Implicit vs. Explicit Auth

In-depth explanation of implicit and explicit auth flows for HYPLAY.

HYPLAY supports two patterns of authorization: implicit auth and explicit auth. Depending on how you're building your app or game, one pattern may be better than the other. See the explanations below to choose which is best for you.

Implicit Auth

Implicit auth occurs when you construct your OAuth URL with &responseType=token. Setting responseType to token means the #accessToken= fragment is set when the authorizing user is redirected back to the redirectUri of your application or game, which you originally provided in the auth flow URL.

From here, you can grab the returned session access token in the URL fragment, and make API requests and transactions against HYPLAY APIs on behalf of the authorized user.

The implicit auth flow is intended for apps or games that do not have a backend or do not have a way to securely store a HYPLAY app secret key.

Explicit Auth

Explicit auth occurs when you construct your OAuth URL with &responseType=code. Setting responseType to code means the ?code= query parameter is set when the authorizing user is redirected back to the redirectUri of your application or game, which you originally provided in the auth flow URL.

Your application must perform a code exchange to retrieve a session access token for the authorized user. This is typically performed by a backend service you've built for your app or game, where your HYPLAY app secret is securely stored.

This code exchange can be done through the Grant Session Token API endpoint.

The explicit auth flow is the preferred authorization flow when possible, because it is more secure: it requires a secret key. However, it may not be possible depending on your application or game's architecture, in which case you can fall back on the implicit auth flow.
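
The redirect handling for both flows, as an added example that is not HYPLAY's own code: it classifies the redirect by where the credential arrives (#accessToken= fragment or ?code= query parameter) and removes it from the URL so it does not linger in the address bar or browser history. The function names and the game.example URLs are assumptions made for illustration.

```javascript
// Added example. The parameter names accessToken and code come from the page;
// function names and sample URLs are constructed for illustration.

// Classify a redirect back to redirectUri and extract the credential it carries.
function parseAuthRedirect(href) {
  const url = new URL(href);
  // Implicit flow: the token sits in the fragment, which browsers do not send to servers.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const accessToken = fragment.get('accessToken');
  // Explicit flow: the code sits in the query string.
  const code = url.searchParams.get('code');

  if (accessToken && code) {
    // One redirect should carry one or the other; treat both as malformed.
    return { flow: 'invalid', reason: 'both accessToken and code present' };
  }
  if (accessToken) return { flow: 'implicit', accessToken };
  if (code) return { flow: 'explicit', code };
  return { flow: 'none' };
}

// Return the same URL with the credential removed, keeping any unrelated
// query or fragment parameters the app uses.
function scrubAuthParams(href) {
  const url = new URL(href);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  fragment.delete('accessToken');
  url.hash = fragment.toString();
  url.searchParams.delete('code');
  return url.toString();
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== 'undefined') {
  const result = parseAuthRedirect(window.location.href);
  // Replace the history entry so the token or code is not kept in it.
  window.history.replaceState(null, '', scrubAuthParams(window.location.href));
  if (result.flow === 'explicit') {
    // Hand result.code to your backend, which holds the app secret and
    // performs the code exchange.
  }
}
```
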