Overview

• Version: 2.0.0
• Servers: https://store.xsolla.com/api
• Contact Us by Email
• Contact URL: https://xsolla.com/
• Required TLS version: 1.2

The Catalog API allows you to configure a catalog of in-game items on the Xsolla side and display the catalog to users in your store.

The API allows you to manage the following catalog entities:

• Virtual items — in-game items such as weapons, skins, boosters.
• Virtual currency — virtual money used to purchase virtual goods.
• Virtual currency packages — predefined bundles of virtual currency.
• Bundles — combined packages of virtual items, currency, or game keys sold as a single SKU.
• Game keys — keys for games and DLCs distributed via platforms like Steam or other DRM providers.
• Groups — logical groupings for organizing and sorting items within the catalog.

API calls

The API is divided into the following groups:

• Admin — calls for creating, updating, deleting, and configuring catalog items and groups. Authenticated via basic access authentication with your merchant or project credentials. Not intended for storefront use.
• Catalog — calls for retrieving items and building custom storefronts for end users. Designed to handle high-load scenarios. Support optional user JWT authorization to return personalized data such as user-specific limits and active promotions.

Authentication

API calls require authentication either on behalf of a user or on behalf of a project. The authentication scheme used is specified in the Security section in the description of each call.

Authentication using user's JWT

User's JWT authentication is used when a request is sent from a browser, mobile application, or game. In this case, a user's JWT is used. By default, the XsollaLoginUserJWT scheme is applied. For details on how to create a token, see the Xsolla Login API documentation.

The token is passed in the Authorization header in the following format: Authorization: Bearer <user_JWT>, where <user_JWT> is the user token. The token identifies the user and provides access to personalized data. You can try this call using the following test token:

Alternatively, you can use a token for opening the payment UI.

Basic HTTP authentication

Basic HTTP authentication is used for server-to-server interactions, when an API call is sent directly from your server rather than from a user's browser or mobile application. HTTP Basic authentication with an API key is typically used.

With basic server-side authentication, all API requests must include the following header:

• for basicAuth — Authorization: Basic <your_authorization_basic_key>, where your_authorization_basic_key is the project_id:api_key pair encoded in Base64
• for basicMerchantAuth — Authorization: Basic <your_authorization_basic_key>, where your_authorization_basic_key is the merchant_id:api_key pair encoded in Base64

You can find the parameter values in Publisher Account:

• merchant_id is displayed:
  • In Company settings > Company.
  • In the URL in the browser address bar on any Publisher Account page. The URL has the following format: https://publisher.xsolla.com/<merchant_id>.
• project_id is displayed:
  • Next to the project name in Publisher Account.
  • In the URL in the browser address bar when working on a project in Publisher Account. The URL has the following format: https://publisher.xsolla.com/<merchant_id>/projects/<project_id>.
• api_key is shown in Publisher Account only at the time of creation and must be stored securely on your side. You can create an API key in the following sections:
  • Company settings > API keys
  • Project settings > API key

For more information about working with API keys, see the API references.

Authentication with guest access support

The AuthForCart authentication scheme is used for cart purchases and supports two modes:

1. Authentication with a user's JWT. The token is passed in the Authorization header in the following format: Authorization: Bearer <user_JWT>, where <user_JWT> is the user token. The token identifies the user and provides access to personalized data. You can try this call using the following test token:

Alternatively, you can use a token for opening the payment UI.

2. Simplified mode without Authorization header. This mode is used only for unauthorized users and can be applied only for game key sales. Instead of a token, the request must include the following headers:
   • x-unauthorized-id with a request ID
   • x-user with the user's email address encoded in Base64

Useful links

• API calls by interaction model
• Endpoint types
• Errors handling
• API keys
• Webhooks

Core entity structure

Items of all types (virtual items, bundles, virtual currency, and keys) use a similar data structure. Understanding the basic structure simplifies working with the API and helps you navigate the documentation more easily.

Identification

• merchant_id — company ID in Publisher Account
• project_id — project ID in Publisher Account
• sku — item SKU, unique within the project

Store display

• name — item name
• description — item description
• image_url — image URL
• is_enabled — item availability
• is_show_in_store — whether the item is displayed in the catalog

For more information about managing item availability in the catalog, see the documentation.

Organization

• type — item type, for example, a virtual item (virtual_item) or bundle (bundle)
• groups — groups the item belongs to
• order — display order in the catalog

Sale conditions

• prices — prices in real or virtual currency
• limits — purchase limits
• periods — availability periods
• regions — regional restrictions

Example of core entity structure:

Pagination

API calls that return large sets of records (for example, when building a catalog) return data in pages. Pagination is a mechanism that limits the number of items returned in a single API response and allows you to retrieve subsequent pages sequentially.

Use the following parameters to control the number of returned items:

• limit — number of items per page
• offset — index of the first item on the page (numbering starts from 0)
• has_more — indicates whether another page is available
• total_items_count — total number of items

Example request:

Response example:

It is recommended to send subsequent requests until the response returns has_more = false.

Date and time format

Dates and time values are passed in the ISO 8601 format.

The following are supported:

• UTC offset
• null value when there is no time restriction for displaying an item
• Unix timestamp (in seconds) used in some fields

Format: YYYY-MM-DDTHH:MM:SS±HH:MM

Example: 2026-03-16T10:00:00+03:00

Localization

Xsolla supports localization of user-facing fields such as item name and description. Localized values are passed as an object where the language code is used as the key. The full list of supported languages is available in the documentation.

Supported fields

Localization can be specified for the following parameters:

• name
• description
• long_description

Locale format

The locale key can be specified in one of the following formats:

• Two-letter language code: en, ru
• Five-letter language code: en-US, ru-RU, de-DE

Examples

Example with a two-letter language code:

Example with a five-letter language code:

Error response format

If an error occurs, the API returns an HTTP status and a JSON response body. The full list of store-related errors is available in the documentation.

Response example:

• errorCode — error code.
• errorMessage — short error description.
• statusCode — HTTP response status.
• transactionId — request ID. Returned only in some cases.
• errorMessageExtended — additional error details, such as request parameters. Returned only in some cases.

Extended response example:

Common HTTP status codes

• 400 — invalid request
• 401 — authentication error
• 403 — insufficient permissions
• 404 — resource not found
• 422 — validation error
• 429 — rate limit exceeded

Recommendations

• Handle the HTTP status and the response body together.
• Use errorCode to process errors related to application logic.
• Use transactionId to identify requests more quickly when analyzing errors.