Xsolla-logoXsolla Developers
前往发布商帐户

概述

本部分介绍用于登录管理器的API调用。发送请求之前请在发布商帐户设置您的登录管理器项目。

IP addresses

The full list of IP addresses that login.xsolla.com may use:

  • 34.94.0.85
  • 34.94.14.95
  • 34.94.25.33
  • 34.94.115.185
  • 34.94.154.26
  • 34.94.173.132
  • 34.102.48.30
  • 35.235.99.248
  • 35.236.32.131
  • 35.236.35.100
  • 35.236.117.164

下载API定义

您可以下载两种格式的API定义:

词汇表

您可以在发布商帐户中访问以下登录管理器项目类型:

  • 标准登录管理器项目
  • 影子登录管理器项目

关于它的详细信息请参阅跨平台帐户功能。

流量限制

Are the restrictions applied by Xsolla API on the frequency of access by a user within a defined timeframe.

标准登录管理器项目

用于存储主帐户的登录管理器项目。

影子登录管理器项目

用于存储平台帐户的登录管理器项目。

主帐户

一种在标准登录管理器项目中创建的且关联了平台帐户的帐户类型。主帐户用于在不同平台上识别玩家。

平台帐户

一种在影子登录管理器项目中创建的且关联了指定发布平台的帐户类型。一个平台帐户不能关联其他平台帐户。另外,不能解除帐户与主帐户的关联。

发布平台

用于分发游戏的游戏平台(例如Steam、PlayStation、Xbox等)。

身份认证

Login API支持以下令牌类型:

Authentication schemes

您可以按照身份认证机制来判断一个API调用属于客户端侧还是服务器侧:

  • Client-side — are called without authentication or with the Authorization header: Bearer <user_JWT> header, where <user_JWT> — is the user token.
  • Server-side API calls for implementing the user flow — are called with the header: X-SERVER-AUTHORIZATION: <server_JWT>, where <server_JWT> — is the server token.

获取用户令牌

要获取令牌,请发送以下请求之一:

JWT认证后,用户将重定向到在查询参数中包含令牌的回调URL:<Callback URL>?token=<User token (JWT)>

进行基于OAuth 2.0协议的认证后,请将生成JWT请求发送给艾克索拉登录管理器服务器来用收到的code交换用户令牌(access_token)。

获取服务器令牌

要获取服务器令牌:

  1. 设置服务器OAuth 2.0 客户端
  2. 生成服务器JWT

设置服务器OAuth 2.0客户端

  1. 发布商帐户中打开您的项目,然后前往登录管理器部分
  2. 登录管理器项目的面板中单击配置
  3. 前往安全性区块并选择OAuth 2.0部分。
  4. Click Add OAuth 2.0 Client.
  5. 勾选服务器(服务器对服务器连接)复选框。
  6. 指定令牌有效期
  7. 单击连接
  8. 复制并保存客户端ID和密钥。

生成服务器JWT

在应用程序的后端,实现使用生成JWT API调用获取服务器JWT的方法。请求必须包含以下参数:

  • grant_type is the type of getting JWT, pass the client_credentials value.
  • client_secret is the secret key that is received when you set up the server OAuth 2.0 client.
  • client_id is the client ID received when you set up the server OAuth 2.0 client.

流量限制

To prevent Xsolla system overloads and protect against sudden spikes in incoming traffic, Xsolla limits the number of requests received by the Xsolla API within a specified period of time. If the limit is exceeded, the Xsolla API returns an HTTP response with the 429 status code.

Rate limits vary by method, IP-address, authentication scheme, and other factors.

Rate limits for server-side methods are applied to methods with server-side authentication — methods that are called with the X-SERVER-AUTHORIZATION: <server_JWT> header, where <server_JWT> is the server token.

Rate limits for client-side methods are applied to methods without authentication or with client-side authentication — methods that are called with the Authorization: Bearer <user_JWT> header, where <user_JWT> is the user token.

Example of a method with server-side authentication: Example of a method with server-side authentication Example of a method with client-side authentication: Example of a method with server-side authentication

Rate limits for client-side methods do not change and are necessary to prevent brute-force attacks. The maximum request rate for server-side methods is higher than for client-side methods. You can refer to the recommendations on how to manage rate limits in the documentation.

Note In certain cases, it is possible to adjust the rate limits by request. To request the rate limits adjustment, contact your Customer Success Manager or email csm@xsolla.com.

JWT结构

每个密钥都一个JWT格式,并在负载中包含固定的信息。

用户JWT

用户JWT是作为身份认证或注册结果收到的一个令牌。令牌负载包含关于用户和认证调用的信息。

通过OAuth 2.0协议获取用户令牌需要OAuth 2.0客户端。用户令牌在Authorization: Bearer <JWT>头中传入。

主要声明

身份认证或邮箱地址确认后,令牌会包含主要声明。这些声明的存在不依赖于用户数据库和认证调用。

 
声明 类型 必需 描述
exp Unix时间戳 令牌过期的日期和时间。默认过期时间是24小时。您可以更改各登录管理器项目的过期时间。
iss string 给令牌签名的服务:https://login.xsolla.com
iat Unix时间戳 授予令牌的日期和时间。
sub 字符串(UUID) 写入在艾克索拉登录管理器服务器侧的用户ID。
groups array

用户所在组的列表。每个组的写入格式如下:

  • id — 组ID
  • name — 组名称
  • is_default — 显示该组是否是默认组(truefalse值)。

只能有一个默认组。该组最初包含将用户分到不同组之前的所有用户。
xsolla_login_project_id 字符串(UUID) 登录管理器项目ID。
type string

身份认证选项:

  • xsolla_login — 通过用户名/邮箱和密码登录。
  • social — 社交网络登录
  • email — 通过电子邮件接收的一次性代码进行无密码登录。
  • phone — 通过短信接收的一次性代码进行无密码登录。
  • firebase — 用户数据存储为Firebase时,通过用户名/邮箱和密码登录。
  • playfab — 用户数据存储为PlayFab时,通过用户名/邮箱和密码登录。
  • proxy — 用户数据存储为自定义时,通过用户名/邮箱和密码登录。
  • device — 使用设备ID登录。
  • server_custom_id — 使用自定义ID登录。

只能有一个默认组。该组最初包含将用户分到不同组之前的所有用户。
avatar string 用户头像URL。
username string 用户名。
publisher_id integer 拥有登录管理器项目的商户ID。
email string 用户邮箱地址。
payload string 身份认证过程中在payload参数中传递的附加信息。
promo_email_agreement boolean

可以是以下值之一:

  • true,如果用户同意接收电子简讯。
  • false,不同意接收。
默认为true值。

要向登录管理器小组件的注册表单添加该功能:

  • 如使用小组件2.0,请联系您的帐户经理。
  • 如果使用上一版本的小组件,请在初始代码中添加值为promo_email_agreementfields参数。
connection_information string 显示用户是否确认了其出生日期。确认由okname服务进行。

PlayFab存储

如果使用PlayFab存储,身份认证后包含在令牌中的声明如下。

声明 类型 必需 描述
external_account_id string 用户PlayFab ID。
session_ticket string

认证请求或向PlayFab API发送请求期间收到的SessionTicket参数。

如果通过OAuth 2.0协议来认证用户并向scope参数传入了playfab值,则令牌包含该声明。

entity_token string 一个EntityToken.EntityToken参数。
entity_type string 一个EntityToken.Entity.Type参数。只能有title_player_account值。
entity_id string 一个EntityToken.Entity.Id参数。

自定义存储

如果使用自定义存储,身份认证后包含在令牌中的声明如下。

声明 类型 必需 描述
provider string 认证使用的社交网络的名称。如果用户通过用户名和密码进行认证,则声明的值为xsolla
external_account_id string 您服务器侧的用户ID。
partner_data Data of any type returned by your server in the response body during authentication. To enable the transmission of this claim, contact your Customer Success Manager or email to csm@xsolla.com
social_access_token Access token of the social network through which the user was authenticated. To enable the transmission of this claim, contact your Customer Success Manager or email to csm@xsolla.com.

社交网络帐户认证

通过社交网络进行认证后包含在令牌中的声明如下。这些声明的存在不依赖于用户数据库。

声明 类型 必需 描述
provider string 认证使用的社交网络的名称。
id string 社交网络中的用户ID。
is_cross_auth boolean 显示静默认证请求正在进行中。
social_access_token string 用于认证的社交网络帐户access_token参数。请联系您的帐户经理设置该功能。
picture 字符串(URL) 社交网络中用户个人资料图片的链接。
birthday 日期(RFC3339) 社交网络中的用户出生日期。
gender string 社交网络中的用户性别。
name string 社交网络中的用户昵称。

通过OAuth 2.0协议进行认证

OAuth 2.0认证后包含在令牌中的声明如下。

声明 类型 必需 描述
jti string 唯一令牌ID。

通过手机号码进行认证

通过手机号码进行认证后包含在令牌中的声明如下。

声明 类型 必需 描述
phone_number string 用于认证的用户手机号码。手机号码格式由国家代码、地区代码和线路号码组成,没有分隔符。

服务器JWT

服务器令牌在X-SERVER-AUTHORIZATION头中传入。

令牌负载包含OAuth 2.0客户端拥有的资源的信息。令牌可以访问对这些资源有基于服务器认证的调用。

声明 类型 必需 描述
xsolla_login_project_id 字符串(UUID) OAuth 2.0客户端所属登录管理器项目的ID。
resources array

OAuth 2.0客户端拥有的资源的列表。可能的资源类型:

  • publisher_id — 拥有该登录管理器项目的商户的资源
  • publisher_project_id发布商帐户中项目的资源。

各组的写入格式如下:

  • name — 资源类型
  • value — 资源ID
jti string 唯一令牌ID。

JWT验证

To validate the JWT, use the following Login API calls:

注意

请勿将密钥告诉任何人。如果发生密钥泄露,请立即更新。

错误

对于错误响应,艾克索拉登录管理器服务器返回包含以下字段的JSON对象:

字段 类型 描述
code string 艾克索拉登录管理器服务器错误代码。
description string 错误描述。文本始终为英文。发生错误时不要使用此文本,因为文本值将来可能会更改。 
{
  "error": {
    "code": "000-000",
    "description": "description"
  }
}
Error Code 描述 Recommendation
002-016 Invalid JWT. The user should try to log in again.
002-027 Parameter is invalid. Make sure all request parameters are correct.
002-028 Parameter was not passed. Make sure all required parameters are provided.
002-040 This user is banned. The user should contact the game support team.
002-043 This phone number cannot receive SMS. Use a different number. The user should try another phone number that can receive SMS.
002-050 User MFA settings have not changed. The error occurs when trying to enable two-factor authentication if it's already enabled, or disable it if it's already disabled.
002-056 Invalid phone number. Verify the number or try another one. The user should verify the phone number or enter a different one.
002-057 Too many login attempts. The user should try again later. If you believe this error should not occur, please contact the integrator team in any messenger.
002-058 You exceeded login attempts limit. To unblock your account, follow the link in the email that we sent or reset your password. The user should use the link in the email to unblock their account or reset the password.
002-060 User younger than required age. Inform the user of the age restrictions.
003-001 Incorrect email address/username or password. The user should verify the entered information and try again.
003-002 User is not signed up. The user should sign up in the game to continue.
003-003 User with this username already exists. Try another username. The user should try a different username.
003-004 User with this email address already exists. Try another email address. The user should use a different email address.
003-005 Email address does not exist. Try another email address. The user should try a different email address.
003-007 Account not activated. Please confirm email address. The user should confirm their email address to activate the account. If they haven't received a confirmation email, they should check the spam folder.
003-008 Changing email address not allowed. Changing the email address is not allowed.
003-009 User search request wrong. The search failed for technical reasons, please try again later.
003-010 Changing birth date is unavailable. Changing the birth date is not allowed.
003-011 Email address not confirmed. Try another email address or confirm this one. The user should confirm the email address or use another one that has not been previously used during registration.
003-012 User with specified phone number already exists. The user should confirm the phone number or use another one that has not been previously used during registration.
003-019 Login with this project ID not found. Check the existence of the authentication variant with the passed ID.
003-020 Call unavailable for this Login project. Check the authorization option settings in your Publisher Account.
003-021 Logging in via username/password not allowed. The user should contact game support.
003-022 Incorrect project configuration. Verify the authorization option settings in your Publisher Account.
003-023 Signing up via username/password not allowed. Registration is not allowed for this authorization option. The user should contact game support.
003-030 Link has expired. Please perform password recovery again. The password reset link has expired or is incorrect. The user should attempt to reset the password again.
003-049 Too many attempts to use confirmation code. Try again later. The user should try again later.
007-001 Login via phone is currently unavailable in your country. Please try a different login method. The user should use an alternative login method.
008-001 Passwordless login URL not configured. Add the correct login URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage).
008-002 User verification URL not configured. Add the correct user verification URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage).
008-003 New user URL not configured. Add the correct URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage).
008-004 Password reset URL not configured. Add the correct password reset URL in the authorization option settings in your Publisher Account (section User database > Storage > Custom storage).
008-005 PlayFab Title ID invalid. Ensure the correct Title ID is specified in the authorization option settings in your Publisher Account (section User database > Storage).
008-006 PlayFab API key invalid. Ensure the PlayFab API key is valid.
008-008 Invalid response from your API. It must contain user ID as "accountID" response body parameter. Ensure the server returns the accountID parameter in the response body.
008-009 Invalid URL in Custom storage settings. Verify the URLs specified in the Custom storage settings in the authorization option in your Publisher Account (section User database > Storage > Custom storage).
008-011 Set new password page URL not configured. Ensure that the callback URL for password reset is specified in the authorization option settings in your Publisher Account (section Password settings).
008-013 Consent page URL not configured or invalid. Ensure that a link to the user agreement is specified in the authorization option settings in your Publisher Account (section Legal Terms > Policies and Agreements).
008-014 Okta integration not completed. Contact the integration team through any messenger.
008-015 SAML integration not completed. Contact the integration team through any messenger.
008-016 Firebase API key not set. Add the API key to the settings in your Publisher Account (section Legal Terms > Policies and Agreements).
010-004 Service temporarily unavailable. Try again later. The user should try again later.
010-005 Allowable number of requests exceeded. Try again later. The user should try again later.
010-006 If this social profile is unlinked, no authentication methods will be available. The user should add another authentication method before unlinking the social network.
010-007 Incorrect CAPTCHA input. Try again. The user should complete the CAPTCHA again.
010-010 Invalid confirmation code. The user should verify the code and try again.
010-014 Your code is expired. Return to the login page and log in again. The user should log in again from the login page.
010-015 Something went wrong during authentication with this social network. Try again later. The user should try again later.
010-016 This social account is already linked to another user. The user should use a different social account. If they believe this is an error, they should contact the integration team through any messenger.
010-017 Client authentication failed. Some request parameters are missing in request or have invalid values. Verify the correctness of the request parameters being sent.
010-019 Client authentication failed. Client with this client_id value does not exist. Ensure that a client with the provided client_id exists.
010-020 Client authentication failed. Parameter scope is invalid or malformed. Ensure that the provided scope parameter is correct. Refer to the instructions for detailed setup information.
010-021 Client authentication failed. Parameter response_type is invalid or malformed. You should pass value of code parameter to response_type. Ensure that the value of the response_type parameter is set to "code".
010-022 Client authentication failed. Parameter state is missing or its value has less than 8 characters. Ensure that the state parameter is present and consists of at least 8 characters.
010-023 Client authentication failed. Authorization code, authorization grant types, or refresh token are invalid or expired. Also this error is returned when the redirect_uri given in authorization grant type does not match the URI provided in access token request. Ensure that the authorization code is valid and not expired, and that the redirect_uri parameter contains an authorized URL. Refer to the instructions for detailed setup information.
010-026 The resource owner or authorization server denied the request. Ensure that you have sufficient permissions to access the resource.
010-030 Cross social network is not enabled for this Login. Ensure that cross-authentication is enabled for the authorization option. Refer to the instructions for detailed setup information.
010-031 Social provider already exists. The error occurs when attempting to connect a social network that is already enabled.
010-032 Social network is not enabled for this Login. You can enable it in your Xsolla Publisher Account > Login Project > Social connections. Ensure that the social network is enabled and configured in the authorization option settings in your Publisher Account (section Authorization via Social Networks).
010-033 This call is temporary unavailable. The user should try again later.
010-035 Dependency service is unavailable The user should try again later.
010-045 Account with this social provider email address already exists. The user should use a different social account for registration.
030-024 Password recovery is not allowed. The user should contact the game support team.
040-001 Email address must be 254 characters or shorter. The user should enter an email address containing no more than 254 characters.
040-002 Username of the email address is invalid. Try another email address. The user should enter a valid email address.
040-003 Local part of the email address is too long. The user should enter a different email address.
040-004 Email address domain is invalid. Try another email address. The user should contact Xsolla support.
040-005 Email address should contain one @ character only. (E.g., username@example.com) The user should enter an email with only one @ character.
040-006, 040-007, 040-008 Email address domain is invalid. Try another email address. The user should contact Xsolla support.
040-009 Email address domain doesn’t exist. Try another email address. The user should enter an email with an existing domain.
040-010 Email address domain is not allowed. Try another email address. The user should contact Xsolla support.
010-018 Email address is invalid. Try another email address. The user should enter a different email address.
300-003 Allowable number of requests exceeded. Try again later. The user should try again later.
300-005 Failed to resend code. Try again later. The user should try again later.
300-006 Incorrect confirmation code. Check the code that you received and try again. The user should verify and re-enter the confirmation code.
300-008 You've exceeded the maximum number of attempts. Use the new code sent to your email or phone. The user should use the new code sent to their email or phone.
003-007 User account not confirmed. The user should confirm their email address to activate the account. If they haven't received a confirmation email, they should check the spam folder.
003-025 Error occurred while getting OAuth 2.0 access token. The user should try a different authentication method.
003-040 Unauthorized user. The user should log in again.
003-033 Mismatch project type. Ensure that shadow authentication is used for the authorization option.
2002-0001 Duplicated attributes. Make sure that the attribute being created has not been previously added to the user.
系统状态所有服务正常提供

Do Not Sell My Personal Information

隐私政策终端用户许可协议© 2006–2025 Xsolla Inc.