Authentication
This page explains how to authenticate requests to the API Gateway using HMAC-SHA256 signatures.
To ensure secure communication, every request to the Riddec Games API Gateway must include a valid HMAC-SHA256 signature.
How to Sign Requests
The signature is computed using the HMAC-SHA256 algorithm.
The message is the raw request body (as a string).
If body is empty: Use an empty string "".
The key is your private AUTH_TOKEN, provided by our team.
The resulting signature must be sent in the HTTP header: X-REQUEST-SIGN.
If the signature is invalid or missing, the server will respond with:
{
  "message": "Forbidden resource",
  "error": "Forbidden",
  "statusCode": 403
}

⚠️ Keep AUTH_TOKEN Safe
Your AUTH_TOKEN is a secret key.
You must never share it or expose it in client-side code.
Store it in a secure backend environment.
Example Implementations
Node.js

    const crypto = require('crypto');
    const axios = require('axios');

    // Load the secret from server-side configuration; never ship it to clients.
    const AUTH_TOKEN = 'your-secret-token';
    const requestBody = { playToken: 'abc123' };

    // Serialize once, then sign and send that exact string.
    const body = JSON.stringify(requestBody);
    const signature = crypto
      .createHmac('sha256', AUTH_TOKEN)
      .update(body)
      .digest('hex');

    axios.post('https://riddecgames.com/gateway/api/v1/launcher/{partner-id}/real', body, {
      headers: {
        'Content-Type': 'application/json',
        'X-REQUEST-SIGN': signature
      }
    });

Python

    import hmac
    import hashlib
    import requests
    import json

    AUTH_TOKEN = b'your-secret-token'  # must be bytes
    request_body = {
        "playToken": "abc123"
    }

    # Serialize once; the same string is signed and sent.
    body_str = json.dumps(request_body, separators=(',', ':'))  # no extra spaces
    signature = hmac.new(AUTH_TOKEN, body_str.encode('utf-8'), hashlib.sha256).hexdigest()

    headers = {
        'Content-Type': 'application/json',
        'X-REQUEST-SIGN': signature
    }
    response = requests.post(
        'https://riddecgames.com/gateway/api/v1/launcher/{partner-id}/real',
        data=body_str,
        headers=headers
    )
    print(response.status_code, response.text)

PHP

    <?php
    $authToken = 'your-secret-token';
    $requestBody = [
        'playToken' => 'abc123'
    ];

    // Serialize once; the same string is signed and sent.
    $body = json_encode($requestBody, JSON_UNESCAPED_SLASHES);
    $signature = hash_hmac('sha256', $body, $authToken);

    $headers = [
        'Content-Type: application/json',
        'X-REQUEST-SIGN: ' . $signature
    ];
    $ch = curl_init('https://riddecgames.com/gateway/api/v1/launcher/{partner-id}/real');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);
    echo $response;
    ?>

Bash (curl and openssl)

    AUTH_TOKEN="your-secret-token"
    BODY='{"playToken":"abc123"}'
    # printf avoids the trailing newline and the portability problems of `echo -n`.
    SIGNATURE=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$AUTH_TOKEN" | sed 's/^.* //')
    curl -X POST "https://riddecgames.com/gateway/api/v1/launcher/{partner-id}/real" \
      -H "Content-Type: application/json" \
      -H "X-REQUEST-SIGN: $SIGNATURE" \
      -d "$BODY"

Troubleshooting
❌ I get a 403 Forbidden response
Check that your X-REQUEST-SIGN header is present and spelled correctly.
Make sure the body you signed is exactly what you're sending (no whitespace differences or formatting changes).
Verify your AUTH_TOKEN is correct.
Ensure your body is a string, not a JSON object, when calculating the HMAC.
❌ My signature is different every time
Make sure you're not using a different body each time (e.g., timestamps or UUIDs).
Confirm that you’re not adding extra fields automatically (e.g., by a framework or HTTP library).
Always stringify JSON in a stable way before signing (e.g., no indentation or spaces).
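A local self-check that replays the 403 causes listed above, as an added example that is not Riddec Games code. The `verify` function is an assumption about how a server-side check of X-REQUEST-SIGN would look, and the token is a constructed placeholder.

```python
import hashlib
import hmac
import json

# Constructed placeholder; the real AUTH_TOKEN must come from a secret store.
AUTH_TOKEN = b"example-token-not-real"


def sign_body(raw_body: bytes, token: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes that will be sent."""
    return hmac.new(token, raw_body, hashlib.sha256).hexdigest()


def build_request(payload, token: bytes):
    """Serialize once, sign those bytes, return both (None means empty body)."""
    raw = b"" if payload is None else json.dumps(
        payload, separators=(",", ":")).encode("utf-8")
    headers = {"Content-Type": "application/json",
               "X-REQUEST-SIGN": sign_body(raw, token)}
    return raw, headers


def verify(raw_body: bytes, headers: dict, token: bytes) -> bool:
    """Hypothetical server-side check: recompute, compare in constant time."""
    received = headers.get("X-REQUEST-SIGN", "")
    expected = sign_body(raw_body, token)
    return hmac.compare_digest(expected.encode(), received.encode())


def diagnose() -> dict:
    """Run each troubleshooting case; False corresponds to a 403 response."""
    payload = {"playToken": "abc123"}
    raw, headers = build_request(payload, AUTH_TOKEN)
    # Same JSON value, re-serialized with indentation after signing.
    pretty = json.dumps(payload, indent=2).encode("utf-8")
    empty_raw, empty_headers = build_request(None, AUTH_TOKEN)
    return {
        "same_bytes": verify(raw, headers, AUTH_TOKEN),
        "reformatted_body": verify(pretty, headers, AUTH_TOKEN),
        "missing_header": verify(raw, {}, AUTH_TOKEN),
        "wrong_token": verify(raw, headers, b"other-token"),
        "empty_body": verify(empty_raw, empty_headers, AUTH_TOKEN),
    }


if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case}: {'valid' if ok else '403 Forbidden resource'}")
```

Only the cases where the signed bytes, the header, and the token all match pass; sending the `raw` value returned by `build_request` unchanged is what keeps them matched.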
FAQ
What is AUTH_TOKEN?
AUTH_TOKEN is a secret key that we provide to you. It must be used to sign requests sent to our API Gateway.
Can I use this from frontend JavaScript?
No. You must never expose AUTH_TOKEN in frontend code. All requests should be signed server-side.