# Authenticate Users

When a player launches a game, THNDR will make a server-to-server request to the Operator to validate the session and authenticate the user.

This ensures that the sessionId provided during game launch is valid and not expired.

#### Endpoint

```url
GET {operatorURL}/thndr/sessions/{sessionToken}
```

#### Path Parameters

* `operatorURL` - Base URL of the Operator’s API.
* `sessionToken` - The session token originally provided by the Operator when launching the game. It should be single-use and expire very quickly.

#### Expected Response

```json
{
  "userId": "{USER_ID}",
  "displayName": "{DISPLAY_NAME}",
  "sessionId": "{OPTIONAL_SESSION_ID}",
  "currency": "{OPTIONAL_USER_CURRENCY}",
  "subOperatorID": "{OPTIONAL_SUB_OPERATOR_ID}"
}
```

* `userId` - Unique identifier of the player on the Operator’s platform.
* `displayName` - Player’s display name, safe for public display within THNDR games.
* `sessionId` - Must be a valid UUID if provided. If omitted, the API will treat the path parameter `sessionToken` as the session ID.
* `currency` - Player's wallet currency (read more in [currencies](https://docs.thndr.io/integration/server-webhooks/currencies)).
* `subOperatorId` - Identifies a specific sub-operator under a main operator, enabling separate tracking and reporting across multiple game portals.

#### Error Handling

If the session is invalid, expired, or otherwise not usable, the Operator should return:

```
HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "errors": [
    {
      "code": "SESSION_EXPIRED",
      "isClientSafe": true
    }
  ]
}
```

#### Signature Verification

Verify the request signature using `sessionId` as the request payload. See the [Request Signing](https://docs.thndr.io/integration/server-webhooks/request-signing) section for details.

Example signed payload:

```
Server secret: DUMMY_SECRET

Payload: 5393f66c-a063-402a-92f8-c4a8326dc29b

x-server-authorization: 35786aeba64b3468b6534245b227d4b175eba257aef3e4c3b1b9f325514448c0
```
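
An operator-side handler for this endpoint, added here as an example (not THNDR's code). It assumes the signature is hex-encoded HMAC-SHA256 over the session token in the path, which this page does not state (confirm in Request Signing); the in-memory store, the helper names and the 401 `INVALID_SIGNATURE` response are hypothetical.

```python
import hashlib
import hmac
import time

# Placeholder secret from the page; load the real one from a secret store.
SERVER_SECRET = b"DUMMY_SECRET"

# Constructed in-memory store: token -> (user record, expiry in epoch seconds).
SESSIONS = {}


def sign(payload, secret=SERVER_SECRET):
    # ASSUMPTION: HMAC-SHA256, hex-encoded. Check the Request Signing docs.
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(token, user, ttl=30, now=None):
    """Called at game launch: register a short-lived, single-use token."""
    now = time.time() if now is None else now
    SESSIONS[token] = (user, now + ttl)


def handle_session_lookup(token, signature, now=None):
    """Handle GET /thndr/sessions/{token}; returns (status, body)."""
    now = time.time() if now is None else now
    # 1. Check the signature before touching session state, so an unsigned
    #    caller can neither consume a token nor learn whether it exists.
    expected = sign(token).encode()
    if not hmac.compare_digest(expected, (signature or "").encode()):
        # Hypothetical status and code; the page defines only SESSION_EXPIRED.
        return 401, {"errors": [{"code": "INVALID_SIGNATURE", "isClientSafe": False}]}
    # 2. Single use: pop removes the token even if it turns out to be stale.
    record = SESSIONS.pop(token, None)
    if record is None or record[1] <= now:
        return 403, {"errors": [{"code": "SESSION_EXPIRED", "isClientSafe": True}]}
    user, _expiry = record
    return 200, {"userId": user["userId"], "displayName": user["displayName"]}
```

Because the token is removed on the first correctly signed lookup, a replayed request receives the same 403 body as an expired or unknown token.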
