Authentication secret

A token can be acquired from a request made to${config.authentication.token_url}. This token will need to be provided in theAuthorizationheader for every request to the OkLetsPlay back-end.

Requesting a token

curl -s \ 
  -X POST \ 
  -H 'Content-Type: application/x-www-form-urlencoded' \ 
  -d 'client_id=${config.authentication.client_id}' \ 
  -d 'client_secret=${config.authentication.client_secret}' \ 
  -d 'grant_type=client_credentials' \ 
  -d 'scope=olp-report-api' \ 

The JWT within the access_token field is what needs to be provided to the OkLetsPlay back-end. The token is always provided using the Authorization header with a Bearer type. So, if your access token is 1234567890 then the header you will specify to OkLetsPlay is Authorization: Bearer 1234567890.

Token Expiration

Tokens expire, as per theexpires_infield (in seconds) of the returned JSON. To refresh the token, just request a new one using the same endpoint above.

Validating Webhook Requests (Push flow only)

When the OkLetsPlay backend makes a request to the game's backend we also send an access token using the Authorization header with a Bearer type. This should be validated using the public key that can be fetched using the following request:

const axios = require('axios')
const crypto = require('crypto')
const jwt = require('jsonwebtoken');

const fetchPubKey = (url) => {
    return axios.get(url).then((res) =>

const validateJWT = async ({ token, pubKeyUrl }) => {
    const pubKey = await fetchPubKey(pubKeyUrl)
    const pubKeyObject = crypto.createPublicKey('-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----')
    return jwt.verify(token, pubKeyObject, { algorithms: ['RS256'] })

const validationResultPromise = validateJWT({
    token: token,
    pubKeyUrl: '${config.authentication.public_key_url}'