordance with the description in the API call used.	API calls are not used to implement the user flow.

You can determine whether an API call is client or server-side by the scheme of authentication:

Client-side — are called without authentication or with the Authorization header: Bearer <user_JWT> header, where <user_JWT> — is the user token.
Server-side API calls for implementing the user flow — are called with the header:
- X-SERVER-AUTHORIZATION: <server_JWT>, where <server_JWT> — is the server token.
- Authorization: Basic <your_authorization_basic_key>, where <your_authorization_basic_key> — project_id:api_key pair, encoded according to the Base64 standard.
Server-side API calls for administrative tasks — are called with the Authorization: Basic <your_authorization_basic_key> header, where <your_authorization_basic_key> — project_id:api_key pair, encoded according to the Base64 standard.

Example of a server-side API calls with server-side authentication:

Example of a client-side API calls with client-side authentication:

Depending on your requirements, you can choose how to set up the integration when implementing the user flow — with server-side or client-side API calls. Server administrative API calls should not be used to implement user flow.

Implementation example of a user flow using client-side API calls:

The user performs actions on the client. For example: fills the cart, makes an item purchase.
The game client sends a request with data to the Xsolla server.
The Xsolla server sends a response to the game client.
The game client displays the result to the user.

In this flow, authentication via user JWT is used.

Example of implementing a user flow using server-side API calls:

The user performs actions on the client. For example: fills the cart, makes an item purchase.
The game client sends a request to the game server.
If necessary, the partner implements additional data processing on the game server.
The game server sends a request to the Xsolla server.
The Xsolla server sends a response to the game server.
The game server processes the data and sends a response to the game client.
The game client displays the result to the user.

In this flow, basic access authentication or a server token is used.

Interaction flow when using server-side admin API calls:

The partner sends a request from the client or server of their application to the Xsolla server.
The Xsolla server returns a response with the result of processing the request.

In this flow, basic access authentication is used.

Endpoint types

The type of an endpoint indicates what kind of data it handles and what action it performs on it. The most common actions are:

Action	HTTP method	Description
Create	`POST`	Creates and saves an entity of the specified type.
List	`GET`	Returns a list of entities matching the query. To get details on an entity, first find out its ID using the corresponding List endpoint, and then provide this ID to the corresponding Retrieve endpoint.
Retrieve	`GET`	Provides details on the entity with the specified ID.
Replace	`PUT`	Modifies all fields of the entity with the specified ID.
Update	`PATCH`	Modifies specified fields of the entity with the specified ID.
Delete	`DELETE`	Deletes the entity with the specified ID.

Date format

All dates are specified as strings according to ISO 8601. You can specify date strings either in UTC (e.g., 2013-01-15T00:00:00Z), or indicating the UTC offset (e.g., 2013-01-15T00:00:00-08:00 for eight hours behind UTC). In the latter case, make sure to take into account the daylight saving time, if applicable.

Pagination

List endpoints might paginate the results they return. This means that, instead of returning all results in a single response, these endpoints might return some of the results, along with a response header that links to the next set of results. For this purpose we use offset and limit parameters.

Errors handling

List of supported HTTP errors:

200, 201, 204 — No error
400 Bad Request — This often indicates a required parameter missing. Refer to the response body for details
401 Unauthorized — No valid API key provided
402 Request Failed — Request failed despite valid parameters
403 Forbidden — No permission. Refer to the response body for details
404 Not Found — The requested item doesn’t exist
409, 422 — Invalid request parameters
412 Precondition Failed — The project has not been activated yet (used in the Create token method)
415 Unsupported Media Type — Content-Type: application/json missing in HTTP header
500, 502, 503, 504 Server Errors — Something went wrong

Xsolla uses conventional HTTP response codes to indicate whether the API request was successful. In general, 2xx indicates success, 4xx indicates an error in the provided information (e.g., a required parameter missing, failed authorization, etc.), and 5xx indicates a problem with Xsolla’s servers. But not all errors perfectly match HTTP response codes. For example, if a request was valid but failed, the API will return the 422 error code. All API error responses provide a JSON object with the following fields:

Name	Type	Description
http_status_code	integer	HTTP code.
message	string	A human-readable message describing the error. This message is always in English. Do not rely on this value for any particular error, because it might change in the future.
extended_message	string	More detailed error description.
request_id	string	Unique request ID that might be used for troubleshooting.

Copy

Full screen

Small screen

{
    "http_status_code": 500,
    "message": "Internal Server Error",
    "extended_message": null,
    "request_id": "6445b85"
}

Rate limits

General information

To avoid overloading Xsolla systems and protect them from bursts of incoming traffic, Xsolla limits the number of requests received by the Xsolla API within a specified period of time. If the limit is exceeded, the Xsolla API returns an HTTP response with the 429 status code. Limits vary by method, project, and other factors. The current limits are updated regularly to ensure the stable and uninterrupted operation of Xsolla systems. In some cases, it is possible to adjust the specified limits upon prior request. You can contact your Customer Success Manager or email csm@xsolla.com to submit a request.

Common causes of exceeding rate limits

A sudden increase in traffic on the partner’s side as a result of:
- seasonal sales
- start of closed and open testing
Sudden increase in traffic as a result of DDoS attacks on the partner’s side.
Incorrectly configured integration, for example:
- using the Admin subsection’s methods that are not intended for frequent use instead of the Catalog subsection’s methods
- frequent call of the Get order method to get the status of an order and the list of items in it. For example: 1 per second when the recommended delay between requests should be 3 seconds
Launching an excessively large number of requests in a given period. For example: more than 200 calls per second to the Get virtual items list method to display an item catalog.

Rate limits handling

To prevent errors caused by rate limits, we recommend that you:

Track the 429 status codes and create a retry mechanism. You can use the Retry pattern with fixed or exponential backoff between retries instead of continuous retries.
Optimize code to get only required data. Make sure you only make requests that your application requires and avoid any unnecessary API calls. If you are using the Shop Builder API, you can use the WebSocket API to reduce the number of calls.
Cache data that is frequently used by your application. You can keep the static data on your side and reduce the number of requests to the external API.
Prevent DDoS attacks that can break your API.
Adjust the rate of your requests for a smoother distribution. If the 429 error occurs regularly, consider including a process in your code that regulates the rate of your requests and allows them to be distributed more evenly.

API keys

An API key is a unique key that is used for user data encryption and API request authentication. In Publisher Account, you can create API keys for all the projects of the company and an individual project.

API keys that are valid in all the company’s projects are not displayed on the pages of individual projects.

You can work with API keys (view the list, create, and delete) if you have one of the following roles:

developer
owner

Only a project owner can change roles in Publisher Account in the Company settings > Users section.

Create API key

To create an API key:

Open Publisher Account.
Go to the Company settings > API keys or Project settings > API keys section.
Click Create API key.
Fill in the fields:
- Key name that will be displayed in the list of keys. Set a name that would allow you to easily identify the key.
- Key type — permanent or temporary.
- Expiration date — only for a temporary key. After the expiration date, the key is no longer valid, and you need to create a new key.
- Project where the key is valid (the field is not displayed when you create an API key on the project page). All projects are selected by default.
Click Create.
In the window that opens, click Copy API key and save the created API key on your side.

If you create an API key on the project page, the key is valid only in this particular project.

Key recommendations:

Save the generated API key on your side. You can view the API key in Publisher Account only once when it is created.
Keep your API key a secret. It provides access to your personal account and your projects in Publisher Account.
The API key must be stored on your server and never in binaries or on the frontend.

If an API call you need does not contain the project_id path parameter, use the API key that is valid in all the company’s projects to set up authorization.

Delete API key

To delete an API key:

Open Publisher Account.
Go to the Company settings > API keys or Project settings > API keys section.
In the API key row, click the bin icon and confirm the action.

Deleting an API key ceases:

receiving payments in the projects where this API key was used
calling API methods that used this API key

To prevent it:

Create a new API key.
Change your application to use the new API key.
Delete the initial API key.

Webhooks

Webhooks allow you to receive instant notifications of configured events on Xsolla’s side. You can set up processing webhooks to automate your application. Refer to our documentation for the list of available webhooks and detailed descriptions of how they work.

Thank you for your feedback!

We’ll review your message and use it to help us improve your experience.

Last updated: April 2, 2025

Found a typo or other text error? Select the text and press Ctrl+Enter.

Contents

Overview
API keys
Webhooks