JWT structure

Every token is a JWT and carries a defined set of claims in its payload.

User JWT

A user JWT is the token received as a result of authentication or registration. The token payload contains information about the user and about the authentication call.

Obtaining a user token via the OAuth 2.0 protocol requires an OAuth 2.0 client. The user token is passed in the Authorization: Bearer <JWT> header.

Main claims

A token contains the main claims after authentication or email address confirmation. Presence of these claims does not depend on the user database or on the authentication call.

  • exp (Unix Timestamp, required): Date and time of token expiration. Default expiration time is 24 hours; you can change it for every Login project.
  • iss (string, required): Service that signed the token: https://login.xsolla.com.
  • iat (Unix Timestamp, required): Date and time at which the token was issued.
  • sub (string, UUID, required): User ID on the Xsolla Login server side.
  • groups (array, required): The list of groups the user is in. Every group is written in the following format:
      • id — group ID
      • name — group name
      • is_default — whether the group is the default group (true or false).
    There can be only one default group. This group initially includes all users before they are distributed into other groups.
  • username (string): Username.
  • publisher_id (integer): ID of the merchant who owns the Login project.
  • email (string): User email address.
  • payload (string): Additional information passed in the payload parameter during authentication.
  • xsolla_login_project_id (string, UUID, required): Login project ID.
  • promo_email_agreement (boolean): May have one of the following values:
      • true if the user agrees to receive a newsletter.
      • false otherwise.
    Defaults to true. To add the feature to the registration form of the Login widget:
      • Contact your Account Manager if you use Widget 2.0.
      • Add the fields parameter with the promo_email_agreement value to the initialization code if you use the previous version of the widget.
  • connection_information (string): Shows whether the user confirmed their birth date. Confirmation is made via the okname service.
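As an added example (not Xsolla's code), the following decodes the payload segment of a user JWT and checks the main claims above: required claims present, issuer equal to https://login.xsolla.com, exp not yet passed, and at most one default group. It assumes the signature has already been verified with the Login project's key; the sample token, its IDs, header alg and signature are constructed placeholders.

```python
import base64
import json

# Added example (not Xsolla's code): decode the payload segment of a user JWT
# and check the main claims listed above. Signature verification with the
# Login project's key is assumed to happen first; decode_payload() verifies
# nothing and must not be used to trust an unverified token.
EXPECTED_ISS = "https://login.xsolla.com"
REQUIRED = ("exp", "iss", "iat", "sub", "groups", "xsolla_login_project_id")

def decode_payload(token: str) -> dict:
    """Split header.payload.signature and base64url-decode the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_user_claims(payload: dict, now: int) -> list:
    """Return a list of problems; empty means the main claims look valid."""
    problems = [f"missing required claim: {c}" for c in REQUIRED if c not in payload]
    if problems:
        return problems
    if payload["iss"] != EXPECTED_ISS:
        problems.append(f"unexpected issuer {payload['iss']!r}")
    if payload["exp"] <= now:
        problems.append("token expired")
    # The page states there can be only one default group.
    defaults = [g for g in payload["groups"] if g.get("is_default") is True]
    if len(defaults) > 1:
        problems.append(f"more than one default group ({len(defaults)})")
    return problems

def encode_segment(obj) -> str:
    """base64url without padding, as in compact JWT serialization."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: made-up IDs, placeholder header alg and signature.
SAMPLE = {
    "exp": 1_700_086_400, "iat": 1_700_000_000, "iss": EXPECTED_ISS,
    "sub": "00000000-0000-4000-8000-000000000001",
    "xsolla_login_project_id": "00000000-0000-4000-8000-0000000000aa",
    "groups": [{"id": 1, "name": "default", "is_default": True}],
    "username": "alice", "promo_email_agreement": False,
}
SAMPLE_TOKEN = ".".join([encode_segment({"typ": "JWT", "alg": "PLACEHOLDER"}),
                         encode_segment(SAMPLE), "signature-placeholder"])
```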

PlayFab storage

Claims contained in the token after authentication if you use PlayFab storage.

  • external_account_id (string, required): User PlayFab ID.
  • session_ticket (string, required): The SessionTicket parameter received during an authentication request or during requests to the PlayFab API. The token contains this claim if you authenticate users via the OAuth 2.0 protocol and pass the playfab value in the scope parameter.
  • entity_token (string, required): The EntityToken.EntityToken parameter.
  • entity_type (string, required): The EntityToken.Entity.Type parameter. Can have only the title_player_account value.
  • entity_id (string, required): The EntityToken.Entity.Id parameter.

Custom storage

Claims contained in the token after authentication if you use custom storage.

  • external_account_id (string): User ID on your server side.
  • provider (string, required): Name of the social network used for authentication. If the user authenticates via username and password, the claim has the xsolla value.
  • partner_data (any type): Data returned by your server in the response body during authentication.

Social authentication

Claims contained in the token after authentication via a social network. Presence of these claims does not depend on the user database.

  • provider (string, required): Name of the social network used for authentication.
  • id (string, required): User ID in the social network.
  • is_cross_auth (boolean): Shows that a silent authentication request is in progress.
  • social_access_token (string): The access_token of the social network account used for authentication. Contact your Account Manager to set up the feature.
  • picture (string, URL): Link to the user's profile picture in the social network.
  • birthday (date, RFC3339): User's birth date in the social network.
  • gender (string): User's gender in the social network.
  • name (string): User's nickname in the social network.

Authentication via the OAuth 2.0 protocol

Claims contained in the token after OAuth 2.0 authentication.

  • jti (string, required): Unique token ID.

Authentication via a phone number

Claim contained in the token after authentication via a phone number.

  • phone_number (string, required): The user's phone number used for authentication. The format is the country code, area code, and line number without any separators.

Server JWT

The server token is passed in the X-SERVER-AUTHORIZATION header.

The token payload contains information about the resources owned by the OAuth 2.0 client. The token grants access to calls that use server-based authentication for these resources.

  • xsolla_login_project_id (string, UUID, required): ID of the Login project that owns the OAuth 2.0 client.
  • resources (array, required): List of resources owned by the OAuth 2.0 client. Possible resource types:
      • publisher_id — resources of the merchant who owns the Login project
      • publisher_project_id — resources of a project in Publisher Account.
    Every resource is written in the following format:
      • name — resource type
      • value — resource ID
  • jti (string, required): Unique token ID.
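As an added example (not Xsolla's code), the following validates the claims of a decoded server JWT against the format above, answers whether the token covers a given resource with a deny-by-default match, and builds the X-SERVER-AUTHORIZATION or Authorization: Bearer header. It assumes the token's signature was already verified; the sample payload and its IDs are constructed placeholders.

```python
# Added example (not Xsolla's code): check the claims of a decoded server JWT
# and decide whether it covers a resource. The payload is assumed to come from
# a token whose signature was already verified.
SERVER_TOKEN_HEADER = "X-SERVER-AUTHORIZATION"
USER_TOKEN_HEADER = "Authorization"
RESOURCE_TYPES = {"publisher_id", "publisher_project_id"}
SERVER_REQUIRED = ("xsolla_login_project_id", "resources", "jti")

def check_server_claims(payload: dict) -> list:
    """Return a list of problems with the server-token claims (empty = valid)."""
    problems = [f"missing required claim: {c}" for c in SERVER_REQUIRED if c not in payload]
    if problems:
        return problems
    for i, res in enumerate(payload["resources"]):
        # Every resource is a {name, value} pair with a known resource type.
        if not isinstance(res, dict) or set(res) != {"name", "value"}:
            problems.append(f"resources[{i}] must be an object with name and value")
        elif res["name"] not in RESOURCE_TYPES:
            problems.append(f"resources[{i}] has unknown resource type {res['name']!r}")
    return problems

def token_covers(payload: dict, resource_type: str, resource_id) -> bool:
    """True only if the token lists exactly this resource; deny by default."""
    return any(
        r.get("name") == resource_type and r.get("value") == resource_id
        for r in payload.get("resources", [])
    )

def auth_header(token: str, server: bool) -> dict:
    """X-SERVER-AUTHORIZATION for server tokens, Authorization: Bearer for user tokens."""
    if server:
        return {SERVER_TOKEN_HEADER: token}
    return {USER_TOKEN_HEADER: f"Bearer {token}"}

# Constructed sample payload; the IDs are made-up placeholders.
SERVER_SAMPLE = {
    "xsolla_login_project_id": "00000000-0000-4000-8000-0000000000aa",
    "resources": [
        {"name": "publisher_id", "value": 12345},
        {"name": "publisher_project_id", "value": 67890},
    ],
    "jti": "constructed-token-id-0001",
}
```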