Xsolla-logo

Auth by username and password

post/oauth2/login

Authenticates the user by the username/email and password specified. To finish user authentication, get the user JWT by sending the Generate JWT request.

Request
query Parameters
response_type
required
string

Grant type used in your project that has the enabled OAuth 2.0 protocol. Must be code to get the user authentication code in the response. The received code must be exchanged to a JWT via the Generate JWT call to finish user authentication.

client_id
required
integer

Your application ID. Get it after creating an OAuth 2.0 client.

state
required
string

Value used for additional user verification. Often used to mitigate CSRF Attacks. The value will be returned in the response. Must be longer than 8 symbols.

audience
string

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case- sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.

scope
string

Scope is a mechanism in OAuth 2.0 to limit an application’s access to a user’s account.

Can be:

  • email for Auth via social network or Get link for social auth calls to request an email from the user additionally.
  • offline to use refresh_token from Generate JWT call to refresh the JWT when it is expired.
  • playfab to write SessionTicket to the session_ticket claim of the JWT if you store user data at PlayFab.

If you process your own values of the scope parameter, that are not mentioned above, you can set them when using this call. The Xsolla Login server does not process these values, but returns them in the received JWT.

redirect_uri
string

URL to redirect the user to after account confirmation, successful authentication, or password reset confirmation. To set up this parameter, contact your Account Manager.

Notice. The parameter is required if you have more than one redirect URI in your project settings.
Request Body schema: application/json
username
required
string

Username or email address.

password
required
string

User password.

Responses
200

OK

400

Bad Request

401

Unauthorized

404

Not Found

422

Unprocessable Entity

429

Too Many Requests

Request samples
application/json
{
  • "password": "password123",
  • "username": "John"
}
Response samples
application/json
{
  • "login_url": "string"
}