Set up selling items

In-Game Store allows you to monetize games through the in-game sale of the following items for real or virtual currency:

  • in-game currency and currency packages
  • consumable items
  • nonconsumable items
  • time-limited items

GoodsSelling method
One item (e.g., virtual item or a custom amount of virtual currency)Fast purchase calls
Several items in a cartPass the unique user ID. The unique user ID is used in the title as a number or line when calling the API methods of the Catalog subsection from the Virtual items & currency method group (x-unauthorized-id parameter). The identifier is generated on the front-end side, for example, via the identifier generation library.

To manage the users’ access to your application and features of Xsolla products, set up an authentication system. For this, you can use Xsolla Login or implement your own authentication system.

If you have implemented your own authentication system and need only the payment UI, generate a Pay Station access token and set up webhooks on your server.

You can use Xsolla Login for your in-game store, if you don’t have your own servers or you want to use the existing solution. The following features are performed on the Xsolla side:

  • store and manage a catalog
  • manage prices
  • store data on regional prices
  • authenticate users
  • process transactions

Authentication via Xsolla login

Xsolla Login supports the OAuth 2.0 standard protocol for user registration and authentication. The standard OAuth 2.0 protocol helps to simplify the development of the client-side application. OAuth 2.0 lets you update the access token without involving the user.

The data on authorized users can be stored:

User data includes the balance in the real currency (change), saved cards, transactions history, and subscriptions.

Authentication via Pay Station access token

Recommended if you want to integrate In-Game Store and Buy Button API methods.
The flow of interaction between your client and the Xsolla server:
  1. Your client sends an authentication request to your server.
  2. Your server requests an authorization token and sends a header that contains project_id/merchant_id and api_key parameters to the Xsolla server.
  3. Xsolla server returns the Pay Station access token.
  4. Your server passes the Pay Station access token to your client.
  5. The returned Pay Station access token is used as an authorization token for authentication in the In-Game Store and Buy Button API and building a store interface.

Get Pay Station access token

On the back-end of your application, implement a method to get a Pay Station access token using an HTTP POST request.

The Xsolla API uses basic HTTP authentication. The request must contain the Authorization: Basic <your_authorization_basic_key> header, where <your_authorization_basic_key> is the merchant ID:API key pair, encoded according to the Base64 standard. Go to Publisher Account to find these parameters:

  • Merchant ID is shown:
    • In the Company settings > Company section.
    • In the URL in the browser address bar on any Publisher Account page. The URL has the following format: https:​//<merchant ID>/<Publisher Account section>.

  • API key is shown in Publisher Account only once when it is created and must be stored on your side. You can create a new key in the following section:
    • Company settings > API keys
    • Project settings > API keys

For more information about working with API keys, see the API reference.

Key recommendations:

  • Save the generated API key on your side. You can view the API key in Publisher Account only once when it is created.
  • Keep your API key a secret. It provides access to your personal account and your projects in Publisher Account.
  • The API key must be stored on your server and never in binaries or on the frontend.

If an API call you need does not contain the project_id path parameter, use the API key that is valid in all the company’s projects to set up authorization.

HTTP request:


To get the token, pass the following parameters in the request body:

objectCustom project settings (object).
integerGame’s Xsolla ID. Can be found in Publisher Account beside the name of your project. Required.
objectUser details (object).
objectUser ID in your authorization system (object).
stringUser ID. Required.
objectUser email (object).
stringUser email. Must be valid according to the RFC 822 protocol. Required.
objectUser screen name (object).Required.
stringUser screen name
objectUser Steam ID (object).
stringUser Steam ID. Required if the application is published on Steam.
objectUser PlayFab ID (object)
stringUser PlayFab ID. Required if the application uses PlayFab services to grant items.
See examples of requests and responses in the API reference.
In the request, use only parameters from the list above. Don’t pass other parameters of the API call (custom_parameters, purchase, etc.), they are not intended to receive an authorization token.

The lifetime of the Pay Station access token when working with the in-game store and inventory is 1 hour after the last call to the Xsolla API. To change the lifetime of the Pay Station access token, contact your Customer Success Manager or email to

Implement the logic of receiving a new Pay Station access token after its expiration. It is recommended that you get a new token in the background mode, so the user doesn’t have to log in to the application again.

Your progress
Thank you for your feedback!
Last updated: April 5, 2024

Found a typo or other text error? Select the text and press Ctrl+Enter.

Report a problem
We always review our content. Your feedback helps us improve it.
Provide an email so we can follow up
Thank you for your feedback!