XIVAuth is an identity service designed to provide a unified and cohesive authentication solution for websites targeting players of the critically-acclaimed MMORPG Final Fantasy XIV.

At a high level, XIVAuth allows users to create and register (and verify) their characters with the service. Other sites may then use an OAuth2-like flow to allow users to sign in with either their user account or one (or more) of the player’s characters. Users only need to register their characters once to be able to use them on any service.

XIVAuth does not provide Lodestone scraping services, nor does it provide any sort of authorization service; web services that require Lodestone scraping or have more advanced needs may be better served by XIVAPI or by implementing their own character verification process. XIVAuth is still able to provide authentication services (and authoritative validation that a character is verified) to these applications, however. It is best to think of XIVAuth (and its APIs) as purely an identity and authentication service (really, a dedicated SSO provider) that may tack on additional character data in an attempt to be useful.

API Use and Versioning

XIVAuth’s API is present at https://xivauth.com/api/v1/, with a version defined in the URL.

A version increment may happen when XIVAuth’s API changes in such a way that clients will need to adjust their behavior to adapt. Put simply, the version will not increment for feature additions, but will increment if a route, field name, or prior guarantee needs to change. It is generally advised that XIVAuth consumers use the latest possible version of the API.

As there has not been a need for a version bump for XIVAuth yet, all documentation present assumes Version 1.

All XIVAuth API routes require a valid Bearer token, obtained through the OAuth flow. Certain API routes are only accessible if the Bearer token has been granted a specific scope, and the data returned by any given API route may be subject to constraints based on a user’s selections as to what data they do or do not want to share with any given service. For more information, please consult the XIVAuth is Not Quite OAuth page.

It is important to note that applications will implement the XIVAuth API differently based on their use cases. A service that wishes to authenticate only on characters will consume only the Character API and will not request the Users API. For more information, please see the Examples page.

Sub Pages

XIVAuth is Not Quite OAuth2

API Version 1

Example Authentication Flow

Target Audience

OAuth Scopes

Attestation JWTs