RESTful API Overview

Endpoint for OAuth v1.0 API 



Mobage Simplified Chinese Platform

Mobage Traditional Chinese Platform

Endpoint for Social API

Note: Social API includes Appdata API, Blacklist API, People API, Profanity API, Leaderboard API, Remote Notification API.

Mobage Simplified Chinese Platform

Mobage Traditional Chinese Platform

Endpoint for Bank API


Mobage Simplified Chinese Platform

Mobage Traditional Chinese Platform

The RESTful API can be used between platforms and partners' game servers.

Follow the steps for OAuth 1.0 to use the RESTful API.

Please read RFC 5849 - The OAuth 1.0 Protocol for details.

Acquisition of temporary credentials

  1. Use XHR to send a request from the game client to the game server, asking for temporary credentials to be requested from the game server to the partner server.
  2. Use the RESTful API to make a request for the temporary credentials from the game server to the platform.
  3. The temporary credentials are returned from the platform to the game server.
    • The acquired temporary credentials are needed to request token credentials, so they must be kept on the game server.
  4. The temporary credentials are returned from the game server to the game client.

Approval of resource owner

  1. The game client specifies the identifier of the acquired temporary credentials and calls Social.Common.Auth.authorizeToken().
  2. The SDK automatically makes an approval request to the platform.
  3. The verification code is returned from the platform to the SDK.
  4. The verification code is returned as a parameter to the Social.Common.Auth.authorizeToken() callback.

Token credentials request

  1. Use XHR to send a request from the game client to the game server, asking for token credentials to be requested from the game server to the partner server.
    • At this time, the temporary credentials identifier and verification code must be sent.
    • If you are not using HTTPS, please do not send the shared key for the temporary credentials over the network.
  2. Use the RESTful API to make a request for the token credentials from the game server to the platform.
    • The consumer_key and consumer_secret used in the signature can be acquired from the app details screen on the Developer’s Site.
    • The oauth_token and oauth_secret used in the signature are taken from the temporary credentials kept on the game server.
  3. The token credentials are returned from the platform to the game server.
    • The token credentials have a period of validity. If this period has expired, you must reacquire them from the temporary credentials.
  4. A response is sent from the game server to the game client, indicating that the process has finished.
    • Please do not return the acquired token credentials.
    • For example, you can return the ID of the session separately generated on the game server and use it for communication between the game client and game server.
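
The rule in step 4 (return a session ID, not the token credentials), combined with the identity check described under "Verifying the Current User", can be sketched as follows. This is an added example, not Mobage code: `SessionStore`, `fake_fetch_current_user` and the sample tokens are hypothetical, and the People API call is replaced by a constructed lookup so the block runs offline.

```python
import secrets

# Constructed stand-in for the platform: token credential -> People API profile.
CONSTRUCTED_PROFILES = {
    "token-ios": {"id": "10000", "nickname": "username"},
    "token-android": {"id": "10000", "nickname": "username"},
}


def fake_fetch_current_user(token, token_secret):
    """Hypothetical transport: stands in for the signed GET people/@me/@self call."""
    return CONSTRUCTED_PROFILES[token]


class SessionStore:
    def __init__(self, fetch_current_user):
        self._fetch = fetch_current_user
        self._sessions = {}

    def finish_login(self, token, token_secret, device):
        # Identity is taken from the platform's answer for these token credentials,
        # never from a UserId reported by the game client.
        profile = self._fetch(token, token_secret)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user_id": str(profile["id"]), "device": device,
            "token": token, "token_secret": token_secret,  # stay on the game server
        }
        return session_id  # the only value sent back to the game client

    def current_user(self, session_id, claimed_user_id=None):
        session = self._sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown session")
        if claimed_user_id is not None and str(claimed_user_id) != session["user_id"]:
            raise PermissionError("claimed UserId does not match the token credentials")
        return session["user_id"]

    def credentials_for(self, session_id):
        # Used only server-side, to sign later RESTful API requests for this session.
        session = self._sessions[session_id]
        return session["token"], session["token_secret"]
```

Each device logs in with its own token credentials and gets its own session ID, while both sessions resolve to the same platform-verified user ID.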

Communication between the game server and platform

  1. Make a RESTful API request from the game server to the platform.
    • The consumer key and secret, which can be acquired from the Developer’s Site, and the acquired token credentials are used in the signature.
  2. A response is returned from the platform to the game server.

Communication between the game client and game server (reference example)

  1. Use XHR to send a request from the game client to the game server.
    • For example, use of the session acquired in process 12 could be treated as user approval.
  2. A response is returned from the game server to the game client.

Verifying the Current User

When the game server needs the current user's identifying information (e.g. UserId) from Mobage, it should always ask Mobage for the user information that is tied to the negotiated token credentials.

The reason is a spoofing risk: if the user information acquired from getCurrentUser in the Mobage SDKs is sent directly from the game client to the game server, a malicious user can send an altered UserId.

The game server should request the current user's ID from Mobage with the REST People API, using 3-legged OAuth.

The following example calls the RESTful API on the Mobage sandbox server.

Request:

GET /social/api/restful/v2/people/@me/@self?fields=id,thumbnailUrl,hasApp,displayName,nickname HTTP/1.1
Host: sp.sb.mobage-platform.kr
Accept: application/json
Content-Type: application/json; charset=utf-8
Authorization: OAuth realm="", oauth_consumer_key="31816a6d9beac8c1xxxx", oauth_nonce="b9a19f5ceac92a7bxxxx", oauth_signature="yY0IRUStlDYw1qcyPuz8fsD%2BIrxxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1331798387", oauth_token="sp_client_id%3A58cee178e5ea60732d2b6fae0294xxxx", oauth_version="1.0"

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
  
{
    "displayName": "username", 
    "hasApp": true, 
    "id": "10000", 
    "nickname": "username", 
    "thumbnailUrl": "http://ava.sb.daum-mobage.kr/img_u/10000/111.1.png"
}
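
The Authorization header in the request above follows the HMAC-SHA1 signing procedure of RFC 5849. The block below is an added example, not part of the original page or the Mobage SDK, showing how a game server could build that header for the People API call. The OAuth parameter values are the redacted ones from the sample request; the `https` scheme and both secrets are assumptions made for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Values shown in the page's sample request (already redacted there with "xxxx").
PEOPLE_URL = ("https://sp.sb.mobage-platform.kr/social/api/restful/v2/people/@me/@self"
              "?fields=id,thumbnailUrl,hasApp,displayName,nickname")  # https is assumed
PAGE_PARAMS = {
    "oauth_consumer_key": "31816a6d9beac8c1xxxx",
    "oauth_nonce": "b9a19f5ceac92a7bxxxx",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1331798387",
    "oauth_token": "sp_client_id:58cee178e5ea60732d2b6fae0294xxxx",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "constructed-consumer-secret"  # constructed, not a real secret
TOKEN_SECRET = "constructed-token-secret"        # constructed, not a real secret


def pct(value):
    """RFC 5849 section 3.6 encoding: everything except unreserved characters."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Query parameters are signed together with the oauth_* parameters,
    # so the requested field list cannot be changed after signing.
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Default ports (:80, :443) would have to be dropped here; the sample URL has none.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret):
    # Signing key: encoded consumer secret, "&", encoded token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def authorization_header(method, url, oauth_params, consumer_secret, token_secret):
    signature = sign(method, url, oauth_params, consumer_secret, token_secret)
    signed = dict(oauth_params, oauth_signature=signature)
    fields = ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(signed.items()))
    return f'OAuth realm="", {fields}'
```

Because the secrets here are constructed, the resulting signature differs from the one shown in the sample request; a fresh nonce and timestamp are needed for every real request.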

Note

  • To allow for cases in which users may use games (clients) on both iOS and Android devices, please acquire token credentials for each device independently, and link them to the session ID.

Update history

  • January 7, 2012 - Added "Verifying the Current User" section.
  • November 16, 2012 - Added an explanation about acquiring token credentials for each device.
  • May, 2011 - Translated to English.
