
Thread: Verifying a player account using API token

  1. #1
    Join Date
    Apr 2015
    Florida, USA

    Verifying a player account using API token

    I have written a bot for Discord that relies heavily on the Clash of Clans API to keep track of player data and which organizes users in the Discord server based on their membership and rank in our family of clans. Currently, account "linking" (telling my bot which Discord user is which player account) is a manual process. This is not ideal, because of the lack of automation and increased possibility for human error. I would really like to use the API token which is provided in-game and used by a few websites to verify the ownership of a player account. However, the Developer Portal does not include any endpoints to support this.

    Please add the user API token verification endpoint to the Developer Portal/API documentation. Thank you!


    Darian responded to this other thread and said "Once we have the World Championships registration site up and running, the token will be able to be used by API developers." However, that was over a year ago and no more information has been posted about the API token since then.
    Last edited by eslindsey; 1 Week Ago at 04:05 PM.

  2. #2
    Forum Champion JusMe
    Join Date
    Feb 2017
    amongst the stars
    This has been asked for a long time now ... and yes, apart from that answer from Darian I haven't seen anything either. We also have been waiting for it ... we'd like to do some stuff with our website and maybe Discord too... quite a few things on hold.

  3. #3
    Fresh Spawn
    Join Date
    Dec 2013
    This is a complete guess, but I think the reason they haven't released this feature for the general public is because it's not a good validation method, because tokens can be reused by services. For example, I could run a web service that asks users for their API Token in-game, and then take that token and pretend to be that user to Clash of Stats, registering or resetting their account. That's very bad for security.

    Independent of this API Token button, they seem to have made an OAuth flow for SCID, for their Creators program, visible at that looks like it was made with public access in mind, if you look at the JWT issued by the button itself, which has scope "identity.relay_email" and aud "scid:oauth:login-1". I'm personally hoping they make this public, as it's more standard and more secure than the in-app API Token button.
    Last edited by kuilin; 2 Days Ago at 08:27 PM. Reason: Removed random emoji

  4. #4
    Yes, the OAuth option seems more suitable for use by the general community. Hopefully this is something we get access to soon.
    Clash Ninja - Upgrade Tracker and Guides - Forum Thread

  5. #5
    You are wrong.
    The token works one time. When you click in game to get the token, you get a different value on the next click.
    The token is used to ensure you are the owner; after you enter your token on Clash of Stats, the token expires. Clash of Stats does not reuse the token because it stores a link between your account and your player tag in its database.

    There is no real reason for Supercell to keep the token documentation private.
    Last edited by SoldatBourrin; 5 Hours Ago at 11:01 AM.
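
Added example (not from any poster, and not Supercell's API): posts #3 and #5 turn on whether a verification token is bound to one service and usable only once. The sketch below goes beyond the thread by checking both properties on a constructed HS256 JWT; the key, the audience names and the `jti`/`exp` claims are assumptions, and a real provider would sign with an asymmetric key so relying parties cannot mint tokens themselves.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _mac(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider: build a constructed HS256 JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def verify(token: str, key: bytes, my_aud: str, used_jti: set, now=None) -> dict:
    """Relying-party check. Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        got = _unb64(sig)
    except ValueError as exc:  # bad base64, bad JSON, wrong segment count
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(key, head, body), got):
        raise ValueError("bad signature")
    if claims.get("aud") != my_aud:  # minted for another service: relayed token
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in used_jti:  # single use, as in post #5
        raise ValueError("missing or reused jti")
    used_jti.add(jti)
    return claims

if __name__ == "__main__":
    key, used = b"constructed-demo-key", set()  # constructed sample values
    tok = issue({"sub": "#PLAYERTAG", "aud": "bot.example", "jti": "n1",
                 "exp": time.time() + 60}, key)
    # First use is accepted, the second is a replay, the third a relay.
    for aud in ("bot.example", "bot.example", "other-site.example"):
        try:
            print(aud, "->", verify(tok, key, aud, used)["sub"])
        except ValueError as err:
            print(aud, "->", err)
```

Single use alone does not stop the relay described in post #3, because a collecting site can spend the token elsewhere before the user does; the audience check is what rejects it at the second service.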
