Set up user authentication

Authentication allows users to buy items in the Web Shop and see unique offers in the catalog.

Key features of the Web Shop with authentication:

Multiple authorization methods in the Web Shop.
Set up personalized storefronts and promo codes for authorized users.
Compliance with regional laws and regulations for the protection and processing of personal data.
Rate limit and DDoS protection.

You can choose one of the following authentication methods:

User ID authentication:
- Simplifies the integration of the Web Shop with the game.
- The authentication widget does not require registration or password entry. A user simply needs to enter the user ID from the game or use the same social network account for login as for logging in to the game.

Use user ID authentication if Xsolla Login isn’t set up in your game.

Authentication via Xsolla Login:
- Provides a wide range of authorization methods: social networks, one-time codes or links, and login and password.
- Allows you to customize the Xsolla Login widget.
- You can impose age restrictions on authorization.

Use Xsolla login authentication if this solution is already set up in your game.

For any of the authentication method, you can add a Fast Login block to your site.

User flow

The user goes to Web Shop with user ID authentication configured.
The user authorizes in the Web Shop in one of the following ways:
- The user enters their ID in the Fast Login block and clicks the login button.
- The user clicks the buy button for the selected item or the login button on the top bar:
  1. A modal window for entering the user ID or logging in through a social network opens.
  2. User enters their ID and clicks Continue or clicks on the social networks icon to choose a social network and completes authentication on the social network page.

The system checks if a user exists in the game. If a user with this ID or social account exists in the game, the user is authorized in the Web Shop. Otherwise an error message is displayed.

How to get it

On your application’s side, implement handling of the user validation webhook.

When receiving a webhook, the application should do the following:

Search for a user by their ID passed in the webhook.
Depending on the result, send one of the following status codes:
- 200 HTTP-code with an answer from webhook if a user is found
- 404 HTTP-code if the user ID is not found
Send user attributes for personalization.

The user ID must be unique for every user.

Open your project in Publisher Account.
In the side bar click Site Builder.
Click Open Site Builder.
Go to the Login Settings block.

Select the User ID option.

Widget customization settings in the login project do not affect the user ID authentication interface.

In the drop-down list, select New Login.

Enter the URL to receive webhooks.

Webhook URLs should start with https://. Using http:// will cause an error.

Xsolla storage is used by default. We recommend that you do not change it in Publisher Account since Xsolla storage provides a wider variety of settings.

Set up authorization via social networks already connected to your application (optional):
1. Open your project in Publisher Account and go to the Login section.
2. Click Configure in the site bar.
3. Go to the Authentication block and select Social login.

1. To set up a social network, go to the social network card, click the ⚙ icon to the right of the title, and select Connect.

To use social network authorization, in the social network card settings, specify the Application ID and secret of the application in your project. The Application ID and secret are available from the developer account of the social provider. Detailed instructions for locating the Application ID and secret are available in the social network card settings in Publisher Account.

User flow

The user goes to Web Shop with Xsolla Login authentication configured.
The user clicks the buy button for the selected item, the login button on the top bar, or the login button in the Fast Login block.
A modal window opens with authorization methods set up in Xsolla Login.

The user proceeds to authorization and enters additional data if necessary.
The system checks if the user exists in the game. If the user exists in the game, the user is authorized in Web Shop. Otherwise an error message is displayed.

How to get it

In the Builder for your site, go to the Login settings block.

Select the Xsolla Login authorization option.
In the drop-down list, select New Login.

As a result, the Login project with user authentication by email and password will be automatically created. For the created Login project, the Web Shop URL will be specified as a callback URL that the user will be redirected to in the following cases:

after successful authentication
after successful email confirmation
after password reset
in case of authentication failure

When you change the domain of Web Shop, the callback URL in the Login project settings changes automatically.

Go to the Login project settings from the modal window or click Set up authentication method in the Xsolla Login block.

For authentication in Web Shop, set up the same social networks as for authentication in your application. If social networks are not set up, user authentication by email address and password will be available.

When setting up the authentication in Web Shop via social networks, use the same Application ID and Application Secret as for authentication in your application.

Connect user data storage.

Depending on the method of storing user data, different product functionality is available to you (see Comparison of user data storage options).

Xsolla storage

If you want the Login product to process all authentication logic, connect to Xsolla storage. More flexible settings will be available to you.

When you create a Login project, Xsolla storage is connected by default, no additional steps are required to configure it. If you have changed the default storage type and need to reconnect to Xsolla storage, follow these steps:

Go to the User database block and select the Storage section.
Select Xsolla storage and click Save changes.

Xsolla storage supports JWT standard-based and OAuth 2.0 protocol-based authentication. All user information is stored on Xsolla’s side.

PlayFab storage

If you want to use PlayFab functionality to work with users, connect to PlayFab storage. The storage saves the following user data:

username
user email address
user password
fields from an extended registration form if the form is set up

PlayFab storage supports JWT standard-based and OAuth 2.0 protocol-based authentication.

PlayFab storage gives you access to the following features:

user registration
authentication by email address or username and password
authentication via Twitch
user password reset
user blocking

To connect the storage:

Go to the User database block and select the Storage section.
Select PlayFab.
In the Title ID field, enter the value of the same field from your PlayFab account.
Click Save changes.

All user information is stored on Xsolla’s side. User passwords are verified by PlayFab only.

Firebase storage

If you want to use Firebase functionality to work with users, connect to Firebase storage. This storage saves the following user data:

username
user email address
user password
fields from an extended registration form if the form is set up

Firebase storage supports JWT standard-based and OAuth 2.0 protocol-based authentication.

To connect the storage:

Go to the User database block and select the Storage section.
Select Firebase.
In the API key field, enter the value of the same field from your Firebase account.
Click Save changes.

All user information is stored in the JSON format and is updated in real time with every connected client.

Custom storage

If you use your own authorization system and store user data on your application side, connect to custom storage.

The custom storage gives you access to the following features:

user registration
authentication by email address or username and password
passwordless authentication by phone number
authentication via social networks
user password reset

Custom storage supports JWT standard-based authentication.

To set up the connection between the Xsolla Login server and your application as a client:

Connect the custom storage.
Set up the processing of requests from the Xsolla Login server.

All user information is stored on Xsolla’s side. User passwords are verified by the custom storage only.

Connect custom storage

Go to the User database block and select the Storage section.
Select Custom storage.
Enter URLs where to send API requests:
Click Save changes.
For the URLs you have set, implement an API that will respond as follows:
- HTTP 200 / HTTP 204 for successful requests. If required, a JSON containing additional user data can be placed in the response body. The passed data is written to a JWT (the partner_data parameter).
- Other HTTP status codes for unsuccessful requests.

If you want the JWT to contain the user ID from your database, contact your Customer Success Manager or email to csm@xsolla.com.
For passwordless authentication via a phone number to work correctly, your API response must contain the account_id parameter that matches the user ID from the client.

Set up processing of requests from Xsolla Login server

Xsolla Login server requests are sent to URLs, you specified in Publisher Account, with the Authorization: Bearer <JWT> header. The JWT is signed with the secret key of your project.

To process a request:

Validate a received JWT.
If the validation is successful, decode the JWT and make sure it includes the claims from the table below. Find and use a library for decoding.

Claim	Type	Description
exp	Unix Timestamp	The date and time of the JWT expiry. The JWT lifetime is 7 minutes.
iat	Unix Timestamp	The date and time JWT is issued.
iss	string	The service that signed the JWT: `https://login.xsolla.com`.
request_type	string	Constant: `gateway_request`.
xsolla_login_project_id	string (UUID)	Your Login project ID in Publisher Account.

Example of a token payload:

Copy

Full screen

Small screen

{
  "exp": 1573635020,
  "iat": 1573634600,
  "iss": "https://login.xsolla.com",
  "request_type": "gateway_request",
  "xsolla_login_project_id": "00000000-0000-0000-0000-000000000000"
}

Set up Fast Login block

The Fast Login block provides users with an additional way to authenticate on the site.

The appearance of the block and its features depend on the selected authentication method.

If authentication via user ID is configured for the site, the Fast Login block displays a field for entering the ID and a login button.

Features:

User authentication without additional transition to the modal window.
Setting up the content of the block. You can enable and configure the following sections:
- Title
- Description
- Instructions on how to find the user ID
- Custom background

You can also expand the features of the block, for example, add text, a button, or an image, using JS code.

If authentication via Xsolla Login is configured for the site, an additional button calling for authorization is displayed in the Fast Login block. When you click on the button in the block, a modal window opens for authorization using one of the Xsolla Login methods.

Features:

Setting up the text of the button calling for authorization
Setting up a custom background

You can also expand the features of the block, for example, add text, a button, or an image, using JS code.

For new sites, the Fast Login block is added to the Web Shop template by default, and you can remove it if necessary.

If you created a site earlier and it doesn’t have a Fast Login block, you can add it.

To add a Fast Login block:

Open the project in Publisher Account.
In the side menu, click Site Builder.
In the Sites section, select your site and click Open Site Builder.
Click Add block.
Choose Fast Login block.

To use the Fast Login block, an authorization option should be chosen in advance from the drop-down list in the Login settings section.

For the user ID authentication method in the Login settings section, you also need to specify the URL to receive the webhook. If you don’t specify it, the site can’t be published because user authentication will be unavailable.

User authentication during site preview is possible without adding a webhook URL.

Next steps

Useful links

Integration flow

Thank you for your feedback!

We’ll review your message and use it to help us improve your experience.

Last updated: March 4, 2024

Found a typo or other text error? Select the text and press Ctrl+Enter.

Your browser is not supported. Please try a different browser

Popular articles

Or choose frequently asked ones:

Answer based on the following sources:

Leave us some feedback (optional)

Leave us some feedback (optional)

Web Shop

Set up user authentication

User flow

How to get it

User flow

How to get it

Xsolla storage

PlayFab storage

Firebase storage

Custom storage

Connect custom storage

Set up processing of requests from Xsolla Login server

Set up Fast Login block

Next steps

Useful links