Authentication and Authorization

Overview

User Account Management (UAM) is a secure, multi-layer security system that allows access to AccelByte backend services. With UAM, you can allow and deny access to some or all of our backend services with our customizable user roles, client roles, and permissions settings. These settings allow for precision in determining which users or clients have access to which backend services.

Client Credentials

Before creating an access token for a client, you must first perform authentication using your Client ID and Client Secret.

  • Client ID is a unique, public ID.
  • Client Secret is your own password. Do not share your Client Secret or embed it anywhere.

Basic authentication is needed to define the verified client application that is going to be used for the login process.

Grant Type

OAuth has different grant types for different use cases. We use these two grant types to grant access to AccelByte services:

Grant TypeUtilizationFunction
authorization_codeGenerate an access token using this API ResponseAuthorize a user to access UAM services
refresh_tokenGenerate a refresh tokenAllow access to UAM after the initial access token has expired
client_credentialsGenerate a token by checking the provided client credentialsAuthorize a user to access UAM services that requires client credentials

For authentication and authorization, AccelByte uses the OAuth 2.0 protocol. To enable services such as 3rd party user authentication, we use OpenID Connect as our authentication method. There are two ways to authorize access to our services using UAM:

Direct Access Implementation

Direct access implementation uses authentication that includes client credentials (Client ID and Client Secret) in the authorization request header. You’ll receive the client’s credentials when you register that client in UAM Client Management. After registering the client, you can use those credentials in the authorization request header to create an access token (JSON Web Token format) for that client.

The access token is used to authorize every request made to UAM, to grant access to the related services or resources. The default expiration time of the token is four hours, which can be extended using the refresh token that is automatically created during a successful authentication request.

Step 1: Set Basic Authentication

To set the basic authentication, follow these steps:

  1. Click the Set Basic Auth button.
  2. Input the Client ID and Client Secret.
  3. Click Set Authorization Header.

After a successful request, the Authorization Header will be generated in the Authorization Header field.

Step 2: Generate an Access Token

To generate an access token you need to use the OAuth2.0: OAuth2 Access Token Generation - POST /iam/v3/oauth/token endpoint and follow these steps:

  1. Choose the Grant Type.
  2. Input the Authorization Code received from the authorization server in the Code field.
  3. Input the previously registered Client ID into the Client ID field.
  4. Input the registered client in the Redirect URI field.
  5. Click Try it out! to generate the access token.
info

Redirect URI is a unique set of authenticators that each client uses to identify itself. The redirect URI indicates where a client will be redirected to after successful authorization, so it must match the actual redirect URI from the client.

API Gateway Implementation

API gateway implementation offers greater security when authorizing access to backend services, by issuing a session ID to the client application instead of an access token. With this implementation, the access token and client secret are stored in the API gateway. The client must request access to the backend services by sending the session ID to the API gateway, and the API gateway will authorize the session ID and pass the access token to UAM.

Just like access tokens, a session ID expires after four hours and can be extended using a refresh ID, which is provided during the authentication request. The refresh will be performed automatically before the session ID expires.

Step 1: Login Challenge

Use the OAuth 2.0: OAuth2 Authorize API - GET /iam/v3/oauth/authorize endpoint and follow these steps to make the request:

  1. Input the previously registered Client ID.
  2. Input the Redirect URI from the registered client.
  3. Input the random value into the State field.
  4. Input the scope of the access request into the Scope field.
  5. Input the value generated by transforming the code verifier into the Code Challenge field.
  6. Select a Code Challenge Method. The default value is plain.
  7. Click Try it out!
info
  • Scope can be filled with multiple values, delimited with whitespace.
  • Code Challenge is mandatory for all public clients.

After a successful request, a 302 status code that provides a URL in the HTTP header field will be returned. The URL contains the login challenge code in the form of query parameters, which can be used for validation later.

Step 2: Login Challenge Code Validation

The login challenge code needs to be validated to ensure the client that sends it has authorized access. This can be done using the OAuth2.0 - Extension: Authentication API - POST /iam/v3/authenticate endpoint. Follow these steps to make the request:

  1. Input the account username into the Username field.
  2. Input the account password into the Password field.
  3. Input the valid request ID generated during the authorization process into the Request ID field.
  4. Click Try it out!

After a successful request, a 302 status code will be returned and successful requests will be redirected to the consent page.

Step 3: User Authentication

After the login has been validated, you can move to user authentication by using the OAuth2.0: Access Token Generation - POST /iam/v3/oauth/token endpoint and following these steps:

  1. Choose your desired Grant Type. The default value is authorization_code.
  2. Input the authorization code into the Code field.
  3. Input the code received from the authorization server into the Code Verifier field.
  4. If you chose authorization_code as the grant type, input the client ID into the Client ID field.
  5. If you chose authorization_code as the grant type, input the client’s redirect URI into the Redirect URI field.
  6. If you chose refresh_token as the grant type, input the refresh token into the Refresh Token field.
  7. Click Try it out!

After a successful request the access token will be exchanged for a session ID by the API gateway. After that, the access token will be passed back to the client application to authorize access through the API Gateway.

How It Works

Player Login with username and password

static string email = "johnDoe@example.com";
static string password = "Password1";
public static void OnLogin(Result result)
{
if (!result.IsError)
{
// show the login result
Debug.Log("Login successful");
}
else
{
Debug.Log("Login failed:" + result.IsError);
}
}
public static void Main(string[] args)
{
User user = AccelBytePlugin.GetUser();
user.LoginWithUserName(email, password, OnLogin);
}

Log in with a Device ID

Use the OAuth2 access token generation specific to platform: POST /iam/v3/oauth/platforms/{platformId}/token endpoint. Follow these steps to make request;

  1. Input Platform ID with platform ID to login.
  2. Input the Platform Token with authentication code returned by the Platform.
  3. Input the previously registered Client ID into the Client ID field.
  4. Input the Device ID such as; Android Device ID or any unique string.

After a successful request, the access token will be retrieved.

Log in with an Epic Games Account

Setting up the Epic Games Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token you were just granted to add third party platform credentials by invoking this endpoint: POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Epic Games:

    • Input the namespace with your publisher namespace

    • Input the platformId with epicgames

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "<Epic client_id>", //This obtained from https://epicgames.dev
      "IsActive": true,
      "RedirectUri": ”. <optional>"
      "Secret": "<Epic client_secret>"
      }

Upon successful request, your Epic Games platform login will be ready to use.

Integrating with the Client

For Epic Games, you must get an OAuth token from Epic OAuth and exchange the auth code for an IAM token. To perform this exchange, follow the steps below:

  1. The client, for instance the Player Portal, should call the POST /IAM/v3/oauth/platforms/epicgames/token endpoint to exchange the Epic token for an IAM token. At the same time, the user will be automatically created if this is the first time the player has logged in. The request body should be filled out as seen below:
    {
    "platform_token": <token get from Epic>
    "client_id": <client_id get from Epic>
    "device_id": "" // Epic platform didn’t use device_id
    }
    This endpoint requires all requests to have an Authorization header set with Basic access authentication, constructed from the client ID and client secret.

Upon successful request, the IAM token will be returned.

Log in with a Steam Account

There are two ways to login with Steam Account. It can be done via Steam OpenID and In-game Services.

Log in Via Steam Open ID

The Steam Open ID platform is a Steam authentication service based on the Open ID protocol. The Steam Open ID platform is usually used by the web client, e.g. Player Portal for implementing login with Steam. In order to login using Steam Open ID, please follow the below steps:

Setting up the Steam OpenID Platform Login

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:{platformId}:CLIENT [CREATE].

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Steam OpenID platform:

    • Input the namespace with your publisher namespace
    • Input the platformId with steamopenid
  3. Fill in the parameters as seen below:

    {
    "AppId": "<Steam game App ID. If you don't have any, use 480>",
    "ClientId": "", // Steam doesn't use clientID, so it's safe to leave it empty
    "IsActive": true,
    "RedirectUri": "http://127.0.0.1/", // Steam doesn't use redirectURI, so it's safe to leave it empty
    "Secret": "<Your Steam Web API Key>" // How to create Steam Web API key can be found here: https://steamcommunity.com/dev/apikey
    }

Upon successful request, your Steam OpenID platform login will be ready to use.

Integrating with the Client

The general flow of what the client should do to integrate 3rd party login in IAM:

  1. Get authorization request id.

    The client, for instance the Player Portal, should hit GET /iam/v3/oauth/authorize endpoint It will redirect to login page with request_id parameter, e.g. example.net/auth/?request_id=c586293b3add4af18486ef766e586328

    Generate Steam Open ID login URL:

    • Client, player portal for example, should call GET /iam/v3/oauth/platforms/steamopenid/authorize endpoint.
    • The platformId should be steamopenid and the request_id should be obtained from the previous request.
    • It will redirect to Steam login URL.
  2. Generate IAM authorization code.

  3. Exchange the auth code to UAM token.

    • Client, for instance player portal, should call POST /iam/v3/oauth/platforms/{platformId}/token endpoint to exchange the code from previous request to IAM token.
    • Upon successful request, the IAM token will be returned.
Getting the Steam Open ID platform token manually

UAM has already done this in /iam/v3/oauth/platforms/steamopenid/authorize endpoint. But, in case it's needed for debugging purposes, generating the URL manually can be done by running this code into your javascript console.

function getSteamURL(){
const justiceApiUrl = "<your web client URL, e.g. https://example.net>";
const steamLoginWindowURL = new URL("https://steamcommunity.com/openid/login");
const urlParams = {
"openid.mode": "checkid_setup",
"openid.ns": "http://specs.openid.net/auth/2.0",
"openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
"openid.sreg.optional": "nickname,email,fullname,dob,gender,postcode,country,language,timezone",
"openid.ns.ax": "http://openid.net/srv/ax/1.0",
"openid.ax.mode": "fetch_request",
"openid.ax.type.fullname": "http://axschema.org/namePerson",
"openid.ax.type.firstname": "http://axschema.org/namePerson/first",
"openid.ax.type.lastname": "http://axschema.org/namePerson/last",
"openid.ax.type.email": "http://axschema.org/contact/email",
"openid.ax.required": "fullname,firstname,lastname,email",
"openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
"openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
"openid.return_to": justiceApiUrl,
"openid.realm": justiceApiUrl
};
Object.keys(urlParams).forEach(key => steamLoginWindowURL.searchParams.set(key, urlParams[key]));
return steamLoginWindowURL.toString().
}

In-game Login

In-game using API

Use the OAuth2 access token generation specific to platform: POST /iam/v3/oauth/platforms/{platformId}/token endpoint. Follow these steps to make request;

  1. Input Platform ID with platform ID to login.
  2. Input the Platform Token with authentication code returned by the Platform.
  3. Input the previously registered Client ID into the Client ID field.
  4. Input the Device ID such as; Android Device ID or any unique string.

After a successful request, the access token will be retrieved.

In-game using SDK

public static void OnLoginWithDeviceId(Result result)
{
// show the login with device id
Debug.Log(result.IsError);
}
public static void Main(string[] args)
{
User user = AccelBytePlugin.GetUser();
user.LoginWithDeviceId(OnLoginWithDeviceId);
}

Troubleshooting

If you encounter any errors while integrating with Steam, refer to the solutions below.

Error Code 102

{"Message": "platform's: error:{\"response\":{\"error\":{\"errorcode\":102,\"errordesc\":\"Ticket for other app\"}}}"}

This error occurs when the wrong Steam WebAPI key has been used. Make sure you have the correct Client ID, Client Secret, and Namespace configured for the SDK.

Steam API Failed to Initialize

SteamAPI failed to initialize, conditions not met.

This occurs when the Steamworks SDK fails to initialize the Steam API. Make sure you have configured the correct steam App ID and that you own the game you’re trying to access on Steam. \

Automatically in-game Login through Justice Launcher

Logging in With Launcher

When you are using the AccelByte Launcher to log in, the game will login into the same user as the user that login into the Launcher.

public static void OnLoginWithLauncher(Result result)
{
if (!result.IsError)
{
// show the login result
Debug.Log("Login successful");
}
else
{
Debug.Log("Login failed:" + result.IsError);
}
}

Log in with a Discord Account

Setting up the Discord Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Discord Platform:

    • Input the namespace with your publisher namespace

    • Input the platformId with discord

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "<Discord client_id>", // How to create Discord client_id can be found here: https://discordapp.com/developers/docs/topics/oauth2
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/", // Discord doesn't use redirectURI, so it's safe to leave it empty
      "Secret": "<Discord client_secret>" // How to create Discord client_secret can be found here: https://discordapp.com/developers/docs/topics/oauth2
      }

Upon successful request, your Discord platform login will be ready to use.

Integrating with the Client

For Discord, you must get an OAuth token from Discord OAuth and exchange the auth code for an IAM token. To perform this exchange, follow the steps below:

  1. The client, for instance the Player Portal, should call POST /iam/v3/oauth/platforms/discord/token endpoint to exchange the Discord token for an IAM token. At the same time, the user will be automatically created if this is the first time the player has logged in. The request body should be filled out as seen below:

    {
    "platform_token": "<token get from discord>"
    "client_id": "<client_id get from discord>"
    "device_id": // Discord platform didn’t use device_id
    }

    This endpoint requires all requests to have an Authorization header set with Basic access authentication, constructed from the client ID and client secret.

Upon successful request, the IAM token will be returned.

Log in with a Twitch Account

Setting up the Twitch Platform Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Twitch Platform:

    • Input the namespace with your publisher namespace

    • Input the platformId with twitch

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "<Twitch client_id>", // How to create Twitch client_id can be found here: https://dev.twitch.tv/docs/authentication#registration
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/", // twitch doesn't use redirectURI, so it's safe to leave it empty
      "Secret": "<Twitch client_secret>" // How to create Twitch client_secret can be found here: https://dev.twitch.tv/docs/authentication#registration
      }

Upon successful request, your Twitch platform login will be ready to use.

Integrating with the Client

For Twitch, you must get an OAuth token from Twitch OAuth and exchange the auth code for an IAM token. To perform this exchange, follow the steps below:

  1. The client, for instance the Player Portal, should call the POST /iam/v3/oauth/platforms/twitch/token endpoint to exchange the Twitch token for an UAM token. At the same time, the user will be automatically created if this is the first time the player has logged in.

The request body is filled as the following:

{
"platform_token": "<token get from twitch>
"client_id": "<client_id get from twitch>"
"device_id": " // twitch platform didn’t use device_id
}

This endpoint requires all requests to have an Authorization header set with Basic access authentication constructed from client id and client secret.

Upon successful request, the IAM token will be returned.

Log in with a Google Account

Setting up the Google Platform Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Google Platform:

    • Input the namespace with your publisher namespace

    • Input the platformId with google

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "<Google client_id>", // How to create Google client_id can be found here: https://developers.google.com/identity/protocols/oauth2/openid-connect
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/", // Google redirectURI is optional, so it's safe to leave it empty
      "Secret": "<Google client_secret>" // How to create Google client_secret can be found here: https://developers.google.com/identity/protocols/oauth2/openid-connect
      }

Upon successful request, your Google platform login will be ready to use.

Integrating with Client

For Google, you must get an OAuth token from Google OAuth and exchange the auth code for an IAM token. To perform this exchange, follow the steps below:

  1. The client, for instance the Player Portal, should call the POST /iam/v3/oauth/platforms/google/token endpoint to exchange the Google token for an IAM token. At the same time, the user will be automatically created if this is the first time the player has logged in.

The request body should be filled out as seen below:

{
"platform_token": <token get from Google>
"client_id": <client_id get from Google>
"device_id": "" // Google platform didn’t use device_id
}

This endpoint requires all requests to have Authorization header set with Basic access authentication constructed from client id and client secret.

Upon successful request, the IAM token will be returned.

Log in with a Facebook Account

Setting up the Facebook Platform Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Facebook Platform:

    • Input the namespace with your publisher namespace

    • Input the platformId facebook

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "<Facebook client_id>", // How to create Facebook client_id can be found here: https://developers.facebook.com/docs/facebook-login/access-tokens/#usertokens
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/", // Facebook redirectURI is optional, so it's safe to leave it empty
      "Secret": "<Facebook client_secret>" // How to create Facebook client_secret can be found here: https://developers.facebook.com/docs/facebook-login/access-tokens/#usertokens
      }

Upon successful request, your Facebook platform login will be ready to use.

Integrating with Client

For Facebook, you must get an OAuth token from Facebook OAuth and exchange the auth code for an IAM token. To perform this exchange, follow the steps below:

  1. The client, for instance the Player Portal, should call the POST /iam/v3/oauth/platforms/facebook/token endpoint to exchange the Facebook token for an IAM token. At the same time, the user will be automatically created if this is the first time the player has logged in.

The request body should be filled out as seen below:

{
"platform_token": <token get from facebook>
"client_id": <client_id get from facebook>”
"device_id": ""// Facebook platform didn’t use device_id
}

This endpoint requires all requests to have Authorization header set with Basic access authentication constructed from client id and client secret.

Upon successful request, the IAM token will be returned.

Log in with an Android

Setting up the Android Platform Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Android Platform:

    • Input the namespace with your publisher namespace

    • Input the platformId with android

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "", //Android didn’t need clientId.
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/", // Android didn’t need redirectUri
      "Secret": "" //Android didn’t need clientSecret.
      }

Upon successful request, your Facebook platform login will be ready to use.

Integrating with the Client

For Android platform, we just only need to specify the device_id and platformId then include it in the POST /iam/v3/oauth/platforms/android/token and it will return IAM token The request body should be filled out as seen below:

{
"platform_token": "" // Android platform didn’t need token
"client_id": " "Android platform didn’t need client_id
"device_id": "<Android_unique_device_id>" // Android platform unique device_id
}

This endpoint requires all requests to have Authorization header set with Basic access authentication constructed from client id and client secret.

Log in with an IOS

Setting up the IOS Platform Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For IOS Platform:

    • Input the namespace with your publisher namespace
    • Input the platformId with IOS
    • Fill in the parameters as seen below:
      {
      "AppId": " ”. <optional>",
      "ClientId": "", //IOS didn’t need clientId.
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/", // IOS didn’t need redirectUri
      "Secret": "" //IOS didn’t need clientSecret.
      }

Upon successful request, your IOS platform login will be ready to use.

Integrating with the Client

For IOS platform, we just only need to specify the device_id and platformId then include it in the POST /iam/v3/oauth/platforms/ios/token and it will return an IAM token.

The request body should be filled out as seen below:

{
"platform_token": " " // IOS platform didn’t need token
"client_id": " "IOS platform didn’t need client_id
"device_id": "<IOS_unique_device_id>" // IOS platform unique device_id
}

This endpoint requires all requests to have an Authorization header set with Basic access authentication constructed from client id and client secret.

Log in with an Xbox Account

Log in with Xbox Web API

Setting up the Xbox Platform Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For Xbox:

    • Input the namespace field with your publisher namespace.

    • Input the platformId field with xblweb.

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "", //Xbox didn’t need clientId.
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/",
      "Secret": "" “<credential_from_xbox_live>”
      }

Upon successful request, your Xbox platform login will be ready to use.

Integrating with the Client

For the Xbox platform, we only need to define the platform ID and platform token. Input this information into the POST /iam/v3/oauth/platforms/xbox/token endpoint and it will return an IAM token.

The request body should be filled out as seen below:

{
"platform_token": " " // xsts token generated from client
"client_id": " "Xbox platform doesn’t need client_id”
"device_id": "Xbox platform doesn’t need device_id”
}

This endpoint requires all requests to have an Authorization header set with Basic access authentication constructed from client ID and client secret.

Log in with a PSN Account

Log in with PSN Web API

Setting up the PSN Platform Login using Web API:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]

  2. Use the bearer token to add third party platform credentials by invoking this endpoint POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

    For PSN Web API:

    • Input the namespace field with your publisher namespace.

    • Input the platformId field with ps4web.

    • Fill in the parameters as seen below:

      {
      "AppId": " ”. <optional>",
      "ClientId": "", //PSN didn’t need clientId.
      "IsActive": true,
      "RedirectUri": "http://127.0.0.1/",
      "Secret": "" “<credential_from_psn>”
      }

Upon successful request, your PSN platform login will be ready to use.

Integrating with the Client

For the PSN platform, we only need to define the platform ID and platform token. Input this information into the POST /iam/v3/oauth/platforms/psn/token endpoint and it will return an IAM token.

The request body should be filled out as seen below:

{
"platform_token": " " // psn token generated from client
"client_id": " "PSN platform doesn’t need client_id”
"device_id": "PSN platform doesn’t need device_id”
}

This endpoint requires all requests to have an Authorization header set with Basic access authentication constructed from client ID and client secret.

Log in with Stadia

Setting up the Stadia Login:

  1. Perform a token grant as a user with this permission ADMIN:NAMESPACE:{namespace}:PLATFORM:CLIENT [CREATE]
  2. Use the bearer token you were just granted to add third party platform credentials by invoking this endpoint: POST /iam/v3/admin/namespaces/{namespace}/platforms/{platformId}/clients

For Stadia:

  • Input the namespace field with your publisher namespace.
  • Input the platformId field with stadia.
  • Fill in the parameters as seen below:
{
"AppId": "<optional>",
"ClientId": "<stadia_client_id>",
"Environment": "string",
"IsActive": true,
"Namespace": "string",
"PlatformId": "string",
"RedirectUri": "<optional>",
"Secret": "<stadia_client_secret>",
"OrganizationId": "string" // the new one
}

Upon successful request, your Stadia platform login will be ready to use.

Integrating with the Client

For Stadia, you must get an OAuth token from the Google OAuth service and exchange the auth code for an IAM token. To perform this exchange, follow the steps below:

  1. The client, for instance, the Player Portal, should call the POST /IAM/v3/oauth/platforms/stadia/token endpoint to exchange the Stadia token for an IAM token. At the same time, the user account will be automatically created if this is the first time the player has logged in.

The request body should be filled out as seen below:

{
"platform_token": <token get from Stadia>
"client_id": <client_id get from Stadia>
"device_id": "" // Stadia platform didn't use device_id
}

This endpoint requires all requests to have an Authorization header set with Basic access authentication, constructed from the client ID and client secret. Upon successful request, the IAM token will be returned.

In-game Login with Stadia

For Stadia, you can get the Auth Code by requesting a user's JWT token. If you’re using Unity, you can also use the Stadia Platform Support package.

GgpPlayerId playerId = StadiaNativeApis.GgpGetPrimaryPlayerId();
GgpStatus reqStatus;
GgpPlayerJwt playerJwt = StadiaNativeApis.GgpGetJwtForPlayer(playerId, 1000, new GgpJwtFields((ulong)GgpJwtFieldValues.kGgpJwtField_None)).GetResultBlocking<GgpPlayerJwt>(out reqStatus);

Tutorials

For Publishers

Creating a Platform Admin Account in Admin Portal

As the Platform Admin Account you have the credentials to configure the platform such as configuring the virtual currency, payment setup and more other features. Follow these steps below to create a Platform Admin Account.

  1. Login to the Admin Portal with your valid credentials.

  2. Go to the Platform Configurations section, then click the Roles menu.

    uam

  3. Click the Create New button.

  4. Input the Role Name such as in this case you can input with “Platform Admin”.

  5. Since this is an Admin Role, you need to choose the Role Manager.

    uam

  6. Once you are done click the Add button and this page will appear. Go to User Permissions and click Add.

    uam

  7. Input the needed information into the Resource field, with the appropriate format.

    • Input ADMIN:NAMESPACE:*:CURRENCY to add the Virtual Currency permission.
    • Input ADMIN:NAMESPACE:*:PAYMENT to add the Payment Setup permission.
    • Select the desired Action. You can select more than one.

    Click the Confirm button when you're done.

    uam

  8. Once it’s done, the new permission will be added to the list.

    uam

Creating a Game Admin Account in Admin Portal

In the Game Admin Account credentials you have the privilege to configure various features in the game level such as Dedicated Server Manager, Matchmaking, and Global Statistics.

  1. Login to the Admin Portal with your valid credentials.

  2. Go to the Platform Configurations section, then click the Roles menu.

  3. Click the Create New button.

    uam

  4. Input the Role Name such as in this case you can input with “Game Admin”.

    uam

  5. Since this is an Admin Role, you need to choose the Role Manager.

    uam

  6. Once you are done click the Add button and this page will appear. Go to User Permissions and click Add.

    uam

  7. Input the needed information into the Resource field, with the appropriate format.

    • Input ADMIN:DSM to add the DSM permission.
    • Input ADMIN:NAMESPACE:*:MATCHMAKING:CHANNEL to add the Matchmaking permission.
    • Input ADMIN:NAMESPACE:*:STAT to add the Global Statistics permission.
    • Select the desired Action. You can select more than one.

    Click the Confirm button when you're done.

    uam

  8. Once it’s done, the new permission will be added to the list.

    uam

Creating a Game Client

The game client is made for a game to access the AccelByte service so that users can log into the game.

  1. Login with your valid credentials.

  2. In the dashboard, go to the Platform Configuration section and click the Clients menu.

    uam

  3. The list of existing clients appears. To create a game client, choose the Game Namespace.

    uam

  4. Click Create New button

    • Fill in the fields required by your client type.
    • To create a game client, choose the Game Namespace and Confidential Client type.

    When you’re finished, click Create. Your new client will be added to the client list.

    uam

For Game Developers

Before starting this guide, make sure you are integrated with AccelByte SDK and also have Create Game Client Credentials.

In-Game User Registration

To register a user account, the user needs to provide an Email Address and Password.

private static void OnRegister(Result<UserData> result)
{
if (result.IsError)
{
Debug.Log("Register failed:", result.Error.Message);
}
else
{
Debug.Log("Register successful.");
}
}
public static void Main(string[] args)
{
var user = AccelBytePlugin.GetUser();
string email = "useremail@example.com";
string username = "JohnDoe";
string password = "password";
string displayName = "displayed";
string country = "US";
string dateOfBirth = "1995-12-30";
user.Registerv2(email, username, password, displayName, OnRegister, country, dateOfBirth);
}

User Verifies Ongoing Registration

After an account has been registered, it needs to be verified before it can log in.

//Let's assume that user has inputted verification code somehow after receiving email with verification code
private static void OnVerifyClicked(object sender, string verificationCode)
{
var user = AccelBytePlugin.GetUser();
user.Verify(verificationCode, OnVerify);
}
private static void OnVerify(Result result)
{
if (result.IsError)
{
Debug.Log("Verify failed:", result.Error.Message);
}
else
{
Debug.Log("Verify successful. User verified");
}
}

Player: Upgrade Headless Account with Verification Code

Upgrade a headless account by linking the headless account with the email address and password, after a successful request the account will automatically verify the email address.

static string email = "johnDoe@example.com";
static string password = "Password1";
public static void OnUpgradeAccount(Result result)
{
if (!result.IsError)
{
// show the login result
Debug.Log("Upgrade Account successful");
}
else
{
Debug.Log("Upgrade Account failed:" + result.IsError);
}
}
public static void Main(string[] args)
{
User user = AccelBytePlugin.GetUser();
user.Upgrade(email, password, OnUpgradeAccount);
}

User Login with Username and Password

This shows you how to login using Username and Password in Player Portal.

static string email = "johnDoe@example.com";
static string username = "JohnDoe";
static string password = "Password1";
public static void OnLogin(Result result)
{
if (!result.IsError)
{
// show the login result
Debug.Log("Login successful");
}
else
{
Debug.Log("Login failed:" + result.IsError);
}
}
public static void Main(string[] args)
{
User user = AccelBytePlugin.GetUser();
// either this
user.LoginWithUserName(email, password, OnLogin);
// or this
// user.LoginWithUserName(username, password, OnLogin);
}

User Login with 3rd Party - Steam

The login process for players using a 3rd party platform requires PlatformType and PlatformToken as the parameters. The registering process will be performed automatically on the first login attempt from a 3rd party platform. This way, the created account will be a headless account, because it won’t have its own username and password. Thus, it relies only on the third party platform token to login.

public static void OnLoginWithOtherPlatform(Result result)
{
if (!result.IsError)
{
// show the login result
Debug.Log("Login successful");
}
else
{
Debug.Log("Login failed:" + result.IsError);
}
}
public static void Main(string[] args)
{
User user = AccelBytePlugin.GetUser();
//Example login with steam
if (SteamManager.Initialized)
{
var ticket = new byte[1024];
uint actualTicketLength;
HAuthTicket ret = SteamUser.GetAuthSessionTicket(ticket, ticket.Length, out actualTicketLength);
Array.Resize(ref ticket, (int) actualTicketLength);
var sb = new StringBuilder();
foreach (byte b in ticket)
{
sb.AppendFormat("{0:x2}", b);
}
user.LoginWithOtherPlatform(PlatformType.Steam, sb.ToString(), OnLoginWithOtherPlatform);
}
}

User Login with AB Launcher

When you are using the AccelByte Launcher to log in, the game will login into the same user as the user that login into the Launcher.

//Attempts to login with launcher
public void LoginWithLauncher()
{
// Check if auth code is available from launcher
string authCode = Environment.GetEnvironmentVariable(AUTHORIZATION_CODE_ENVIRONMENT_VARIABLE);
if (authCode != null)
{
abUser.LoginWithLauncher(OnLogin);
// Toggle loading animation
uiHandler.FadeLoading();
}
else
{
Debug.Log("LoginWithLauncher authCode is null");
}
}
//Handles User Login, on Success it will get the User's account details
private void OnLogin(Result result)
{
if (result.IsError)
{
uiHandler.FadeLoading();
Debug.Log("Login failed:" + result.Error.Message);
Debug.Log("Login Response Code: " + result.Error.Code);
//Show Error Message
}
else
{
Debug.Log("Login successful. Getting User Data");
//Show Login Successful
//Show "Getting User Details"
GetUserDetails();
}
}

User Login Anonymously / Device ID

Just like when players log in with another platform, the account created by this process will be a headless account.

public static void OnLoginWithDeviceId(Result result)
{
if (!result.IsError)
{
// show the login result
Debug.Log("Login successful");
}
else
{
Debug.Log("Login failed:" + result.IsError);
}
}
public static void Main(string[] args)
{
User user = AccelBytePlugin.GetUser();
user.LoginWithDeviceId(OnLoginWithDeviceId);
}

User GetUserData Extracting user data and using it on the game

Getting user data retrieves all of the personal data for a specific player.

public static void OnGetUserData(Result<UserData> result)
{
if (result.IsError)
{
Debug.Log("Get data failed:", result.Error.Message);
}
else
{
Debug.Log("Get data successful.");
}
}
public static void Main(string[] args)
{
var user = AccelBytePlugin.GetUser();
user.GetData(OnGetUserData);
}

What’s Next?

  • For more information about Authentication and Authorization you can access the API references.