Implicit vs. Explicit Auth
In-depth explanation of implicit and explicit auth flows for HYPLAY.
HYPLAY supports 2 patterns of authorization: implicit auth and explicit auth. Depending on how you're building your app or game, one pattern may be better than the other. See the explanations below to choose which is best for you.
Implicit Auth
Implicit auth occurs when you construct your OAuth url with &responseType=token. Setting the responseType to token will set the #accessToken= fragment when the authorizing user is redirected back to your application or game's redirectUri that you originally provided in the auth flow url.
From here, you can grab the returned session access token in the URL fragment, and make API requests and transactions against HYPLAY APIs on behalf of the authorized user.
The implicit auth flow is intended for apps or games that do not have a backend or do not have a way to securely store a HYPLAY app secret key.
Explicit Auth
Explicit auth occurs when you construct your OAuth url with &responseType=code. Setting the responseType to code will set the ?code= query parameter when the authorizing user is redirected back to your application or game's redirectUri that you originally provided in the auth flow url.
Your application must perform a code exchange to retrieve a session access token for the authorized user. This is typically performed by a backend service you've built for your app or game where your HYPLAY app secret is securely stored.
This code exchange can be done through the Grant Session Token API endpoint here.
The explicit auth flow is the preferred authorization flow when possible because it is more secure: it requires a secret key. However, it may not be possible depending on your application or game's architecture, in which case you can fall back to the implicit auth flow.
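The following is an added example, not HYPLAY's own code, showing how a client can tell the two redirects apart and remove the returned credential from the URL once it has been read, so it does not linger in the address bar or browser history. Only the accessToken fragment and the code query parameter come from the text above; the function names and sample URLs are assumptions made for illustration.

```javascript
// Added example: classify a HYPLAY auth redirect and strip the credential.
// "accessToken" (fragment) and "code" (query) are the names given on this page;
// parseAuthRedirect / handleRedirect are hypothetical helper names.
function parseAuthRedirect(href) {
  const url = new URL(href);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const accessToken = fragment.get("accessToken");
  const code = url.searchParams.get("code");

  // Refuse ambiguous redirects instead of guessing which value to trust.
  if (accessToken && code) {
    throw new Error("redirect carries both accessToken and code");
  }

  const result = { flow: "none", credential: null };
  if (accessToken) {
    // Implicit flow: the session token itself arrived in the fragment.
    result.flow = "implicit";
    result.credential = accessToken;
    fragment.delete("accessToken");
    url.hash = fragment.toString(); // empty string drops the fragment
  } else if (code) {
    // Explicit flow: only a code arrived; a backend that holds the app
    // secret must exchange it for a session access token.
    result.flow = "explicit";
    result.credential = code;
    url.searchParams.delete("code");
  }
  result.cleanUrl = url.toString();
  return result;
}

// Browser-side use: pass `window`. The history entry is replaced so the
// credential is not kept in the address bar, history, or copied links.
function handleRedirect(win) {
  const parsed = parseAuthRedirect(win.location.href);
  if (parsed.flow !== "none") {
    win.history.replaceState(null, "", parsed.cleanUrl);
  }
  return parsed;
}
```

In the explicit case the client only forwards the code to its backend; the app secret never appears in browser code.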
Updated 6 months ago