New user account integration
Overview
Before allowing your users to register and log in, you need to set the following for new accounts:
- The acceptable user information (e.g., usernames, passwords, email addresses, etc.)
- The registration flow that you want to use
- The minimum user age for accessing your platform
- The legal agreements that users must accept before they can access your platform
- The third-party logins that are allowed for your platform
This article provides information and resources on how to integrate these for new user account creation for AccelByte Gaming Services (AGS) games.
IAM input validation (user information)
You can customize the validation of usernames, display names, passwords, emails, and avatars your users use in their full accounts. To learn more, see Input Validation.
Age restrictions
You can prevent account creation for users below a certain age. To learn more, see Age restrictions.
Legal agreements
You need to set up legal document(s) such as a Terms of Service (ToS), Privacy Policy, End User License Agreement (EULA), and marketing preferences so your users can agree and comply when they register. To learn more, see Legal Agreements.
Mandatory email verification
You can enable the mandatory email verification that will force users to verify their email addresses before registering, or allow them to verify after registration. To learn more, see Mandatory email verification.
Third-party logins
You can let your users use their third-party accounts to log into your game or website. To learn more, see the guide for each platform in the Authentication section.
Integration
Use the information in these sections to help you integrate account registration.
Web Application
You can use the AGS Web SDK to integrate the AGS API into your web applications.
Registration Flow
First, you need to fetch the input validation using the PublicGetInputValidations API. It will be used to validate user input when they register.
Fetch the user's country using the GetCountryLocationV3 API. With the country data, you can call PublicGetCountryAgeRestrictionV3 to check the age restriction for that specific country.
You can have a different registration flow depending on your mandatory email verification setting.
Mandatory email verification enabled:
- The user needs to enter their email address and send the verification code to their email using the PublicSendRegistrationCode API.
- The user will receive the verification code on their side.
- The user will be forced to fill the code field with the verification code that they received in their email inbox.
- After the user fills in all of the required fields, create the user using the PublicCreateUserV4 API.
- After the user registers successfully, you can use their email address and password input to do an account login flow, so they will be logged in automatically after they register.
Mandatory email verification disabled:
- The user doesn't need to fill in the code field.
- After the user fills in all of the required fields, create the user using the PublicCreateUserV4 API.
- After the user registers successfully, you can use their email address and password input to do an account login flow, so they will be logged in automatically after they register.
Login flow
First, you need to obtain the request_id by calling the AuthorizeV3 API. Set the basic authorization using the client credential. After you get the request_id, you can continue to authenticate the user. User authentication has two login options: account login or third-party login.
- Account login
- Third-party login
Account login:
Fetch the input validation data using the PublicGetInputValidations API.
The user will need to input their username or email address and password. You can validate the user input using input validation data from the previous step. If the username or email is using the wrong format, you can disable the login button to prevent them from proceeding before they adjust their input.
When the user's inputs use valid formats, the user can click login. You need to call the AuthenticateV3 API with:
- user_name: it can be a username or email address
- password: the user's password
- request_id: use the request_id from the previous section
The browser will be redirected based on redirect_uri from the previous AuthorizeV3 request.
- If it succeeds, the redirect URI will contain code as the query parameter.
- When the login fails, it will redirect the user to the redirect_uri and there will be an error detail as the query parameter.
Exchange the token using the TokenGrantV3 API. In this case:
- set basic authorization using the client credential
- grant_type: use authorization_code
- code: use the code that was obtained from the redirected URI
- code_verifier: fill it based on the code_challenge on the AuthorizeV3 request
- client_id: fill it based on the client_id on the AuthorizeV3 request
When the token exchange and login are successful, it will set access_token and refresh_token. With access_token, the user can access AGS.
Third-party login:
Supported third-party platforms:
- Steam
- PSN
- XBOX
- Epic Games
- Twitch
- Facebook
- Google
- Snapchat
- Discord
List out all active third-party logins by using RetrieveAllActiveThirdPartyLoginV3 and list out all the active OIDC platform logins by using RetrieveActiveOIDCClientsV3.
When clicking one of the third-party logins, call AuthCodeRequestV3. Fill the platform_id based on the third party chosen by the user and fill in the request_id based on the AuthorizeV3 request.
The user will be redirected to the third-party authentication page. After the user successfully authenticates on the third-party side, the user will be redirected back to your website with the code query parameter.
You can use the code to authenticate the third party using PlatformAuthenticationV3. PlatformAuthenticationV3 will redirect again to your website with a new code query parameter. Then, you can exchange the token using the TokenGrantV3 API. In this case:
- grant_type: use authorization_code
- code: use the code that was obtained from the previous section
- code_verifier: fill it based on the code_challenge on the AuthorizeV3 request
- client_id: fill it based on the client_id on the AuthorizeV3 request
When the token exchange and login are successful, it will set access_token and refresh_token. With the access_token, the user can access AGS.
When the access_token has expired, you can refresh the user token using the valid refresh_token. To refresh the token, call the TokenGrantV3 API:
- set the basic authorization using the client credential
- set grant_type as refresh_token
- fill refresh_token with the user refresh token