Elements Manual
Elements 3 Manual
Elements 2 ManualElements 3 Manual
Elements 3 Manual
Elements 2 ManualElements 3 Manual
  • Welcome 👋
  • QUICK START
    • Elements in Five Minutes or Less
    • Accessing the Web UI (CRM)
    • Creating A User
  • General
    • General Concepts
    • N-Tier Architecture
    • Security Model
  • Core Features
    • Core API Overview
    • Sessions
    • Applications
    • Users and Profiles
    • Digital Goods
    • Progress and Missions
    • Leaderboards
    • Matchmaking
    • Followers
    • Friends
    • Reward Issuance
    • Save Data
    • Schemas and Metadata Specifications
    • Queries
      • Base Query Syntax
      • Boolean Queries
      • Object Graph Navigation
      • Advanced Operators
        • .ref
        • .name
    • Custom Code
      • Element Structure
      • RESTful APIs
      • Websockets
    • Auth Schemes
      • OIDC
      • OAuth2
  • Web 3
    • Omni Chain Support
    • Vaults
    • Wallets
    • Smart Contracts
      • Smart Contracts: Ethereum
      • Smart Contracts: Flow
      • Smart Contracts: Solana
      • Smart Contracts: Neo
  • CONFIGURATION
    • Direct Database Access and Batch Configuration
    • Batch Samples
      • Item Upload Bash Script Sample
      • Mission Upload Bash Script Sample
  • RESTful APIs
    • Swagger and Swagger UI
    • API Specification
      • /application
      • /application/configuration
      • /auth
      • /auth_scheme
        • /custom
        • /oauth2
        • /oidc
      • /blockchain
      • /followee
      • /follower
      • /friend
      • /google
      • /index
      • /inventory
      • /item
      • /large_object
      • /leaderboard
      • /rank
      • /score
      • /match
      • /mission
      • /progress
      • /reward_issuance
      • /schedule
      • /notification
      • /profile
      • /save_data
      • /metadata_spec
      • /mock_session
      • /session
      • /health
      • /version
      • /signup
      • /user
    • Javadocs
  • Releases
    • 3.1 Release Notes
Powered by GitBook
On this page
  • Creation Methods
  • Scoping Rules
  1. Core Features

Sessions

Elements utilizes Sessions in order for the client application to securely communicate with Elements APIs.

PreviousCore API OverviewNextApplications

Last updated 1 month ago

All HTTP requests between the client application and Elements APIs can have a session key. Creating a Session may be completed through several API calls. There are multiple ways to create a session as detailed in this document.

Elements recognizes the following session headers:

  • Authorization: [bearer] {secret}

  • secret (Required): The Session secret (See below for more information.)

  • Elements-SessionSecret: {secret} [u{UserId}] [p{ProfileId}]

  • secret (Required): The Session secret (See below for more information.)

  • userId (Optional): The id of a User. If the secret matches a then this may be any other non Super User in Elements. This will cause the subsequent request to be executed as the specified User. For all other Users, this must be the identity associated with the session making the request. This will override the User .

  • profileId (Optional): The id of a Profile. If the secret matches a then this may be any Profile in Elements. For all other Users, this must be a Profile associated with the User making the request. Ths will override the .

Creation Methods

There are several ways to create sessions within Elements. Each section here describes the supported creation methods and how to implement each one of them. In all cases, Elements performs the account verification authoritatively, ensuring that the server has verified the credentials supplied to it.

Username and Password

This the most basic method of creating a session and requires no third-party integration. When creating a User, the client supplies the desired username and password. Elements securely hashes each User's password in the database.

SSO using OIDC / OAuth2

Elements provides the ability to create and customize Single Sign On (SSO) options for a variety of services, and even connect a single User to multiple external ids. These services must follow the OIDC or OAuth2 specifications. See for more details on how this works.

Scoping Rules

User

All sessions will have a User associated with them. Once created, they will always be valid for that User until it expires or the user changes their password.

Profile

A Session may, optionally, be scoped by a User and a Profile. The Profile's owner must match the User who created the session. APIs that require Profile scoping rules are as follows:

  • Fetching current Profile (eg GET /profile/current)

  • Processing IAPs

  • Leaderboards and Rankings

  • Push Notifications

  • Progress and Missions

Within the Elements , sessions may have two scopes: User or Profile. Some APIs require a session with a current Profile and not just a User. Generally these APIs are for application specific operations, such as Matchmaking.

Security Model
Auth Schemes
Creation Methods
Creation Methods
Scoping Rules
Profile Scoping Rules
Super User
Super User