All API endpoints (unless otherwise noted) require authentication. Authentication is performed by sending a valid Authorization: Bearer ${token} header with the request. A bearer token may be obtained through a standard OAuth2 flow.
Developers seeking to access the XIVAuth API will need to define an OAuth client in the XIVAuth Developer Portal prior to being able to access the API. Depending on scopes requested, an access review may apply before an OAuth client is enabled. A reference of available scopes can be found in the OAuth Scopes page.
Token Request URL: /oauth/token
Authorization Request URL: /oauth/authorize
XIVAuth supports a standard Authorization Code flow, with support for PKCE. To authenticate, the OAuth client will generate an OAuth request and redirect the user to XIVAuth’s Authorization URI. The user will then authenticate, approve scopes, and be redirected back to the OAuth client with a code that may be exchanged for a proper OAuth token.
When using the Authorization Code flow, applications must either provide their client_secret upon token redemption or use PKCE. Applications that purely perform authentication in an untrusted environment (e.g. a desktop app or an SPA) must use PKCE to ensure security. Clients may use PKCE in addition to client_secret, if so desired.
The Authorization Request URL supports the following parameters passed in as query params:
response_type: Must be code for an Authorization Code flow
client_id: The OAuth Client ID for the application requesting authentication
redirect_uri: The URI to return the user to after successful authentication
    localhost (though 127.0.0.1 and [::1] are accepted as well)
scope: A space-separated list of scopes to request from the user
state: An optional string provided by the OAuth client for CSRF protection
code_challenge (PKCE): An opaque (generated) challenge for the PKCE process
code_verifier (PKCE): The algorithm used for PKCE. Only S256 is supported by XIVAuth.

A limited set of API resources may be accessed via the Client Credentials flow for machine-to-machine communication. Examples of these endpoints include JWT validation and control endpoints. APIs that return or handle user data are not available when using a Client Credentials flow, as there is no associated user with that OAuth token.
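The Authorization Code flow with PKCE described above, as an added client-side example (not code from XIVAuth): it derives the S256 code_challenge from a fresh code_verifier, builds the Authorization Request URL with the parameters listed, and checks the state value on the redirect back to the client. The host xivauth.net is taken from the curl example on this page; the parameter name code_challenge_method follows RFC 7636 and is assumed here to be what XIVAuth expects for the algorithm.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Authorization Request URL from the page; the host is taken from the page's curl example.
AUTHORIZE_URL = "https://xivauth.net/oauth/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """Return a high-entropy, URL-safe PKCE code_verifier (RFC 7636 section 4.1).

    32 random bytes give a 43-character verifier, the minimum length the RFC allows."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def s256_challenge(verifier: str) -> str:
    """Derive the S256 code_challenge: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        state: str, code_challenge: str) -> str:
    """Build the redirect to XIVAuth with the query parameters listed on this page.

    code_challenge_method is the RFC 7636 name for the PKCE algorithm parameter (assumed)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect back to the client.

    The state must match the value sent in the authorize request; a mismatch means the
    callback was not triggered by our own request (CSRF or a stale/replayed redirect)."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The client keeps the code_verifier private until it redeems the code at /oauth/token; only the derived challenge travels through the browser.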
To use the Client Credentials flow, a POST request must be made to the Token Request Endpoint (/oauth/token) with the following parameters:
grant_type: Must be client_credentials for this flow.
client_id: The OAuth Client ID for the application requesting authentication.
client_secret: The OAuth Client Secret for the application requesting authentication.

$ curl -X POST --url 'https://xivauth.net/oauth/token' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data 'grant_type=client_credentials' \
    --data 'client_id=APP_CLIENT_ID' \
    --data 'client_secret=APP_CLIENT_SECRET'