Implicit vs Explicit Auth

There are two methods of authenticating with HYPLAY: implicit and explicit. Which you use will depend on your specific app or game.

Implicit Auth

The implicit auth flow is intended for apps or games that do not have a backend or do not have a way to securely store a HYPLAY app secret key.

When you construct your OAuth URL with &responseType=token, you're using the implicit authentication flow. Setting the responseType to token will set the #accessToken= fragment when the user is redirected back to your game/app/website.

From here, you can use the returned session access token in the URL fragment to make API requests and transactions against HYPLAY APIs on behalf of the user.

Explicit Auth

The explicit auth flow is the preferred authorization flow due to its more secure nature - it requires your app's secret key. However, it is not advisable to use your secret key in the built game or app, or your website's frontend, as these can be reverse engineered. If you do not have a backend server for your app or game, you may use the implicit auth flow.

To use the explicit auth flow, construct your OAuth URL with &responseType=code. Setting the responseType to code will set the ?code= query parameter when the user is redirected back to your game/app/website.

Your application must perform a code exchange to retrieve a session access token for the authorized user. This is typically performed by a backend service you've built for your game/app/website where your HYPLAY app secret is securely stored.

This code exchange can be done through the Grant Session Token API endpoint.
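
The two redirect shapes described above (#accessToken= for implicit, ?code= for explicit) can be handled by one client-side routine that also removes the credential from the address bar so it does not linger in browser history. This is an added example, not HYPLAY's own code: parseHyplayRedirect and the game.example URLs are hypothetical, and the code exchange itself is left to your backend.

```javascript
// Added example: classify a HYPLAY OAuth redirect and strip the credential from the URL.
// parseHyplayRedirect is a hypothetical helper, not part of any HYPLAY SDK.
function parseHyplayRedirect(href) {
  const url = new URL(href);
  // Implicit flow: the session access token arrives in the URL fragment.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const accessToken = fragment.get("accessToken");
  // Explicit flow: the code arrives in the query string.
  const code = url.searchParams.get("code");

  if (accessToken && code) {
    // An app is configured for one flow; a redirect carrying both is unexpected.
    throw new Error("redirect carries both accessToken and code");
  }
  if (!accessToken && !code) {
    return { flow: "none", cleanUrl: url.href };
  }

  // Build the URL to keep in the address bar: same page, credential removed,
  // any unrelated query or fragment parameters preserved.
  fragment.delete("accessToken");
  url.searchParams.delete("code");
  const rest = fragment.toString();
  url.hash = rest ? "#" + rest : "";

  return accessToken
    ? { flow: "implicit", accessToken, cleanUrl: url.href }
    : { flow: "explicit", code, cleanUrl: url.href };
}

// Browser usage (skipped when run outside a browser).
if (typeof window !== "undefined") {
  const result = parseHyplayRedirect(window.location.href);
  if (result.flow !== "none") {
    window.history.replaceState(null, "", result.cleanUrl);
  }
  // implicit: keep result.accessToken in memory and use it for API requests.
  // explicit: send result.code to your backend, which holds the app secret
  //           and performs the code exchange.
}
```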