Custom user data storage
If you use custom user data storage, Xsolla Login acts as an intermediary, and all user identification data is stored on your side. Xsolla Login passes authentication data in the a token included in the header of webhooks and in their bodies.
Note
User email addresses, social media data, and user attributes are stored on the Xsolla side. Passwords are not stored on the Xsolla side.
- user registration
- authentication via username and password
- passwordless authentication via phone number
- passwordless authentication via email
- authentication via social networks
- user password reset
Note
If you are testing the integration locally,
POST
requests from Xsolla do not reach URLs like http://localhost:3000/my-webhook-endpoint
. Ngrok allows you to create a tunnel for external access, enabling you to receive requests from Xsolla locally. You can read more about this in the ngrok documentation.Interaction flow
Note
The maximum length of the JSON with additional user data is 1000 characters.
- nickname
- date of birth
- first name
- last name
- user ID on your server
You can also update user attributes by passing an array of user attribute objects. The structure of these objects is described below.
Structure of a user attribute object:
Parameter | Type | Description |
---|---|---|
attr_type | string | Definition of user’s access level to service attributes:
|
key | string | The name of the attribute that is used to identify the user’s attribute. Must be unique for each user. Maximum length: 256 symbols. You can use numbers, Latin letters, hyphens, and underscores. |
permission | string or null | The type of access to the user’s attributes affects the list of attributes returned by the methods:
Possible values: public , private (default). |
read_only | string | Whether the attribute is protected from modifications. By default, false and changing attribute values is allowed. |
value | string | The value of the user’s attribute. Maximum length: 256 symbols. |
User registration
Authentication via username and password
Passwordless authentication via phone number
Passwordless authentication via email
Authentication via social networks
User password reset
- The client sends the
Reset password POST
request to the Xsolla Login Server. The request must include the following required parameters:- The
projectId
query parameter — ID of the Login project in Publisher Account. - The
username
body parameter — user’s name. Allowed length: 3 to 255 characters.
- The
- The Xsolla Login server sends the user a password reset confirmation email.
- After confirming password reset in the email, the user is redirected to the page where they can enter a new password.
- The user enters a new password.
- The Xsolla Login server sends a webhook to the Password reset URL.
- If a password reset is unsuccessful, you can provide an error message that will be displayed in the authentication widget. To do this, in the response to the user creation request, pass the
error
object with the following details:- In the
code
parameter, specify an error code, for example011-002
. - In the
description
parameter, provide the error message text.
- In the
Password reset URL webhook example:
Copy
http
- http
- curl
1POST https://your.hostname/your_reset_uri HTTP/1.1
2Authorization: Bearer {JWT}
3Content-Type: application/json
4
5{
6 "username": "john@gmail.com",
7 "fields": {
8 "password": "NewPa$$word1"
9 }
10}
1curl --request POST \
2 --url 'https://your.hostname/your_reset_uri' \
3 --header 'authorization: bearer_JWT' \
4 --header 'content-type: application/json' \
5 --data '{"email":"john@gmail.com","fields":{"password":"NewPa$$word1"}}'
Token refresh
Note
Token refresh is available only when using the OAuth 2.0 authentication protocol.
- When the access token expires, the client sends Generate JWT
POST
request endpoint on the Xsolla Login server. The request body must include the following parameters:grant_type
— JWT grant type, pass therefresh_token
value.client_id
— OAuth 2.0 client ID.refresh_token
— refresh token received in response to the user authorization request.
- The Xsolla Login server processes the user data received from the social network and sends a webhook to Refresh token URL. The response must be in the format described in the interaction flow. In the response, you can specify a list of user attributes and/or any necessary JSON object. The JSON object you provide in the response is recorded in the
partner_data
field of the user’s JWT.
Note
To map JSON fields to user profile properties in Xsolla and configure account linking by user ID on your server, follow the instruction.
Copy
- http
1POST https://your.hostname/your_refrsh_token_uri HTTP/1.1
2Authorization: Bearer {JWT}
3Content-Type: application/json
4
5{}
Example of a response to a webhook with user attributes:
Copy
- json
1{
2 "attributes": [
3 {
4 "attr_type": "server",
5 "key": "company",
6 "permission": "private",
7 "value": "facebook-promo"
8 },
9 {
10 "attr_type": "server",
11 "key": "custom-id",
12 "permission": "private",
13 "value": 48582
14 }
15 ]
16}
Example of a response to a webhook with a JSON object:
Copy
- json
1{
2 "user": {
3 "player_id": "12345678",
4 "email": "user@example.com"
5 },
6 "user_info": {
7 "username": "gamer123",
8 "user_first_name": "John",
9 "user_last_name": "Doe",
10 "gender": "male",
11 "birthday": "1990-05-15",
12 "country": "US",
13 "language": "en"
14 },
15 "subscription_status": "active",
16 "loyalty_level": "gold"
17
18}
Was this article helpful?
Thank you for your feedback!
We’ll review your message and use it to help us improve your experience.Continue reading
Last updated: August 29, 2025Found a typo or other text error? Select the text and press Ctrl+Enter.