Issue OAuth token¶
Issues an OAuth token required for authorization validation and secure authentication when calling Hive Server APIs.
The 'Issue OAuth token' API follows the OAuth 2.0 Client Credentials Grant standard and operates as a Server-to-Server authentication flow, where the app server calls the Hive authentication server directly.
The 'Issue OAuth token' API has the following characteristics.
- Issues a token using only the Client ID and Secret
- Issues only an Access Token (no Refresh Token is issued)
- Valid for 1 hour (3600 seconds)
Note
For issuing a Client ID and Client Secret, see Security key settings.
Request URL¶
| Production URL | https://auth.qpyou.cn/oauth/token |
|---|---|
| Sandbox URL | https://sandbox-auth.qpyou.cn/oauth/token |
| HTTP Method | POST |
| Content-Type | application/json |
| Data Format | JSON |
Request header¶
| Field name | Description | Type | Required |
|---|---|---|---|
| ISCRYPT | Whether data is encrypted (0 = not encrypted; always pass 0) | Integer | Y |
Request body¶
| Field name | Description | Type | Required |
|---|---|---|---|
| appid | App ID | String | Y |
| grant_type | Fixed to client_credentials | String | Y |
| client_id | Client ID (issued in App Center) | String | Y |
| client_secret | Client Secret (issued in App Center) | String | Y |
Request example¶
curl¶
curl -X POST https://auth.qpyou.cn/oauth/token \
-H "Content-Type: application/json" \
-d '{
"appid": "com.com2us.hivesdk.normal.freefull.apple.global.ios.universal",
"grant_type": "client_credentials",
"client_id": "project_abc123",
"client_secret": "secret_xyz789"
}'
Body¶
{
"appid": "com.com2us.hivesdk.normal.freefull.apple.global.ios.universal",
"grant_type": "client_credentials",
"client_id": "project_abc123",
"client_secret": "secret_xyz789"
}
Response body¶
| Field name | Description | Type |
|---|---|---|
| result_code | Response code, 0=success | Integer |
| result_msg | Result message | String |
| data | Response data | Object |
| data.access_token | JWT Access Token | String |
Response code¶
| Code value | Description |
|---|---|
| 0 | Success |
| 4000 | Invalid parameter (missing required parameter or invalid format) |
| 4001 | Client authentication failed (client_id or client_secret mismatch) |
| 4002 | Unsupported grant_type |
| 4003 | Authentication failed (no permission) |
| 5000 | Internal server error |
Response example¶
{
"result_code": 0,
"result_msg": "SUCCESS",
"data": {
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InByb2plY3RfYWJjMTIzIn0.eyJwcm9qZWN0X2lkIjoiY29tLmNvbTJ1cy5leGFtcGxlIiwidG9rZW5fdHlwZSI6ImFjY2Vzc190b2tlbiIsImdyYW50X3R5cGUiOiJwcm9qZWN0IiwiaWF0IjoxNzE1NTg0MDAwLCJleHAiOjE3MTU1ODc2MDAsImF1dGhfdmVyIjoidjQiLCJ1c2VyX2lkIjoiIiwiaXNfd2hpdGVsaXN0Ijp0cnVlfQ.signature"
}
}
Error response example¶
How to use the token¶
Include the issued Access Token in the HTTP header when calling Hive Server APIs.
JWT token structure¶
The issued Access Token is in JWT (JSON Web Token) format and consists of three parts separated by periods (.): Header, Payload, and Signature.
Header¶
| Field | Value | Description |
|---|---|---|
| kid | Client ID | Client identifier (used for JWT validation) |
| alg | RS256 | Signature algorithm (RSA SHA-256) |
| typ | JWT | Token type |
Payload¶
| Field | Description |
|---|---|
| grant_type | project (client_credentials method) |
| exp | Expiration time (1 hour after issue) |
| iat | Issue time |
| token_type | access_token |
Tip
The server validates the JWT signature with a public key. The kid field in the Header identifies which client's token it is.
Header settings¶
| Header name | Value | Description |
|---|---|---|
| X-Access-Token | JWT Access Token | Issued OAuth Access Token |
Usage example¶
curl -X POST https://auth.qpyou.cn/v2/game/player/get-idp \
-H "Content-Type: application/json" \
-H "X-Access-Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InByb2plY3RfYWJjMTIzIn0..." \
-H "ISCRYPT: 0" \
-d '{
"appid": "com.com2us.hivesdk.normal.freefull.apple.global.ios.universal",
"player_id": 123456789
}'
Note
When calling Hive Server APIs, include the issued JWT Access Token in the X-Access-Token header. If the token is missing or expired, an authentication error occurs.
JWT token validation errors¶
When JWT token validation fails in Hive Server APIs, detailed error information is provided through the token_validation field.
token_validation field¶
This field contains JWT validation error information:
| Field name | Description | Type |
|---|---|---|
| token_validation | JWT validation details | Object |
| token_validation.result_code | JWT validation result code Details | Integer |
| token_validation.result_msg | JWT validation result message | String |
Note
- When JWT validation succeeds:
token_validation.result_code: 0 - When JWT validation fails: a detailed error code is returned in
token_validation.result_code - This field is commonly used by Hive Server APIs.
Error response examples¶
No client information¶
Missing token¶
Token signature error¶
Expired token¶
"token_validation": {
"result_code": 2408,
"result_msg": "The access token is expired. Please refresh your token."
}
JWT validation error codes¶
| Code value | Description | Resolution |
|---|---|---|
| 2400 | No client information | The kid in the JWT Header is invalid. Check the Client ID. |
| 2405 | Token format error | The JWT format is invalid. Reissue the token. |
| 2406 | Missing token | The X-Access-Token header is missing. Issue a token and include it in the header. |
| 2407 | Token signature error | JWT signature validation failed. Make sure you are using the correct token. |
| 2408 | Expired token | The Access Token has expired (1 hour). Reissue a new token. |
| 2409 | Token not yet valid | The JWT is before its nbf (Not Before) time. Check the system time. |
| 2410 | Grant Type mismatch | The requested grant_type differs from the grant_type in the JWT. |
| 2411 | User ID mismatch | The requested player_id differs from the user_id in the JWT (when using a user token). |
| 2412 | Grant Type mismatch | The grant_type in the JWT is not 'user'. Use the User Token returned after a successful game client login. |
Normal response¶
When JWT validation succeeds:
Note
Hive Server APIs include the token_validation field in every response, regardless of success or failure.
Token renewal¶
Refresh Tokens are not issued in the Client Credentials Grant.
Handling token expiration¶
- The Access Token expires (1 hour after issue)
- JWT validation fails when calling the API (
token_validation.result_code: 2408) - Call the
/oauth/tokenAPI to reissue a new Access Token
Note
When the Access Token expires, you must reissue a new token using the same Client ID and Client Secret. Because no Refresh Token is provided, reissue the token in the same way as the initial issue.
Recommended token reuse¶
The Access Token can be reused until it expires.
Recommendations:
- Recommended: Cache the issued token and reuse it until it expires
- Not recommended: Issue a new token for every API call
Tip
Optimize performance by reissuing the token only when the game server starts or when the token expires. Unnecessary token issuance increases server load.
Security recommendations¶
Client secret management¶
Client Secret is sensitive information and must be managed securely.
| Item | Description |
|---|---|
| Never expose | Never expose the Client Secret to clients (app/web) |
| Server only | Use it only on the game server (Server-to-Server communication) |
| Secure storage | Store it in environment variables or secure storage (Vault) |
Warning
If the Client Secret is exposed, an attacker can impersonate the game server and access all player information.
HTTPS required¶
You must use HTTPS when issuing OAuth Tokens and calling APIs.
- Recommended:
https://auth.qpyou.cn/oauth/token - Prohibited: using
http://(vulnerable to man-in-the-middle attacks)