Authenticate Users
When a player launches a game, THNDR will make a server-to-server request to the Operator to validate the session and authenticate the user.
This ensures that the sessionId provided during game launch is valid and not expired.
Endpoint
GET {operatorURL}/thndr/sessions/{sessionToken}
Path Parameters
operatorURL - Base URL of the Operator’s API.
sessionToken - The session token originally provided by the Operator when launching the game. It should be single-use and expire very quickly.
Expected Response
{
"userId": "{USER_ID}",
"displayName": "{DISPLAY_NAME}",
"sessionId": "{OPTIONAL_SESSION_ID}",
"currency": "{OPTIONAL_USER_CURRENCY}",
"subOperatorID": "{OPTIONAL_SUB_OPERATOR_ID}"
}
userId - Unique identifier of the player on the Operator’s platform.
displayName - Player’s display name, safe for public display within THNDR games.
sessionId - Must be a valid UUID if provided. If omitted, the API will treat the path parameter sessionToken as the session ID.
currency - Player's wallet currency (read more in Currencies).
subOperatorId - Identifies a specific sub-operator under a main operator, enabling separate tracking and reporting across multiple game portals.
Error Handling
If the session is invalid, expired, or otherwise not usable, the Operator should return:
HTTP/1.1 403 Forbidden
Content-Type: application/json
{
"errors": [
{
"code": "SESSION_EXPIRED",
"isClientSafe": true
}
]
}
Signature Verification
Verify the request signature using “sessionId” as the request payload. More in the Request Signing section.
Example signed payload:
Server secret: DUMMY_SECRET
Payload: 5393f66c-a063-402a-92f8-c4a8326dc29b
x-server-authorization: 35786aeba64b3468b6534245b227d4b175eba257aef3e4c3b1b9f325514448c0
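An Operator-side sketch of this endpoint, added here as an example and not THNDR's or any Operator's own code: it checks the x-server-authorization header before consuming the single-use token, then enforces expiry. Assumptions: the signature is an HMAC-SHA256 hex digest of the payload (the actual scheme is defined in the Request Signing section), the token is a UUID that doubles as sessionId, and SessionStore, SESSION_TTL_SECONDS and the 30-second lifetime are hypothetical.

```python
import hashlib
import hmac
import time
import uuid

SESSION_TTL_SECONDS = 30  # assumed; the page only says tokens "expire very quickly"
SESSION_EXPIRED_BODY = {"errors": [{"code": "SESSION_EXPIRED", "isClientSafe": True}]}


class SessionStore:
    """Hypothetical Operator-side store backing GET /thndr/sessions/{sessionToken}."""

    def __init__(self, server_secret: bytes, now=time.monotonic):
        self.secret = server_secret
        self.now = now  # injectable clock so expiry can be tested
        self.sessions = {}  # token -> (expires_at, user fields)

    def issue(self, user_id: str, display_name: str) -> str:
        """Create the launch token (a UUID, so it can double as sessionId)."""
        token = str(uuid.uuid4())
        user = {"userId": user_id, "displayName": display_name}
        self.sessions[token] = (self.now() + SESSION_TTL_SECONDS, user)
        return token

    def expected_signature(self, payload: str) -> str:
        # ASSUMPTION: HMAC-SHA256 hex digest; the real scheme is in Request Signing.
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def handle(self, session_token: str, signature_header: str):
        """Return (status, body) for one validation request."""
        expected = self.expected_signature(session_token)
        supplied = (signature_header or "").encode()
        # Check the signature first, in constant time, so an unsigned request
        # cannot consume a player's single-use token.
        if not hmac.compare_digest(expected.encode(), supplied):
            return 403, SESSION_EXPIRED_BODY  # assumed: same 403 body as other failures
        entry = self.sessions.pop(session_token, None)  # pop enforces single use
        if entry is None or entry[0] <= self.now():
            return 403, SESSION_EXPIRED_BODY
        expires_at, user = entry
        return 200, {**user, "sessionId": session_token}
```

Because the token is popped on the first correctly signed request, a replayed validation call gets the same 403 as an expired one.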