Skip to content

Issue OAuth token

Issues an OAuth token required for authorization validation and secure authentication when calling Hive Server APIs.

The 'Issue OAuth token' API follows the OAuth 2.0 Client Credentials Grant standard and operates as a Server-to-Server authentication flow, where the app server calls the Hive authentication server directly.

The 'Issue OAuth token' API has the following characteristics.

  • Issues a token using only the Client ID and Secret
  • Issues only an Access Token (no Refresh Token is issued)
  • Valid for 1 hour (3600 seconds)
Note

For issuing a Client ID and Client Secret, see Security key settings.


Request URL

Production URL https://auth.qpyou.cn/oauth/token
Sandbox URL https://sandbox-auth.qpyou.cn/oauth/token
HTTP Method POST
Content-Type application/json
Data Format JSON


Request header

Field name Description Type Required
ISCRYPT Whether data is encrypted (0 = not encrypted; always pass 0) Integer Y


Request body

Field name Description Type Required
appid App ID String Y
grant_type Fixed to client_credentials String Y
client_id Client ID (issued in App Center) String Y
client_secret Client Secret (issued in App Center) String Y


Request example

curl

curl -X POST https://auth.qpyou.cn/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "appid": "com.com2us.hivesdk.normal.freefull.apple.global.ios.universal",
    "grant_type": "client_credentials",
    "client_id": "project_abc123",
    "client_secret": "secret_xyz789"
  }'

Body

{
  "appid": "com.com2us.hivesdk.normal.freefull.apple.global.ios.universal",
  "grant_type": "client_credentials",
  "client_id": "project_abc123",
  "client_secret": "secret_xyz789"
}


Response body

Field name Description Type
result_code Response code, 0=success Integer
result_msg Result message String
data Response data Object
data.access_token JWT Access Token String

Response code

Code value Description
0 Success
4000 Invalid parameter (missing required parameter or invalid format)
4001 Client authentication failed (client_id or client_secret mismatch)
4002 Unsupported grant_type
4003 Authentication failed (no permission)
5000 Internal server error


Response example

{
  "result_code": 0,
  "result_msg": "SUCCESS",
  "data": {
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InByb2plY3RfYWJjMTIzIn0.eyJwcm9qZWN0X2lkIjoiY29tLmNvbTJ1cy5leGFtcGxlIiwidG9rZW5fdHlwZSI6ImFjY2Vzc190b2tlbiIsImdyYW50X3R5cGUiOiJwcm9qZWN0IiwiaWF0IjoxNzE1NTg0MDAwLCJleHAiOjE3MTU1ODc2MDAsImF1dGhfdmVyIjoidjQiLCJ1c2VyX2lkIjoiIiwiaXNfd2hpdGVsaXN0Ijp0cnVlfQ.signature"
  }
}

Error response example

{
  "result_code": 4001,
  "result_msg": "INVALID_CLIENT",
  "data": null
}


How to use the token

Include the issued Access Token in the HTTP header when calling Hive Server APIs.

JWT token structure

The issued Access Token is in JWT (JSON Web Token) format and consists of three parts separated by periods (.): Header, Payload, and Signature.

Field Value Description
kid Client ID Client identifier (used for JWT validation)
alg RS256 Signature algorithm (RSA SHA-256)
typ JWT Token type

Payload

Field Description
grant_type project (client_credentials method)
exp Expiration time (1 hour after issue)
iat Issue time
token_type access_token
Tip

The server validates the JWT signature with a public key. The kid field in the Header identifies which client's token it is.

Header settings

Header name Value Description
X-Access-Token JWT Access Token Issued OAuth Access Token

Usage example

curl -X POST https://auth.qpyou.cn/v2/game/player/get-idp \
  -H "Content-Type: application/json" \
  -H "X-Access-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InByb2plY3RfYWJjMTIzIn0..." \
  -H "ISCRYPT: 0" \
  -d '{
    "appid": "com.com2us.hivesdk.normal.freefull.apple.global.ios.universal",
    "player_id": 123456789
  }'
Note

When calling Hive Server APIs, include the issued JWT Access Token in the X-Access-Token header. If the token is missing or expired, an authentication error occurs.


JWT token validation errors

When JWT token validation fails in Hive Server APIs, detailed error information is provided through the token_validation field.

token_validation field

This field contains JWT validation error information:

Field name Description Type
token_validation JWT validation details Object
token_validation.result_code JWT validation result code Details Integer
token_validation.result_msg JWT validation result message String
Note
  • When JWT validation succeeds: token_validation.result_code: 0
  • When JWT validation fails: a detailed error code is returned in token_validation.result_code
  • This field is commonly used by Hive Server APIs.

Error response examples

No client information

"token_validation": {
  "result_code": 2400,
  "result_msg": "No client information found."
}

Missing token

"token_validation": {
  "result_code": 2406,
  "result_msg": "The access token is missing."
}

Token signature error

"token_validation": {
  "result_code": 2407,
  "result_msg": "Invalid token signature."
}

Expired token

"token_validation": {
  "result_code": 2408,
  "result_msg": "The access token is expired. Please refresh your token."
}

JWT validation error codes

Code value Description Resolution
2400 No client information The kid in the JWT Header is invalid. Check the Client ID.
2405 Token format error The JWT format is invalid. Reissue the token.
2406 Missing token The X-Access-Token header is missing. Issue a token and include it in the header.
2407 Token signature error JWT signature validation failed. Make sure you are using the correct token.
2408 Expired token The Access Token has expired (1 hour). Reissue a new token.
2409 Token not yet valid The JWT is before its nbf (Not Before) time. Check the system time.
2410 Grant Type mismatch The requested grant_type differs from the grant_type in the JWT.
2411 User ID mismatch The requested player_id differs from the user_id in the JWT (when using a user token).
2412 Grant Type mismatch The grant_type in the JWT is not 'user'. Use the User Token returned after a successful game client login.

Normal response

When JWT validation succeeds:

"token_validation": {
  "result_code": 0,
  "result_msg": "success"
}
Note

Hive Server APIs include the token_validation field in every response, regardless of success or failure.


Token renewal

Refresh Tokens are not issued in the Client Credentials Grant.

Handling token expiration

  1. The Access Token expires (1 hour after issue)
  2. JWT validation fails when calling the API (token_validation.result_code: 2408)
  3. Call the /oauth/token API to reissue a new Access Token
Note

When the Access Token expires, you must reissue a new token using the same Client ID and Client Secret. Because no Refresh Token is provided, reissue the token in the same way as the initial issue.

The Access Token can be reused until it expires.

Recommendations:

  • Recommended: Cache the issued token and reuse it until it expires
  • Not recommended: Issue a new token for every API call
Tip

Optimize performance by reissuing the token only when the game server starts or when the token expires. Unnecessary token issuance increases server load.


Security recommendations

Client secret management

Client Secret is sensitive information and must be managed securely.

Item Description
Never expose Never expose the Client Secret to clients (app/web)
Server only Use it only on the game server (Server-to-Server communication)
Secure storage Store it in environment variables or secure storage (Vault)
Warning

If the Client Secret is exposed, an attacker can impersonate the game server and access all player information.

HTTPS required

You must use HTTPS when issuing OAuth Tokens and calling APIs.

  • Recommended: https://auth.qpyou.cn/oauth/token
  • Prohibited: using http:// (vulnerable to man-in-the-middle attacks)