• Versão: 1.0.0
• Servidores: https://login.xsolla.com/api
• Protocolos: https
• Aceita: application/json
• Responde com: application/json
• Entre em contato conosco por e-mail
• URL de contato: https://xsolla.com/

Esta seção descreve as chamadas de API para trabalhar com Login. Configure seu projeto Login na Conta de Distribuidor antes de enviar solicitações.

The full list of IP addresses that login.xsolla.com may use:

• 34.94.0.85
• 34.94.14.95
• 34.94.25.33
• 34.94.115.185
• 34.94.154.26
• 34.94.173.132
• 34.102.48.30
• 35.235.99.248
• 35.236.32.131
• 35.236.35.100
• 35.236.117.164

Você pode baixar a definição de API em dois formatos:

• YAML
• JSON

Você tem acesso aos seguintes tipos de projeto Login na Conta de Distribuidor:

• Projeto Login padrão
• Projeto Shadow Login

Para obter mais informações sobre ele, consulte o recurso Conta multiplataforma.

São as restrições aplicadas pela API Xsolla sobre a frequência de acesso por um usuário dentro de um período de tempo definido.

É um projeto Login usado para armazenar contas principais.

É um projeto Login usado para armazenar contas de plataforma.

É um tipo de conta criado em um projeto Login padrão e vinculado a contas de plataforma. A conta principal é usada para identificar o jogador em diferentes plataformas.

É um tipo de conta criado em um projeto de Login sombra e conectado a uma plataforma de distribuição definida. A conta da plataforma não pode ser vinculada a outra conta da plataforma. Além disso, não é possível desvincular as contas de uma conta principal.

É uma plataforma de jogos que é usada para a distribuição de jogos (por exemplo, Steam, PlayStation, Xbox, etc.).

A Login API oferece suporte aos seguintes tipos de token:

• Token de usuário. Ele é usado para enviar solicitações para os seguintes recursos do usuário:
  • perfil
  • amigos
  • atributos
• Token de servidor. Ele é usado para enviar solicitações para recursos do aplicativo, como configurações ou dados do usuário. As seguintes solicitações estão disponíveis:
  • Criar contas de plataforma
  • Obter dados do usuário
  • Vincular contas
  • Vincular contas de usuário via ID externo

Você pode determinar se uma chamada de API ocorre no lado do cliente ou do servidor pelo esquema de autenticação:

• Client-side — are called without authentication or with the Authorization header: Bearer <user_JWT> header, where <user_JWT> — is the user token.
• Server-side API calls for implementing the user flow — are called with the header: X-SERVER-AUTHORIZATION: <server_JWT>, where <server_JWT> — is the server token.

Para obter o token, envie uma das seguintes solicitações:

• registro de usuário (JWT ou OAuth 2.0)
• autenticação por nome de usuário e senha (autenticação JWT, OAuth 2.0 ou JWT por nome de usuário e senha)
• autenticação via redes sociais (JWT ou OAuth 2.0)
• autenticação silenciosa (JWT ou OAuth 2.0)
• Autenticação por meio de um token de acesso à rede social
• autenticação através de uma plataforma de publicação

Após a autenticação JWT, o usuário é redirecionado para o URL de retorno de chamada com um token em um parâmetro de consulta: <Callback URL>?token=<User token (JWT)>.

Após a autenticação baseada no protocolo OAuth 2.0, envie a solicitação Generate JWT ao servidor do Xsolla Login para trocar o parâmetro code recebido por um token de usuário (access_token).

Para obter um token de servidor:

1. Configure o cliente OAuth 2.0 do servidor.
2. Gere o JWT do servidor.

Configure o cliente OAuth 2.0 do servidor

1. Abra seu projeto na Conta de Distribuidor e vá para a seção Login.
2. Clique em Configure no painel de um projeto Login.
3. Vá para o bloco Security e selecione a seção OAuth 2.0.
4. Clique em Adicionar cliente OAuth 2.0.
5. Marque a caixa Server (server-to-server connection).
6. Especifique o Tempo de vida do token.
7. Clique em Connect.
8. Copie e salve o ID do cliente e a chave secreta.

Geração do JWT do servidor

No back-end do seu aplicativo, implemente um método para obter o JWT do servidor usando a chamada Generate JWT API. A solicitação deve conter os seguintes parâmetros:

• grant_type é o tipo de obtenção de JWT; passa o valor client_credentials.
• client_secret é a chave secreta que é recebida quando você configura o cliente OAuth 2.0 do servidor.
• client_id é o ID do cliente recebido quando você configura o cliente OAuth 2.0 do servidor.

Para evitar sobrecarregar o sistema Xsolla e proteger contra picos repentinos no tráfego de entrada, a Xsolla limita o número de solicitações recebidas pela API Xsolla dentro de um período de tempo especificado. Se o limite for excedido, a API Xsolla retornará uma resposta HTTP com o código de status 429.

Rate limits vary by method, IP-address, authentication scheme, and other factors.

Rate limits for server-side methods are applied to methods with server-side authentication — methods that are called with the X-SERVER-AUTHORIZATION: <server_JWT> header, where <server_JWT> is the server token.

Rate limits for client-side methods are applied to methods without authentication or with client-side authentication — methods that are called with the Authorization: Bearer <user_JWT> header, where <user_JWT> is the user token.

Example of a method with server-side authentication: Example of a method with client-side authentication:

Os limites de taxa para métodos do lado do cliente não mudam e são necessários para evitar ataques de força bruta. A taxa máxima de solicitação para métodos do lado do servidor é maior do que para métodos do lado do cliente. Você pode consultar as recomendações sobre como gerenciar limites de taxa na documentação.

Cada token tem um formato JWT e contém uma informação definida em uma carga.

O JWT do usuário é um token recebido como resultado da autenticação ou cadastro. Uma carga de token contém informações sobre o usuário e a chamada de autenticação.

Para obter um token de usuário por meio do protocolo OAuth 2.0, você precisa de um cliente OAuth 2.0. O token de usuário é passado no cabeçalho Authorization: Bearer <JWT>.

Um token conterá as principais declarações após a autenticação ou confirmação do endereço de e-mail. A presença dessas declarações não depende do banco de dados do usuário e da chamada de autenticação.

Declarações contidas no token após a autenticação se você usar o armazenamento PlayFab.

Declarações contidas no token após a autenticação se você usar armazenamento personalizado.

Declarações que estão contidas no token após a autenticação por meio de uma rede social. A presença dessas declarações não depende do banco de dados do usuário.

Declarações contidas no token após a autenticação do OAuth 2.0.

Reivindicação que está contida no token após a autenticação por meio de um número de telefone.

O token do servidor é passado no cabeçalho X-SERVER-AUTHORIZATION.

A carga do token contém informações sobre recursos pertencentes ao cliente OAuth 2.0. O token tem acesso a chamadas com autenticação baseada em servidor para esses recursos.

To validate the JWT, use the following Login API calls:

• User JWT validate — for a user token.
  • Server JWT validate — for a server token.

Erros

Em caso de respostas de erro, o servidor do Xsolla Login retorna um objeto JSON com os seguintes campos:

{
  "error": {
    "code": "000-000",
    "description": "description"
  }
}

| Error Code | Description | Recommendation | |---------------------------|---------------------------------------------------

---------------------------------------------------------------------------|:---

---------------------------------------------------------------------------:| | 002-016 | Invalid JWT. | The user should try to log in again. | | 002-027 | Parameter is invalid. | Make sure all request parameters are correct. | | 002-028 | Parameter was not passed. | Make sure all required parameters are provided. | | 002-040 | This user is banned. | The user should contact the game support team. | | 002-043 | This phone number cannot receive SMS. Use a different number. | The user should try another phone number that can receive SMS. | | 002-050 | User MFA settings have not changed. | The error occurs when trying to enable two-factor authentication if it's already enabled, or disable it if it's already disabled. | | 002-056 | Invalid phone number. Verify the number or try another one. | The user should verify the phone number or enter a different one. | | 002-057 | Too many login attempts. | The user should try again later. If you believe this error should not occur, please contact the integrator team in any messenger. | | 002-058 | You exceeded login attempts limit. To unblock your account, follow the link in the email that we sent or reset your password. | The user should use the link in the email to unblock their account or reset the password. | | 002-060 | User younger than required age. | Inform the user of the age restrictions. | | 003-001 | Incorrect email address/username or password. | The user should verify the entered information and try again. | | 003-002 | User is not signed up. | The user should sign up in the game to continue. | | 003-003 | User with this username already exists. Try another username. | The user should try a different username. | | 003-004 | User with this email address already exists. Try another email address. | The user should use a different email address. | | 003-005 | Email address does not exist. Try another email address. | The user should try a different email address. | | 003-007 | Account not activated. Please confirm email address. | The user should confirm their email address to activate the account. If they haven't received a confirmation email, they should check the spam folder. | | 003-008 | Changing email address not allowed. | Changing the email address is not allowed. | | 003-009 | User search request wrong. | The search failed for technical reasons, please try again later. | | 003-010 | Changing birth date is unavailable. | Changing the birth date is not allowed. | | 003-011 | Email address not confirmed. Try another email address or confirm this one. | The user should confirm the email address or use another one that has not been previously used during registration. | | 003-012 | User with specified phone number already exists. | The user should confirm the phone number or use another one that has not been previously used during registration. | | 003-019 | Login with this project ID not found. | Check the existence of the authentication variant with the passed ID. | | 003-020 | Call unavailable for this Login project. | Check the authorization option settings in your Publisher Account. | | 003-021 | Logging in via username/password not allowed. | The user should contact game support. | | 003-022 | Incorrect project configuration. | Verify the authorization option settings in your Publisher Account. | | 003-023 | Signing up via username/password not allowed. | Registration is not allowed for this authorization option. The user should contact game support. | | 003-030 | Link has expired. Please perform password recovery again. | The password reset link has expired or is incorrect. The user should attempt to reset the password again. | | 003-049 | Too many attempts to use confirmation code. Try again later. | The user should try again later. | | 007-001 | Login via phone is currently unavailable in your country. Please try a different login method. | The user should use an alternative login method. | | 008-001 | Passwordless login URL not configured. | Add the correct login URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage). | | 008-002 | User verification URL not configured. | Add the correct user verification URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage). | | 008-003 | New user URL not configured. | Add the correct URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage). | | 008-004 | Password reset URL not configured. | Add the correct password reset URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage). | | 008-005 | PlayFab Title ID invalid. | Ensure the correct Title ID is specified in the authorization option settings in your Publisher Account (section User database > Storage). | | 008-006 | PlayFab API key invalid. | Ensure the PlayFab API key is valid. | | 008-008 | Invalid response from your API. It must contain user ID as "accountID" response body parameter. | Ensure the server returns the accountID parameter in the response body. | | 008-009 | Invalid URL in Custom storage settings. | Verify the URLs specified in the Custom storage settings in the authorization option in your Publisher Account (section User database > Storage > Custom storage). | | 008-011 | Set new password page URL not configured. | Ensure that the callback URL for password reset is specified in the authorization option settings in your Publisher Account (section Password settings). | | 008-013 | Consent page URL not configured or invalid. | Ensure that a link to the user agreement is specified in the authorization option settings in your Publisher Account (section Legal Terms

Policies and Agreements). | | 008-014 | Okta integration not completed. | Contact the integration team through any messenger. | | 008-015 | SAML integration not completed. | Contact the integration team through any messenger. | | 008-016 | Firebase API key not set. | Add the API key to the settings in your Publisher Account (section Legal Terms > Policies and Agreements). | | 010-004 | Service temporarily unavailable. Try again later. | The user should try again later. | | 010-005 | Allowable number of requests exceeded. Try again later. | The user should try again later. | | 010-006 | If this social profile is unlinked, no authentication methods will be available. | The user should add another authentication method before unlinking the social network. | | 010-007 | Incorrect CAPTCHA input. Try again. | The user should complete the CAPTCHA again. | | 010-010 | Invalid confirmation code. | The user should verify the code and try again. | | 010-014 | Your code is expired. Return to the login page and log in again. | The user should log in again from the login page. | | 010-015 | Something went wrong during authentication with this social network. Try again later. | The user should try again later. | | 010-016 | This social account is already linked to another user. | The user should use a different social account. If they believe this is an error, they should contact the integration team through any messenger. | | 010-017 | Client authentication failed. Some request parameters are missing in request or have invalid values. | Verify the correctness of the request parameters being sent. | | 010-019 | Client authentication failed. Client with this client_id value does not exist. | Ensure that a client with the provided client_id exists. | | 010-020 | Client authentication failed. Parameter scope is invalid or malformed. | Ensure that the provided scope parameter is correct. Refer to the instructions for detailed setup information. | | 010-021 | Client authentication failed. Parameter response_type is invalid or malformed. You should pass value of code parameter to response_type. | Ensure that the value of the response_type parameter is set to "code". | | 010-022 | Client authentication failed. Parameter state is missing or its value has less than 8 characters. | Ensure that the state parameter is present and consists of at least 8 characters. | | 010-023 | Client authentication failed. Authorization code, authorization grant types, or refresh token are invalid or expired. Also this error is returned when the redirect_uri given in authorization grant type does not match the URI provided in access token request. | Ensure that the authorization code is valid and not expired, and that the redirect_uri parameter contains an authorized URL. Refer to the instructions for detailed setup information. | | 010-026 | The resource owner or authorization server denied the request. | Ensure that you have sufficient permissions to access the resource. | | 010-030 | Cross social network is not enabled for this Login. | Ensure that cross-authentication is enabled for the authorization option. Refer to the instructions for detailed setup information. | | 010-031 | Social provider already exists. | The error occurs when attempting to connect a social network that is already enabled. | | 010-032 | Social network is not enabled for this Login. You can enable it in your Xsolla Publisher Account > Login Project > Social connections. | Ensure that the social network is enabled and configured in the authorization option settings in your Publisher Account (section Authorization via Social Networks). | | 010-033 | This call is temporary unavailable. | The user should try again later. | | 010-035 | Dependency service is unavailable | The user should try again later. | | 010-045 | Account with this social provider email address already exists. | The user should use a different social account for registration. | | 030-024 | Password recovery is not allowed. | The user should contact the game support team. | | 040-001 | Email address must be 254 characters or shorter. | The user should enter an email address containing no more than 254 characters. | | 040-002 | Username of the email address is invalid. Try another email address. | The user should enter a valid email address. | | 040-003 | Local part of the email address is too long. | The user should enter a different email address. | | 040-004 | Email address domain is invalid. Try another email address. | The user should contact Xsolla support. | | 040-005 | Email address should contain one @ character only. (E.g., username@example.com) | The user should enter an email with only one @ character. | | 040-006, 040-007, 040-008 | Email address domain is invalid. Try another email address. | The user should contact Xsolla support. | | 040-009 | Email address domain doesn’t exist. Try another email address. | The user should enter an email with an existing domain. | | 040-010 | Email address domain is not allowed. Try another email address. | The user should contact Xsolla support. | | 010-018 | Email address is invalid. Try another email address. | The user should enter a different email address. | | 300-003 | Allowable number of requests exceeded. Try again later. | The user should try again later. | | 300-005 | Failed to resend code. Try again later. | The user should try again later. | | 300-006 | Incorrect confirmation code. Check the code that you received and try again. | The user should verify and re- enter the confirmation code. | | 300-008 | You've exceeded the maximum number of attempts. Use the new code sent to your email or phone. | The user should use the new code sent to their email or phone. | | 003-007 | User account not confirmed. | The user should confirm their email address to activate the account. If they haven't received a confirmation email, they should check the spam folder. | | 003-025 | Error occurred while getting OAuth 2.0 access token. | The user should try a different authentication method. | | 003-040 | Unauthorized user. | The user should log in again. | | 003-033 | Mismatch project type. | Ensure that shadow authentication is used for the authorization option. | | 2002-0001 | Duplicated attributes. | Make sure that the attribute being created has not been previously added to the user. |