Authentication

Introduction

All GOG APIs support token authorization, similar to OAuth2. The web domains www.gog.com, embed.gog.com and some of the Galaxy domains support session cookies too. They both have to be obtained using the GOG login page, because a CAPTCHA may be required to complete the login process.

Auth-Flow

  1. Use an embedded browser like WebKit, Gecko or CEF to send the user to https://auth.gog.com/auth. An add-on in your desktop browser should work as well. The exact details about the parameters of this request are described below.
  2. Once the login process is completed, the user should be redirected to https://www.gog.com/on_login_success with a login “code” appended at the end. Use the callbacks of your browser engine to detect it, take the code and use it to request a token.
  3. Renew the token when it expires after about an hour. Check the original response for an accurate lifetime.

Authorizing a Request

To authorize a request set the Authorization header to Bearer <token>. This has to be done for each call.

Example request:

GET /library/windows HTTP/1.1
Host: embed.gog.com
Authorization: Bearer xpIjnwyncascjBf20yz1n1tu8jo9spxyvy3zlvlL0rfoiiuly2hu5xnfgjysnuyhjqI7cmcatscp3ybgDjeqzwCggttnombuuicn_t6dbqybzYvpoieqtamaKuxpgclnUlt_q4jf_haj2emwgtrkzdlkhwinu7o93bpxWrbjdxr

Methods

GET /auth

Redirects to the login site. Don’t use this directly from your client, it’s not a JSON API, visit it with a web browser instead.

Query Parameters:
 
  • client_id (str) – OAuth2 Client ID. Use 46899977096215655.
  • redirect_uri (str) – URL where the browser will be redirected after the login has been completed. Use https://embed.gog.com/on_login_success?origin=client
  • response_type (str) – Use code
  • layout (str) – Use client2

Example request:

GET /auth?client_id=46899977096215655&redirect_uri=https%3A%2F%2Fembed.gog.com%2Fon_login_success%3Forigin%3Dclient&response_type=code&layout=client2 HTTP/1.1
Host: auth.gog.com

Example redirect:

http://localhost:8000/token?code=oF8OSgZVMFb7a8Y3Dolrz4YPqDUnG7TCTsekYKcWnFNcmWWCJH7XJS3RN9d9NB0slx4FS1kss-llBEXvgkCX8oNTP1u3yYG1p56f35jVZCclrCQMk803k5LmQLKM1Wb7
GET /token

Generates a new auth token from a login code or refreshes an old one.

Query Parameters:
 
  • client_id (str) – OAuth2 client ID. Use 46899977096215655
  • client_secret (str) – OAuth2 secret. Use 9d85c43b1482497dbbce61f6e4aa173a433796eeae2ca8c5f6129f2dc4de46d9
  • grant_type (str) – authorization_code for new logins, refresh_token for refreshs.
  • code (str) – Only for new logins: Login code you got from the auth redirect.
  • redirect_uri (str) – Only for new logins: The redirect URL you used in the auth request.
  • refresh_token (str) – Only for refreshes: The refresh_token you got from an old token. This is a separate entry, not the old access token.

Example request:

GET /token?client_id=46899977096215655&client_secret=9d85c43b1482497dbbce61f6e4aa173a433796eeae2ca8c5f6129f2dc4de46d9&grant_type=authorization_code&code=oF8OSgZVMFb7a8Y3Dolrz4YPqDUnG7TCTsekYKcWnFNcmWWCJH7XJS3RN9d9NB0slx4FS1kss-llBEXvgkCX8oNTP1u3yYG1p56f35jVZCclrCQMk803k5LmQLKM1Wb7&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Ftoken HTTP/1.1
Host: auth.gog.com

Example response:

{
  "expires_in": 3600,
  "scope": "",
  "token_type": "bearer",
  "access_token": "xpIjnwyncascjBf20yz1n1tu8jo9spxyvy3zlvlL0rfoiiuly2hu5xnfgjysnuyhjqI7cmcatscp3ybgDjeqzwCggttnombuuicn_t6dbqybzYvpoieqtamaKuxpgclnUlt_q4jf_haj2emwgtrkzdlkhwinu7o93bpxWrbjdxr",
  "user_id": "48628349957132247",
  "refresh_token": "48il-pjxfpknX0hwtxvBnRgNr-n5JAOTKpczaLEBHW7F65iTchjO46f7I-HAV-Cb",
  "session_id": "6354900816570477251"
}