<aside> ⚠️ This documentation is a work in progress! XIVAuth is still undergoing active development and the API surface described in this document is incomplete. Things documented in this page may not exist yet or may change slightly between now and release.
</aside>
All API endpoints (unless otherwise noted) will require authentication. Authentication is performed by sending a valid Authorization: Bearer ${token} header in the request. A bearer token may be retrieved through a standard OAuth2 flow.
Whenever access to user resources is required, XIVAuth will require the use of an Authorization Code flow or the Device Authorization flow to get consent and sharing settings from the user. Certain endpoints will additionally support bearer tokens retrieved through a Client Credentials flow, but these endpoints will not grant access to any user data.
Developers seeking to access the XIVAuth API will need a Client ID and Client Secret. Both of these can be obtained by creating an Application through the XIVAuth UI.
localhost and related IP addresses.
XIVAuth uses OAuth2 to control access to its resources, with the following URLs. Note that these URLs are relative to the base (e.g. https://xivauth.net/oauth/redirect) and are not versioned.
/oauth/authorize
/oauth/token
Refresh tokens are only issued if the refresh scope has been requested. All access tokens will otherwise expire in 120 minutes. Authorization codes expire after 10 minutes.
A reference of available scopes can be found in the OAuth Scopes page.
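The client side of the Authorization Code flow against /oauth/authorize and /oauth/token, as an added example that is not XIVAuth's own code: it issues and checks the state value, prepares the code exchange, tracks expiry and attaches the bearer header. Assumptions: the standard RFC 6749 parameter names, client credentials sent in the form body, and the placeholder client ID and redirect URI; requests are only prepared, never sent.

```python
import hmac
import secrets
import urllib.parse
import urllib.request

BASE = "https://xivauth.net"  # base URL used in the page's example
CLIENT_ID = "EXAMPLE_CLIENT_ID"  # placeholder, issued when an Application is created
REDIRECT_URI = "http://localhost:8000/callback"  # constructed sample value
ACCESS_TOKEN_TTL = 120 * 60  # seconds; the page states a 120 minute lifetime


def authorization_url(scopes, state=None):
    """Build the /oauth/authorize URL; keep the returned state in the user's session."""
    state = state or secrets.token_urlsafe(32)
    query = urllib.parse.urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state})
    return f"{BASE}/oauth/authorize?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the state is the one we issued."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in params or "code" not in params:
        raise ValueError("authorization was not granted")
    return params["code"][0]  # redeem promptly: codes expire after 10 minutes


def token_request(code, client_secret):
    """Prepare (without sending) the POST to /oauth/token that redeems the code."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "client_secret": client_secret}).encode()  # assumption: credentials in the body
    return urllib.request.Request(f"{BASE}/oauth/token", data=body, method="POST")


def expires_at(token_response, issued_at):
    """Absolute expiry in epoch seconds, defaulting to the documented 120 minutes."""
    return issued_at + int(token_response.get("expires_in", ACCESS_TOKEN_TTL))


def bearer_request(url, access_token):
    """Prepare an API request carrying the Authorization: Bearer header."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
```

Pass "refresh" in the scopes list when a refresh token is wanted, and keep the Client Secret on the server side only.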
The Characters API allows services to view (and in some cases manage) characters for authentication purposes. The following routes are defined:
GET /characters: List All Characters
GET /characters/{lodestone_id}: Get Character
POST /characters: Register new Character
PUT|PATCH /characters/{lodestone_id}: Update Character Data
DELETE /characters/{lodestone_id}: Remove Character