Authenticate Users

When a player launches a game, THNDR will make a server-to-server request to the Operator to validate the session and authenticate the user.

This ensures that the sessionId provided during game launch is valid and not expired.

Endpoint

GET {operatorURL}/thndr/sessions/{sessionToken}

Path Parameters

operatorURL - Base URL of the Operator’s API.
sessionToken - The session token originally provided by the Operator when launching the game. It should be single-use and expire very quickly.

Expected Response

{
  "userId": "{USER_ID}",
  "displayName": "{DISPLAY_NAME}",
  "sessionId": "{OPTIONAL_SESSION_ID}",
  "currency": "{OPTIONAL_USER_CURRENCY}",
  "subOperatorID": "{OPTIONAL_SUB_OPERATOR_ID}",
}

userId - Unique identifier of the player on the Operator’s platform.
displayName - Player’s display name, safe for public display within THNDR games.
sessionId - Must be a valid UUID if provided. If omitted, the API will treat the path parameter sessionToken as the session ID.
currency - Player's wallet currency (read more in Currencies).
subOperatorId - Identifies a specific sub-operator under a main operator, enabling separate tracking and reporting across multiple game portals

Error Handling

If the session is invalid, expired, or otherwise not usable, the Operator should return:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "errors": [
    {
      "code": "SESSION_EXPIRED",
      "isClientSafe": true
    }
  ]
}

Signature Verification

Verify the request signature using “sessionId” as the request payload. More in the Request Signing section.

Example signed payload:

Server secret: DUMMY_SECRET

Payload: 5393f66c-a063-402a-92f8-c4a8326dc29b

x-server-authorization: 35786aeba64b3468b6534245b227d4b175eba257aef3e4c3b1b9f325514448c0

PreviousGame API NextCustom

Last updated 4 months ago

hashtagEndpoint

hashtagPath Parameters

hashtagError Handling

hashtagSignature Verification

Endpoint

Path Parameters

Error Handling

Signature Verification