Authenticate Users

When a player launches a game, THNDR will make a server-to-server request to the Operator to validate the session and authenticate the user.

This ensures that the sessionId provided during game launch is valid and not expired.

Endpoint

GET {operatorURL}/thndr/sessions/{sessionToken}

Path Parameters

• operatorURL - Base URL of the Operator’s API.

• sessionToken - The session token originally provided by the Operator when launching the game. It should be single-use and expire very quickly.

Expected Response

{
  "userId": "{USER_ID}",
  "displayName": "{DISPLAY_NAME}",
  "sessionId": "{OPTIONAL_SESSION_ID}"
}

• userId - Unique identifier of the player on the Operator’s platform.

• displayName - Player’s display name, safe for public display within THNDR games.

Error Handling

If the session is invalid, expired, or otherwise not usable, the Operator should return:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "errors": [
    {
      "code": "SESSION_EXPIRED",
      "isClientSafe": true
    }
  ]
}

Signature Verification

Verify the request signature using “sessionId” as the request payload. More in the Request Signing section.

Example signed payload:

Server secret: DUMMY_SECRET

Payload: 5393f66c-a063-402a-92f8-c4a8326dc29b

x-server-authorization: 35786aeba64b3468b6534245b227d4b175eba257aef3e4c3b1b9f325514448c0