Social Authentication on the game hub
Aghanim supports multiple social login providers (e.g., Apple, Discord, Facebook, Google) and generic OIDC-compliant providers for player authentication via webhooks. These webhooks notify your backend of a login event, requiring validation of the OAuth2 authorization code to grant or deny access to the game hub.
Requirements
To process player verification events from Aghanim using social login, your server must:
- Expose an HTTPS POST endpoint.
- Accept webhook events signed by Aghanim.
- Exchange the provided code (an authorization code obtained via the OAuth2 Authorization Code Grant flow using response_type=code) for an access token with the appropriate provider.
- Validate and match the resulting user profile against your player database.
- Respond with a 200 status code and JSON payload for success or failure.
Supported Providers
You must configure each social provider in your game application dashboard and ensure proper Redirect URI handling for OAuth2 flows. The following providers are currently supported:
- Apple
- Discord
- Facebook
- Google
- OIDC (any OpenID Connect-compliant provider)
For providers not listed above, you can use the generic OIDC Login plugin to integrate any OpenID Connect-compliant identity provider (e.g., Keycloak, Auth0, Okta, Azure AD). If you need further assistance, please contact us.
OAuth2 Redirect URIs
For each provider, ensure the following Redirect URI is added in the respective developer console:
https://<GAME_HUB_DOMAIN>/oauth2/<PROVIDER>/callback
Replace <GAME_HUB_DOMAIN> with your game hub's domain (e.g., demo.aghanim.com) and <PROVIDER> with facebook, google, apple, discord, or oidc.
Provider-Specific Configuration
While the general OAuth2 flow is consistent across providers, setup steps differ slightly per platform. Detailed setup instructions can be found on each provider’s developer documentation.
Apple
- Go to Apple Developer Portal
- Register a new Sign In with Apple service under Identifiers
- Configure your Services ID and Redirect URI
- Generate a client secret JWT for OAuth2 token exchange
Discord
- Visit Discord Developer Portal
- Create an application and enable OAuth2
- Set your Redirect URI
Facebook
- Go to Facebook Developers
- Create a new app (type: Consumer)
- Add Facebook Login product
- Under Facebook Login → Settings, configure:
  - Client OAuth Login: Yes
  - Use Strict Mode for Redirect URIs: Yes
- Set your Redirect URI in Valid OAuth Redirect URIs
Google
- Go to Google Cloud Console
- Create OAuth2 credentials under APIs & Services → Credentials
- Configure the Redirect URI
OIDC
- Configure a client application in your OIDC-compliant identity provider (e.g., Keycloak, Auth0, Okta, Azure AD)
- Note the Discovery URL, Authorization Endpoint, and Client ID
- Set your Redirect URI
- See the OIDC Login guide for detailed setup instructions
Configuration
Register your endpoint via:
- Aghanim Dashboard → Game > Webhooks > New Webhook, selecting the Player Verify event type.
- Or via the Create Webhook API
Request Schema
Below is an example of a player.verify webhook request:
HTTP
POST /your/webhook/uri HTTP/1.1
Content-Type: application/json
Host: your-webhook-endpoint.com
User-Agent: Aghanim/0.1.0
X-Aghanim-Signature: 2e45ed4dede5e09506717490655d2f78e96d4261040ef48cc623a780bda38812
X-Aghanim-Signature-Timestamp: 1725548450

{
  "event_type": "player.verify",
  "event_data": {
    "method": "google",
    "code": "4/0123abc...xyz"
  },
  "event_time": 1725548450,
  "event_id": "whevt_eCacGbJVbvToOgzjXUgOCitkQE",
  "idempotency_key": null,
  "request_id": "d1593e9c-c291-4004-8846-6679c2e5810b",
  "sandbox": false,
  "trigger": "hub.login",
  "transaction_id": "whtx_eCacGbJVbvT",
  "context": null,
  "game_id": "gm_exTAyxPsVwh"
}
cURL
curl "https://your-webhook-endpoint.com/your/webhook/uri" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "User-Agent: Aghanim/0.1.0" \
  -H "X-Aghanim-Signature: 2e45ed4dede5e09506717490655d2f78e96d4261040ef48cc623a780bda38812" \
  -H "X-Aghanim-Signature-Timestamp: 1725548450" \
  -d '{
    "event_type": "player.verify",
    "event_data": {
      "method": "google",
      "code": "4/0123abc...xyz"
    },
    "event_time": 1725548450,
    "event_id": "whevt_eCacGbJVbvToOgzjXUgOCitkQE",
    "idempotency_key": null,
    "request_id": "d1593e9c-c291-4004-8846-6679c2e5810b",
    "sandbox": false,
    "trigger": "hub.login",
    "transaction_id": "whtx_eCacGbJVbvT",
    "context": null,
    "game_id": "gm_exTAyxPsVwh"
  }'
The Event schema
| Key | Type | Description |
|---|---|---|
| event_id | string | Unique Event ID generated by Aghanim. |
| game_id | string | Your game ID in the Aghanim system. |
| event_type | string | The type of the event, player.verify in this case. |
| event_time | number | Event date in Unix epoch time. |
| event_data | EventData | Contains the event-specific data, with possible keys for inherited objects. |
| idempotency_key | string or null | Ensures webhook actions are executed only once, even if retried. Can be null depending on event type. |
| request_id | string or null | If the event was triggered by an API request, the request ID is included. |
| sandbox | boolean | Indicates whether the event was sent from the sandbox game environment. |
| trigger | string or null | The trigger that caused the event to be sent. |
| transaction_id | string | The transaction ID generated by Aghanim. This ID may be the same for multiple events emitted within the same transaction. |
| context | object or null | Contextual information about the event. |
EventData Schema
| Key | Type | Description |
|---|---|---|
| method | string | The provider used for authentication. One of apple, discord, facebook, google, or oidc. |
| code | string | The authorization code generated by the provider. See RFC 6749 Section 4.1.2 for details. |
| redirect_uri | string or null | The redirect URI used in the original authorization request. See RFC 6749 Section 4.1.3 for details. Included for providers that require it during token exchange (e.g., OIDC). null for other providers. |
Processing the Webhook
Your backend should:
- Extract method, code, and redirect_uri from the request body.
- Exchange code for an access token using the corresponding provider's OAuth2 token endpoint. If redirect_uri is not null, include it in the token exchange request.
- Fetch the user profile using the access token.
- Match the social account to a player in your database.
- Respond with the appropriate webhook response schema to accept or deny login.
Successful Response Schema
Please refer to the player.verify webhook response documentation for expected structure.
Failure Response Schema
If the verification fails, respond with a 200 status code and the following JSON response:
{
"status": "error",
"code": "not_found",
"message": "Player not found"
}
List of possible error codes:
- not_found - The account/player not found.
- invalid_signature - The signature was invalid.
- validation_error - The request data was invalid.
- banned - The account/player is banned.
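The processing steps and failure codes above, sketched in Python as an added example (not Aghanim's code). It assumes the caller has already checked the X-Aghanim-Signature header and passes the result in as signature_ok. The creds mapping and the post_token and find_player callables are hypothetical, sending client_secret in the request body is an assumption about the provider, and mapping a rejected code to validation_error is this example's choice.

```python
from urllib.parse import urlencode

METHODS = {"apple", "discord", "facebook", "google", "oidc"}  # event_data.method values

def error(code, message):
    # Failure body from this page; it is sent with HTTP status 200.
    return {"status": "error", "code": code, "message": message}

def token_form(data, creds):
    # RFC 6749 section 4.1.3 request body; redirect_uri only when the event carries one.
    form = {"grant_type": "authorization_code", "code": data["code"],
            "client_id": creds["client_id"], "client_secret": creds["client_secret"]}
    if data.get("redirect_uri") is not None:
        form["redirect_uri"] = data["redirect_uri"]
    return urlencode(form)

def handle_player_verify(event, signature_ok, creds, post_token, find_player):
    """Return (player, error_body); exactly one of the two is None.

    Hypothetical injected callables: post_token(method, form) performs the
    HTTPS token exchange and profile fetch and returns the provider's user ID
    or None; find_player(method, user_id) returns a player dict or None.
    """
    if not signature_ok:  # signature was verified by the caller before parsing
        return None, error("invalid_signature", "Signature check failed")
    data = event.get("event_data")
    if event.get("event_type") != "player.verify" or not isinstance(data, dict):
        return None, error("validation_error", "Not a player.verify event")
    method, code = data.get("method"), data.get("code")
    # Allowlist the method so request data never selects an arbitrary token endpoint.
    if not isinstance(method, str) or method not in METHODS or method not in creds:
        return None, error("validation_error", "Unsupported method")
    if not isinstance(code, str) or not code:
        return None, error("validation_error", "Missing code")
    user_id = post_token(method, token_form(data, creds[method]))
    if user_id is None:  # provider rejected the code (expired, reused, wrong redirect_uri)
        return None, error("validation_error", "Authorization code rejected")
    player = find_player(method, user_id)
    if player is None:
        return None, error("not_found", "Player not found")
    if player.get("banned"):
        return None, error("banned", "Player is banned")
    return player, None  # build the success body per the player.verify response docs
```
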
FAQ
No. Aghanim never needs access to your OAuth client secret or API keys. When a player logs in via a social provider on the game hub, Aghanim receives an authorization code from the provider and forwards it to your backend through the player.verify webhook. Your server then exchanges that code for an access token using your own credentials — the same ones your game already uses.
No. You should use the same OAuth application that your game already uses. The only change required is adding the Aghanim Redirect URI to your existing app's allowed redirect URIs in the provider's developer console.
Providers like Meta (Facebook) and Apple issue player IDs that are scoped to a specific OAuth application. Since Aghanim uses your existing OAuth app (not a separate one), the player IDs returned during token exchange will be the same IDs your game already knows. There is no ID mismatch.
Need help?
Contact our integration team at [email protected]