What is it for
The Login product’s underlying security mechanism is based on access tokens. Each time a user registers or authenticates, the Xsolla Login server issues an access token in the form of a JSON Web Token (JWT). The JWT contains information about the user, such as their ID. The token serves as a pass that must be presented each time the user accesses your resources.
When receiving a JWT, your application must verify that it was the Xsolla Login server that issued it. For this purpose, the token includes a digital signature, which is generated using a secret key. The signature verifies the identity of the sender of the JWT and ensures that the content of the token has not been modified in transit. These tokens are usually only valid for 24 hours.
The secret key for signing the tokens is automatically generated when you create your Login project. The Login product supports two algorithms for JWT signing. The default algorithm is HS256. You can switch to the other algorithm, RS256, reset the secret key, or change the token validity period if necessary (see the JWT signature section).
To enhance the protection of your users’ sensitive data, enable additional security features in your Login project. The following security features are available for the Login product:
- Connecting the OAuth 2.0 protocol. OAuth 2.0 is an authorization protocol that allows you to obtain short-lived application access tokens and then renew them without user intervention.
- Setting up the Single sign-on (SSO) authentication scheme. SSO allows a user to securely authenticate to multiple related services by providing their authentication details once when logging into your game.
- Using multi-factor authentication. Multi-factor authentication (MFA) is a user authentication method that requires more than one type of verification. MFA allows you to prevent intruders from accessing an account, even if they have the username and password.
You can view or change the security settings for your Login project in the Security section.