
Xbox Certification

Warning: This documentation is now deprecated. If you are using Matchmaker Self Serve through UDash, please use the documentation here.

In order to pass Xbox certification, all game client communications with the matchmaker must go through a game service. The game service must authenticate the console before creating/reading/deleting tickets associated with the game client. The user flow described in the Player Auth Delegate Token documentation should not use the read-only token flow from the consoles.

User auth flow for Xbox

A typical user flow would go as follows:

  1. The game client authenticates with the Xbox XSTS service. After a successful login, the client can cache the received XSTS Partner token because it will be used throughout the game session.
  2. The game service creates a Service Token using the client_id and client_secret.
  3. The game service uses the created Service Token to generate a matchmaking scoped Delegate Token.
  4. The game client can request to create a Matchmaking ticket from the game service using its XSTS token.
    • It is very important to validate this token to make sure the game client is a legitimate player.
  5. The game service creates a new ticket (using the Delegate Token with the matchmaking scope) and sets the author of the ticket (using the x-on-behalf-of header) to match the ID of the client that sent the request, and forwards the newly created ticket's id to the game client.
  6. The game client can now use the locally cached XSTS token along with the ticket ID to query for the ticket status by going through the game service. The game service should set the x-on-behalf-of to the client's ID to make sure a client doesn't request the status of someone else's ticket.
  7. If the game client wants to stop matchmaking (in case an assignment is received or the player decides to cancel), it can contact the game service to have the ticket deleted by providing their XSTS token and the ID of the ticket to be deleted.
    • Here the game service should also use the x-on-behalf-of header to make sure a ticket belonging to someone else is not deleted.
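
The ownership checks in steps 4 to 7, sketched as an added example (not code from this documentation or from the matchmaker SDK). `StubMatchmaker`, `GameService`, the `VALID_XSTS` table and the `Authorization` header shape are hypothetical stand-ins; real XSTS validation and the matchmaker's HTTP API are assumed to sit behind them.

```python
import secrets

# Constructed sample tokens; real XSTS validation (signature, expiry) is assumed to happen here.
VALID_XSTS = {"xsts-alice": "player-alice", "xsts-bob": "player-bob"}

class StubMatchmaker:
    """In-memory stand-in for the matchmaker; not its real API."""
    def __init__(self):
        self.tickets = {}  # ticket_id -> author taken from x-on-behalf-of

    def create(self, headers):
        ticket_id = secrets.token_hex(8)
        self.tickets[ticket_id] = headers["x-on-behalf-of"]
        return ticket_id

    def _owned(self, ticket_id, headers):
        # An unknown ticket and a ticket with another author look the same to the caller.
        return self.tickets.get(ticket_id) == headers["x-on-behalf-of"]

    def status(self, ticket_id, headers):
        return "searching" if self._owned(ticket_id, headers) else None

    def delete(self, ticket_id, headers):
        owned = self._owned(ticket_id, headers)
        if owned:
            del self.tickets[ticket_id]
        return owned

class GameService:
    def __init__(self, matchmaker, delegate_token):
        self.mm = matchmaker
        self.delegate_token = delegate_token  # from steps 2-3, never sent to the console

    def _headers(self, xsts_token):
        player_id = VALID_XSTS.get(xsts_token)  # step 4: validate before acting
        if player_id is None:
            raise PermissionError("invalid XSTS token")
        # The author comes from the validated token, never from a client-supplied field.
        return {"Authorization": f"Bearer {self.delegate_token}",  # header shape assumed
                "x-on-behalf-of": player_id}

    def create_ticket(self, xsts_token):
        return self.mm.create(self._headers(xsts_token))

    def ticket_status(self, xsts_token, ticket_id):
        return self.mm.status(ticket_id, self._headers(xsts_token))

    def delete_ticket(self, xsts_token, ticket_id):
        return self.mm.delete(ticket_id, self._headers(xsts_token))
```

Because every call rebuilds `x-on-behalf-of` from the token it just validated, a player who learns another player's ticket ID still cannot read or delete that ticket.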